Do You Have to Grade Security Awareness Training for SOC 2?
February 6, 2023
Security awareness training is a crucial aspect of an organization's overall security posture. It helps employees understand their role in protecting the company's assets, including sensitive information and systems. In today's digitally dominated workplace, cyber threats are evolving and becoming increasingly sophisticated, making it essential for organizations to implement security awareness programs that mitigate human risk, especially from new and emerging social engineering attacks.
We often get asked whether security awareness training needs to be graded for audits and auditors. In the context of a SOC 2, HIPAA, or ISO 27001 audit, grading of security awareness training is not required. Grading is a crucial factor in demonstrating the effectiveness of an organization's security awareness program, but none of these audits requires it.
A SOC 2 audit is a security assessment that verifies the controls and processes an organization has in place to secure its customers' sensitive data. The purpose of the audit is to provide assurance that the company's security measures meet the required standards and are operating effectively.
Grading the security awareness training program is optional for a SOC 2 audit because SOC 2 does not require you to demonstrate the level of employee engagement with, or understanding of, the company's security policies and procedures. A well-designed security awareness program should educate employees on the dangers of phishing, password management, and other common security threats. This education is required by SOC 2, but grading the training program is beyond its scope. The evidence SOC 2 requires for security awareness training is a clear trail of when each employee completed training. In practice, this usually means a spreadsheet and a training certificate.
Security awareness training is codified in the Common Criteria of SOC 2, specifically CC 2.2:
> The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.
Even though SOC 2 does not require grading of security awareness training, it is still worth considering for your company.
For example, if the company's security awareness program includes a quiz or test to assess employees' understanding of the material covered in the training, grading the results of the quiz can demonstrate the level of employee engagement and understanding. The grades can also help the organization identify areas where additional training is needed and make improvements to the training program.
In addition to demonstrating employee engagement, grading the security awareness training program can also demonstrate the company's commitment to security. SOC 2 audits are conducted to provide assurance that the organization has appropriate controls and processes in place to secure its customers' sensitive data. Grading the training program shows that the company is taking a proactive approach to securing its systems and data by educating its employees and verifying their understanding of security policies and procedures. Grading is complementary to SOC 2.
It is also worth noting that grading the security awareness training program is a widely adopted best practice. Many companies implement security awareness programs as part of their overall security strategy, and grading the training is an essential component of demonstrating the program's effectiveness.
In conclusion, grading security awareness training is not necessary for SOC 2 audits, but it does help demonstrate the level of employee engagement and understanding of security policies and procedures. Grading provides objective evidence of the training program's effectiveness, demonstrates the company's commitment to security, and supports the assurance that the organization has appropriate controls and processes in place to secure its customers' sensitive data.
All Haekka training is graded, but admins have the flexibility to choose whether a training has a grade threshold. If a grading threshold is not set, training is marked Complete when a user finishes all the lessons, regardless of their grade. If a grading threshold is set, users must achieve the threshold or higher to complete the training; users who do not meet the threshold are automatically re-enrolled in the training until they meet or exceed it.