Training and Awareness
Why security training exists
Security training exists because the most sophisticated technical defences in the world can be undone by a single person who does not know what to do in a moment of uncertainty. Firewalls do not stop an employee from forwarding a sensitive document to the wrong email address. Endpoint protection does not stop someone from approving an MFA request they should have denied. Encryption does not prevent someone from leaving a printed document on a desk where a visitor can read it.
The security incidents that damage organisations most — ransomware infections, data breaches, contract losses — almost always involve a human decision somewhere in the chain. Not a stupid decision, and usually not a malicious one. A decision made quickly, under pressure, without the knowledge needed to recognise the risk. Training is what closes that gap.
This section tells you what training is required, how to complete it, how your completion is tracked, and where to find additional learning if you want it. It also explains the phishing simulation programme, which runs throughout the year.
Section contents
- Your mandatory training requirements
- How to access and complete training
- Completion tracking and what happens if you fall behind
- The phishing simulation programme
- Role-specific training — what it is and who needs it
- Learning resources — going further
- New starter security induction
- Training after a security incident
Your mandatory training requirements
Core annual security awareness training
Who: every employee, every contractor, every person working under the organisation's direction — no exceptions.
When: once per year. The annual campaign launches in [month — e.g. October] each year and runs for four weeks. The deadline for completion is [deadline date]. If you join part-way through the year, your first completion deadline is [X weeks] from your start date.
What it covers: the annual training module takes approximately 45 minutes to complete and covers the following topics:
- Information security policy overview — your obligations and the consequences of breach
- Recognising and responding to phishing emails
- Acceptable use of company devices and systems
- Information classification and how to handle each tier
- Clear desk and clear screen procedures
- Password and MFA requirements
- Incident reporting — how to report and why speed matters
- Data protection and your UK GDPR obligations
- Remote working security
Format: the training is delivered through [training platform name — e.g. KnowBe4 / Mimecast Awareness Training / Proofpoint Security Awareness Training]. You will receive an email at the start of the campaign with a direct link to your assigned training. You can pause and return — completion is tracked by the platform, so you do not need to finish in one session.
Assessment: at the end of each topic section, there is a short knowledge check. You do not need to achieve a specific score to complete the training, but your answers are used by the security team to identify areas where additional guidance may be helpful. Answer honestly — the purpose is learning, not testing.
Certificate: on completion, the platform generates a completion certificate. You do not need to do anything with this — it is recorded automatically. If you need a copy of your certificate for any reason, contact HR.
Acceptable use acknowledgement
Who: every employee and contractor.
When: once per year, timed to coincide with the annual training campaign.
What it is: a one-page confirmation that you have read and understood the Acceptable Use Policy and the Information Classification and Handling Policy, that you understand your obligations under those policies, and that you agree to comply with them. It is not a legal contract separate from your employment — it is a record that the organisation has ensured you understand your obligations.
How to complete it: the acknowledgement is delivered through [platform or process — e.g. the training platform at the end of the annual module / a separate DocuSign document / HR system]. You will receive a prompt at the conclusion of the annual awareness training.
Data protection training
Who: all staff who handle personal data as part of their role. In practice this includes most employees — if you send emails, keep contact lists, process customer orders, or manage any record that includes someone's name, address, email, or other identifying information, you are handling personal data.
When: once per year. Typically delivered as part of the annual awareness training module or as a linked follow-up module.
What it covers: what personal data is, your obligations under UK GDPR, how to recognise a potential data breach, how to respond to a subject access request, and what to do when you are unsure whether something you are about to do with personal data is appropriate.
Additional mandatory training — if it applies to you
Some roles trigger additional mandatory training requirements beyond the annual module. If any of the following applies to you, additional training will be assigned automatically or you will receive a notification from HR or the CISO.
CUI access: if your role involves access to Controlled Unclassified Information — material from our US defence contracts — you must complete a CUI handling module before access is granted. This covers what CUI is, how to mark it, how to store and transmit it, and what to do if it is compromised. This is a US federal regulation requirement under NIST SP 800-171 and is not optional for anyone handling CUI.
OFFICIAL-SENSITIVE access: if your role involves handling UK government OFFICIAL-SENSITIVE material under DEFSTAN contracts, additional handling training is required before access is granted. The CISO will advise on the specific requirements based on your role.
Line manager responsibilities: if you manage people, you have additional security responsibilities — including being the first point of contact when a direct report has a security concern, and being responsible for ensuring your team completes training on time. A short manager briefing is available on request from the CISO.
How to access and complete training
Finding your assigned training
All mandatory training is accessed through [training platform name]. You will receive an email from [sender address — e.g. training@organisation.com or noreply@trainingplatform.com] with a direct link to your assigned modules.
If you have not received this email or cannot find it:
- Check your spam or junk folder. Some email clients filter training platform emails.
- Log in directly to [training platform URL] using your company email address and your standard company password (or single sign-on if configured).
- If you still cannot access the platform, contact IT Operations via the helpdesk.
Do not use the "Remind me later" button past the first week of the campaign. The completion deadline is real and the reporting is automated.
Completing the training
The training is delivered entirely online. You need: a company device, an internet connection or VPN connection, and approximately 45 minutes uninterrupted.
You can pause and resume. If you need to stop mid-module, the platform saves your progress. When you return, you pick up where you left off.
A note on shortcuts: some training platforms allow you to click through content quickly or to advance before watching a video in full. Please do not do this. The purpose of the training is that you absorb the content, not that a completion record exists. The security of your colleagues and our organisation's contracts depends on genuine awareness, not recorded acknowledgement.
If training content is wrong or out of date: if you notice something in the training that appears to contradict a current policy or that describes a process that has changed, report it to the CISO. The training content is reviewed annually but may not be updated in real time when policies change. The policies in this ISMS space take precedence.
Completing training on a mobile device
The training platform is accessible on mobile devices and tablets. If you primarily work on a phone or tablet, you can complete training on your device. However, some interactive elements may work better on a larger screen. If you encounter technical problems with the mobile experience, contact IT Operations.
Completing training in languages other than English
The training is currently delivered in English. If English is not your first language and you would find training in another language more effective, contact HR. Depending on the platform's capabilities and the number of staff with this need, alternative language options may be available.
Completion tracking and what happens if you fall behind
How completion is tracked
The training platform tracks completion automatically at the individual user level. When you complete the annual module, the platform records your name, completion date, and time spent on the training. This record is visible to HR and the CISO.
The CISO runs a completion report every two weeks during the annual campaign. The report shows: total completion rate across the organisation, completion rate by department, and a list of individuals who have not yet completed the training. This report is shared with the HR Manager and with line managers for follow-up.
You do not need to tell anyone you have completed the training. The system records it. If you are asked whether you have completed the training and you have, your completion record is verifiable.
The completion timeline and escalation process
The campaign runs for four weeks. During those four weeks, you will receive the following:
| Week | What happens |
|---|---|
| Week 1 | Training assigned — email with link sent to all staff |
| Week 2 | Reminder email sent to all staff who have not yet completed |
| Week 3 | Second reminder sent; line managers notified of non-completers in their team |
| Week 4 (final) | Final reminder sent; CISO notified of all outstanding completions |
| Day after deadline | CISO sends list of non-completers to HR and relevant line managers for follow-up |
After the deadline, non-completion is treated as a policy breach and is addressed through normal line management channels. This means your line manager will be asked to have a conversation with you about why the training was not completed and when it will be completed. In most cases this is a brief administrative conversation. In persistent cases — where training deadlines have been missed in consecutive years — it is addressed through the formal performance management process.
What "completed" means
Training is marked complete when you have worked through all modules and completed the final acknowledgement step. If you close your browser partway through the final acknowledgement, the training may not register as complete. If you believe you completed the training but it is not showing as complete, log back in to the platform and check your progress. Contact IT Operations if the platform is showing incorrect status.
I completed last year's training — do I have to do it again?
Yes. Annual completion is required each year. Last year's completion does not carry over. The reason is practical: the threat landscape changes, the organisation's policies and tools change, and different topics are emphasised each year based on what incidents and near-misses occurred in the past twelve months. A completion from two years ago does not reflect the current training content.
I am on leave during the campaign
If you are on planned annual leave, maternity or paternity leave, or long-term sick leave for part or all of the campaign period, the following applies:
Annual leave: if you return from leave before the deadline, complete the training promptly on your return. If you return after the deadline, your line manager and HR will agree a revised completion date. Completion within two weeks of return from leave is the standard expectation.
Long-term sick leave: training completion requirements are not enforced during a period of long-term sick leave. On return to work, the completion requirement applies from your return date with a two-week window.
Parental leave: same as long-term sick leave. Training is required on return, with a reasonable completion window agreed with your line manager and HR.
Contact HR if you have any questions about your specific situation.
The phishing simulation programme
What it is
Throughout the year, the security team sends simulated phishing emails to staff. These look like real phishing emails — they are crafted to appear to come from trusted organisations, to create a sense of urgency, and to contain realistic-looking links or attachments. They are not real threats. If you click a link in a simulated phishing email, you will be taken to a training page, not to a malicious site.
The phishing simulation programme runs approximately every [six to eight weeks]. Not every simulated phishing email goes to every person — the programme uses a rotating schedule so that different people receive different scenarios at different times.
Why we run it
Security awareness training that covers phishing theory is necessary but not sufficient. Knowing that phishing emails exist and knowing the warning signs in the abstract is different from recognising a specific phishing email when it arrives in your inbox on a busy Tuesday morning. The simulation programme bridges that gap.
Research consistently shows that organisations running regular phishing simulations have significantly lower click rates on real phishing emails than those that do not. The training effect is real and measurable. Click rates go down over time as staff become more attuned to the signals.
The simulation also gives the security team useful information about where awareness gaps exist — which types of phishing scenarios are most effective, which departments are most frequently clicked, and whether specific training interventions are having an effect. This information is used to improve the programme and to target additional guidance where it is most needed.
What happens if you click a simulated phishing email
If you click a link in a simulated phishing email, you will be redirected to a training page. The page will tell you that you clicked a simulated phishing email and explain which signals you could have used to identify it. You will be asked to read through a short module about the specific phishing technique used in that scenario.
This is not disciplinary. Clicking a simulated phishing email is not a performance issue, is not recorded in your HR file, and is not raised with your line manager as a negative event. The only consequence is a short additional training module.
Click data is reported to the CISO at an aggregated departmental level, not at the individual level. The CISO does not receive a list of names of people who clicked. The data is used for programme planning, not for individual performance management.
What happens if you report a simulated phishing email
If you use the phishing report button in Outlook (or forward the email to the security reporting address) before clicking anything, the simulation is marked as a successful detection. You will receive a brief confirmation message acknowledging that you correctly identified and reported the suspicious email.
Successful detection and reporting is the ideal outcome. It is better than clicking through and reading the training page. If the organisation-wide report rate is high and the click rate is low, the phishing simulation programme is working.
How to tell if an email is a simulation test
You cannot tell in advance, and that is intentional. If simulated phishing emails were identifiable as tests, they would not serve their purpose. The correct response to any email that you are not certain about is the same whether it is a real phishing attack or a simulation:
- Do not click any links.
- Do not open any attachments.
- Report it using the phishing report button.
- Delete it.
If it was a simulation, you will receive a confirmation. If it was a real phishing email, you will have protected yourself and the organisation and given the security team visibility of an active campaign.
Scenario types used in simulations
The simulation programme uses a range of scenarios that reflect real phishing campaigns observed in our sector. You may receive simulations that appear to come from:
- Microsoft, Google, or other technology providers asking you to verify your account or approve a sign-in
- HMRC, Companies House, or other government bodies about a tax, filing, or compliance matter
- A courier company about a parcel delivery requiring action
- A colleague, manager, or senior leader asking you to do something urgently
- A supplier or customer with an invoice, a document to review, or a contract update
- A financial institution about an account issue
- The IT helpdesk asking you to complete an action or install something
The scenarios change regularly. Recognising the pattern — urgency, an unexpected action required, a sender that prompts you to act before thinking — is more useful than memorising a list of scenarios.
I receive a lot of simulations and find them stressful
The simulation programme is designed to help, not to create anxiety. If you are finding the frequency of simulations stressful, speak to your line manager or contact the CISO directly. The programme parameters — frequency, difficulty of scenarios — can be adjusted for specific individuals or teams where there is a genuine wellbeing concern.
If a simulation feels hard, the response we would ask for is not to stop engaging vigilantly with your email but to use the resources on this page and in the [User Guidance Hub → Phishing and Suspicious Emails] section to build confidence. The more comfortable you are with the signals, the less stressful the simulations become.
Role-specific training — what it is and who needs it
Some roles carry security responsibilities beyond the general obligations that apply to everyone. Role-specific training is assigned based on your job function. If you need role-specific training, you will be informed by HR or the CISO when you take on that role.
The following table describes the main categories of role-specific training and who they apply to.
| Training | Who it is for | Why it is required |
|---|---|---|
| CUI handling and marking | Anyone with access to US defence contract information | US federal regulation under NIST SP 800-171 / DFARS |
| OFFICIAL-SENSITIVE handling | Anyone handling UK DEFSTAN contract material | DEFSTAN 05-138 personnel requirements |
| Incident response familiarisation | IRT members — CISO, IT Manager, Security Analyst, HR Manager | Ensures IRT members know the IRP, their roles, and the reporting procedures before an incident occurs |
| Privileged access responsibilities | IT Operations staff with admin accounts | Understanding of the elevated obligations that come with privileged access — PAM use, dual-account model, session recording |
| Supplier security assessment | Staff who select, procure, or manage suppliers | Understanding of supplier security assessment process and what to look for when onboarding a new supplier |
| Data subject access request handling | HR, customer-facing roles, anyone who might receive a SAR | UK GDPR requirement — ensures correct handling of access requests within the 30-day window |
| Clear-level security awareness (BPSS) | Anyone who has completed BPSS screening | Understanding of what BPSS screening means, what it covers, and the ongoing obligations it creates |
Role-specific training is separate from the annual awareness training. Completing the annual module does not exempt you from role-specific training, and completing role-specific training does not replace the annual module.
Learning resources — going further
The mandatory training covers what you must know. This section covers what you can explore if you want to understand more — whether because your role makes security particularly relevant, because you are interested in the subject, or because you want to be better prepared to protect yourself at home as well as at work.
Organisation-provided resources
This ISMS space: the most immediately relevant resource is this Confluence space itself. The User Guidance Hub (Section 04) contains practical scenario-based guidance for the situations you actually encounter. The policies in Section 01 explain the reasoning behind your obligations. If a training module mentions something you want to understand in more depth, the relevant section of this space is the first place to look.
Security team office hours: the CISO and Security Analyst hold regular informal security drop-in sessions — [frequency and time — e.g. the last Thursday of each month, 12:00–13:00 in the main meeting room / via Teams]. These are open to all staff. Bring questions about anything security-related — whether it is something from the training you did not understand, a situation at home you are not sure about, or a general question about how the organisation handles security. No topic is too basic.
Ask the security team: the CISO and IT Operations are available by email and via the helpdesk for security questions at any time. If you have a question about whether something you are about to do is safe or permitted, ask before doing it. The only questions that are unwelcome are the ones that are not asked.
NCSC guidance for individuals and organisations
The National Cyber Security Centre (NCSC) is the UK government's authority on cybersecurity and publishes free, high-quality guidance written for non-technical audiences as well as professionals.
Particularly recommended reading:
NCSC — Cyber Aware — the NCSC's programme for individuals and small organisations. Covers the six most effective actions to protect your online accounts and devices. Most of it applies equally to your personal and professional digital life.
NCSC — Small Business Guide — short, practical guidance for organisations of our size. Useful background reading if you want to understand why the organisation's controls are configured the way they are.
NCSC — Phishing attacks: defending your organisation — a more detailed treatment of phishing than is covered in the annual training. Particularly useful if you receive a lot of email from external parties as part of your role.
NCSC — Cyber threats to UK business 2022–2023 — the annual threat report for UK businesses. Accessible to non-technical readers and directly relevant to our sector.
NCSC guidance relevant to our specific context
Because we handle defence contract information, two NCSC areas are particularly relevant beyond standard business guidance:
NCSC — Supply chain security — guidance on assessing and managing security risks in supply chains. Relevant to anyone involved in supplier selection or management.
NCSC — 10 Steps to Cyber Security — the foundational framework that the UK government recommends for organisations. Reading this gives context for why all five Fundamental Controls (Section 02 of this ISMS) exist.
ICO guidance on data protection
The Information Commissioner's Office (ICO) is the UK's data protection regulator. Its website contains extensive free guidance on UK GDPR obligations.
ICO — Your data matters — guidance written for individuals about their rights. Understanding what rights data subjects have helps you understand why the organisation's data protection obligations exist.
ICO — For organisations — guidance for organisations about their obligations. The sections on data breaches, subject access requests, and lawful bases for processing are most relevant to day-to-day work.
CISA resources (US — relevant if you work on US defence contracts)
If your role involves US defence contracts and CUI, the US Cybersecurity and Infrastructure Security Agency (CISA) publishes resources directly relevant to your work.
CISA — Controlled Unclassified Information resources — background on the CUI programme, what it requires, and how it operates.
CISA — Known Exploited Vulnerabilities catalogue — the live list of vulnerabilities confirmed to be actively exploited in the wild. Referenced in our patch management process. Useful context if you want to understand why certain patches are treated as urgent.
Free online learning
Google Digital Garage — Fundamentals of Digital Marketing and Cybersecurity: free, self-paced modules covering security fundamentals for non-technical audiences. Useful if you want structured learning beyond the annual module. [learndigital.withgoogle.com]
Open University — Introduction to Cyber Security: a free online course accredited by the NCSC. More in-depth than the annual training and designed for people who want a solid foundational understanding rather than just the minimum required knowledge. Approximately eight hours of learning. [www.open.edu/openlearn]
Cybrary: a learning platform with free and paid cybersecurity courses. The free tier covers foundational concepts suitable for non-technical staff who want to understand the field more deeply. [www.cybrary.it]
Books worth reading
For staff who find books more accessible than online modules:
Hacking the Human by Ian Mann — a non-technical book about social engineering. Explains how phishing, vishing, and physical social engineering attacks work from the attacker's perspective. Understanding the attacker's approach is the most effective way to defend against it.
The Art of Invisibility by Kevin Mitnick — written for a general audience by a reformed hacker. Covers privacy and security practices for individuals. More personal than professional in focus but highly readable and practically useful.
Countdown to Zero Day by Kim Zetter — a detailed account of the Stuxnet cyberattack. Long-form journalism that explains how a sophisticated cyberattack works without requiring technical knowledge. Provides context for why supply chain security and critical infrastructure protection matter.
New starter security induction
If you are new to the organisation, your security induction happens as part of your broader onboarding. This section tells you what to expect and what you need to complete before your access to company systems is fully provisioned.
Before your access is granted
Before your account is created and access to company systems is provisioned, the following must be in place:
Pre-employment screening: your background screening (BPSS as a minimum for most roles) must be completed and the result recorded by HR. If your screening is still in progress when you start, your access may be provisioned at a reduced level initially — no access to CUI or Restricted information until screening is complete.
Signed agreements: your employment contract and the initial NDA must be signed before your first day. You will be asked to sign a data protection and acceptable use acknowledgement on day one.
Your first week — security tasks
During your first week, the following security tasks should be completed. Your line manager will help you work through them.
Day 1:
- Receive your access card for the building from Facilities and be shown the zone access restrictions
- Log in to your company laptop for the first time and change your initial password to a strong passphrase
- Enrol in MFA through the authenticator app (IT Operations will guide you through this)
- Sign the acceptable use acknowledgement
By end of week 1:
- Complete the new starter security orientation module in [training platform name] — this is a shorter module than the annual training and covers the essentials you need to know immediately
- Locate the phishing report button in Outlook and confirm you know how to use it
- Confirm you can connect to the corporate VPN from your device (if you will work remotely at all)
- Read the [Reporting a Security Incident] page in the User Guidance Hub — know how to report before something happens
By end of month 1:
- Complete any role-specific training modules assigned to your account
- Complete the CUI handling module if your role involves CUI access
- Attend the optional security team drop-in session to ask any questions
New starter security checklist
Print this checklist or bookmark it and mark items off as you complete them.
| Task | Done | Notes |
|---|---|---|
| Pre-employment screening complete — confirmed by HR | | |
| Employment contract signed | | |
| Initial NDA signed | | |
| Acceptable use acknowledgement signed (day 1) | | |
| Building access card received and zones explained | | |
| First-time login to laptop — password changed | | |
| MFA enrolled on authenticator app | | |
| New starter security orientation module completed | | |
| Phishing report button located in Outlook | | |
| VPN connection tested (if remote working) | | |
| Incident reporting page read | | |
| Role-specific training modules completed (if assigned) | | |
| CUI handling module completed (if CUI access) | | |
If any item on this checklist cannot be completed within the timeframe, contact IT Operations or the CISO. Do not proceed with work that involves sensitive information until the relevant training is complete.
Training after a security incident
If you are involved in a security incident — whether you were the person who reported it, the person who accidentally triggered it, or someone whose account was affected — you may be asked to complete additional training following the incident's resolution.
Post-incident training is not disciplinary. It is targeted awareness that addresses the specific mechanism of the incident. If you clicked a phishing link, you will be assigned a module about the specific phishing technique used. If a sensitive document was emailed to the wrong recipient, you will be asked to revisit the information classification and handling procedures. The training is brief, targeted, and designed to make the same type of incident less likely to occur again.
The CISO may also use significant incidents — with all identifying information removed — as the basis for organisation-wide awareness communications. If a real phishing campaign was used against the organisation and staff clicked links, a security alert describing the campaign (what it looked like, how to spot it) may be sent to all staff. These communications are based on real incidents and are the most immediately relevant awareness content you will ever receive. Read them.
Summary — your training obligations at a glance
| Obligation | Who | When | Consequence of non-completion |
|---|---|---|---|
| Annual security awareness training | Everyone | Once per year — campaign in [month] | Policy breach — line manager follow-up |
| Acceptable use acknowledgement | Everyone | Annually, concurrent with training | Policy breach |
| Data protection training | All staff handling personal data | Annually | Policy breach |
| CUI handling module | Staff with CUI access | Before access granted; annually thereafter | CUI access not provisioned or suspended |
| OFFICIAL-SENSITIVE handling training | Staff with DEFSTAN access | Before access granted | Access not provisioned |
| New starter security orientation | New joiners | First week | Access restrictions until complete |
| Role-specific training | Assigned roles | As notified | Role-dependent — access restrictions may apply |
| Post-incident training | As assigned after incident | Within two weeks of assignment | Escalated to line manager |
Contacts and support
Questions about training requirements or completion: contact HR — [hr@organisation.com]
Technical problems with the training platform: contact IT Operations — [helpdesk URL / phone]
Questions about training content or policy: contact the CISO — [ciso@organisation.com]
Security questions that are not urgent: attend a security team drop-in session or email the CISO
Urgent security concerns: security team 24-hour contact — [phone number]
Training and Awareness section — last reviewed: [DATE]. Owner: CISO and HR Manager. Training programme delivered via [platform name]. Annual campaign launches: [month]. Questions about this section: [ciso@organisation.com].