Awareness & Training
Ensure personnel are trained and aware of cybersecurity policies.
9 of 9 frameworks cover this control
Framework Mappings
How Awareness & Training maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.AT-01 PR.AT-02 |
| ISO 27001 | Covered | A.6.3 A.7.2 |
| CIS v8 | Covered | CIS 14.1 CIS 14.2 |
| SOC 2 | Covered | CC1.4 CC2.2 |
| PCI DSS | Covered | 12.6.1 12.6.2 12.6.3 |
| CMMC | Covered | AT.L2-3.2.1 AT.L2-3.2.2 |
| 800-53 | Covered | AT-1 AT-2 AT-3 |
| HIPAA | Covered | §164.308(a)(5)(i) §164.308(a)(5)(ii)(A) |
| GDPR | Covered | Art.39(1)(b) Art.47(2)(n) |
About Awareness & Training
Awareness & Training is a cybersecurity control in the Protect domain. Its objective is to ensure personnel are trained and aware of cybersecurity policies. Security awareness training is a critical human-layer defense that reduces the risk of social engineering, phishing, and accidental data exposure. Programs should cover recognizing phishing attempts, safe browsing practices, password hygiene, incident reporting procedures, and role-specific security responsibilities. Most compliance frameworks require training at onboarding and at least annually thereafter, with supplemental phishing simulations to measure effectiveness and identify employees who need additional coaching.
This control is recognized by 9 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR. It has full coverage across all 9 frameworks.