Employee Training and Awareness Documentation

Employee training and awareness appear in multiple places across the Trust Services Criteria: CC1 (demonstrating commitment to competence), CC2 (ensuring personnel understand their security responsibilities), and CC6 (ensuring personnel with privileged access understand their additional obligations). The training program is not a checkbox item — auditors test both the existence of the training and the completeness of the completion records, and they will ask whether the training content reflects actual security requirements and current threats.


Training Requirements by TSC

| Training Component | TSC Satisfied | Minimum Requirements | Evidence |
|---|---|---|---|
| Annual security awareness training | CC1, CC2 | Annual training covering: data handling policies, acceptable use, phishing awareness, password security, incident reporting, social engineering. Minimum 30 minutes; testing or quiz recommended. | Training platform completion records: employee name, training title, completion date, score (if applicable); 100% completion required for in-scope personnel |
| New hire security orientation | CC1, CC2 | Security training completed as part of onboarding, before access to production systems is granted. Covers same content as annual training plus role-specific obligations. | Onboarding training completion timestamp vs. access provisioning timestamp; must show training completed before or concurrent with system access |
| Privileged user training | CC6 | Additional training for personnel with administrative or privileged access: specific guidance on responsible use of elevated permissions, audit logging awareness, segregation of duties, and risk of insider threat. | Separate completion record for privileged user training; list of personnel with privileged access cross-referenced to training completions |
| Phishing simulation | CC2, CC7 | Periodic simulated phishing campaigns to test employee vigilance; remediation training for employees who click; metrics on click rate over time. | Simulation platform reports showing campaign dates, employee groups tested, click rates, and remediation training assignments |
| Role-specific privacy training | Privacy TSC | For organizations with Privacy TSC in scope: specific training on personal data handling, data subject rights, and applicable privacy regulations (GDPR, UU PDP, CCPA). | Separate privacy training completion records; content demonstrating coverage of applicable privacy requirements |


Training Completion Tracking

The evidence auditors request for training is not the training content — it is proof that each in-scope employee completed it. This requires a system that records: the employee’s name, the specific training completed, the date of completion, and (for knowledge checks) the score achieved. A training platform like KnowBe4, Proofpoint Security Awareness Training, or even a Learning Management System (LMS) with completion tracking satisfies this requirement.

KEY IDEA: Auditors will cross-reference the training completion list against the employee roster for the audit period. If a new employee was hired in March, their training completion date should be no later than their first day of access to production systems. If an employee terminated in September, they should appear in training completions for the training cycle that covered the months they were employed. Gaps in either direction are noted.
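The cross-reference described above, as an added example that is not part of the original page: a small Python reconciliation that checks a constructed employee roster against constructed training-platform completion records for one audit period. It assumes the simplified record schema shown, an all-staff security awareness course, and a separate privileged-user course for anyone flagged as privileged; the onboarding timing rule (training no later than production access) is applied only to people hired inside the period.

```python
from datetime import date

# Constructed sample data for illustration; not real employees or records.
ROSTER = [
    {"name": "A. Ortiz",  "hired": date(2024, 3, 4), "left": None,               "prod_access": date(2024, 3, 5), "privileged": False},
    {"name": "B. Chen",   "hired": date(2023, 6, 1), "left": None,               "prod_access": date(2023, 6, 2), "privileged": True},
    {"name": "C. Nair",   "hired": date(2024, 1, 8), "left": None,               "prod_access": date(2024, 1, 8), "privileged": True},
    {"name": "D. Okafor", "hired": date(2022, 5, 9), "left": date(2024, 9, 15),  "prod_access": date(2022, 5, 9), "privileged": False},
    {"name": "E. Patel",  "hired": date(2021, 2, 1), "left": date(2023, 11, 30), "prod_access": date(2021, 2, 1), "privileged": False},
]
COMPLETIONS = [  # export from the training platform: who, which course, when
    {"name": "A. Ortiz", "course": "security-awareness", "completed": date(2024, 3, 7)},
    {"name": "B. Chen",  "course": "security-awareness", "completed": date(2024, 2, 20)},
    {"name": "B. Chen",  "course": "privileged-user",    "completed": date(2024, 2, 21)},
    {"name": "C. Nair",  "course": "security-awareness", "completed": date(2024, 1, 8)},
    {"name": "E. Patel", "course": "security-awareness", "completed": date(2023, 2, 10)},
]
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # audit period under review

def in_scope(emp, period_start, period_end):
    """Employed for at least one day of the audit period (terminated staff stay in scope)."""
    return emp["hired"] <= period_end and (emp["left"] or date.max) >= period_start

def reconcile(roster, completions, period_start, period_end):
    """Cross-reference roster against completion records; return (employee, finding) pairs."""
    findings = []
    for emp in roster:
        if not in_scope(emp, period_start, period_end):
            continue
        # Earliest completion of each course by this person inside the audit period.
        done = {}
        for rec in completions:
            if rec["name"] == emp["name"] and period_start <= rec["completed"] <= period_end:
                done[rec["course"]] = min(done.get(rec["course"], rec["completed"]), rec["completed"])
        required = ["security-awareness"] + (["privileged-user"] if emp["privileged"] else [])
        new_hire = emp["hired"] >= period_start  # onboarding timing rule applies only to hires in the period
        for course in required:
            if course not in done:
                findings.append((emp["name"], f"no {course} completion in period"))
            elif new_hire and done[course] > emp["prod_access"]:
                late = (done[course] - emp["prod_access"]).days
                findings.append((emp["name"], f"{course} completed {late} day(s) after production access"))
    return findings

if __name__ == "__main__":
    for name, issue in reconcile(ROSTER, COMPLETIONS, *PERIOD):
        print(f"{name}: {issue}")
```

On the sample data this flags a new hire trained two days after receiving production access, a privileged user with no privileged-user completion, and a September leaver with no completion for the cycle that covered their employment; the 2023 leaver is correctly out of scope.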

One frequently missed requirement is re-training triggered by policy changes. If a material security policy is updated, and the update affects employee obligations, employees should be notified and (for significant changes) retrained. Documenting that a policy change triggered a notification — even a brief all-hands email or Slack announcement — satisfies CC2’s communication requirement for policy changes.


Phishing Simulation Program

A phishing simulation program runs periodic simulated phishing campaigns to test whether employees can identify and resist phishing attacks. For SOC 2 purposes, the program provides evidence that the organization is actively reinforcing security awareness, not just delivering one-time training. Auditors review: the frequency of campaigns, the click rate trends (improving over time suggests the program is effective), and whether employees who fail simulations receive remediation training.

BITLION INSIGHT: Phishing simulation click rates are data that enterprise security reviewers sometimes request in addition to the SOC 2 report. A program that shows consistent click rates below 5% with remediation training for failures demonstrates a mature security awareness culture. Organizations that have never run phishing simulations often discover significant click rates on their first campaign — which is valuable information that drives real improvement, but is best discovered before an enterprise client asks about it.