GRCWatch
Sign inStart free trial

CIS Controls 14.1: Establish and Maintain a Security Awareness Program

Security awareness training is your first line of defense against human error and social engineering attacks. CIS Control 14.1 requires organizations to implement mandatory training at onboarding and minimum annual refreshers. Without a structured program, even the best technical controls fall short—making workforce education non-negotiable for compliance.

What this means

CIS 14.1 mandates creation and maintenance of a formal security awareness program designed to educate your workforce on secure handling of enterprise assets and data. The control requires training delivery at the point of hire and at minimum once annually. Organizations must review and update program content yearly, or immediately when significant business changes occur that could affect this safeguard's effectiveness. The goal is building a security-conscious culture where employees understand their role in protecting organizational data.

How to comply

  1. 1.Develop a documented security awareness program policy that defines scope, objectives, and mandatory training frequency
  2. 2.Deliver initial security awareness training to all employees at time of hire, before they access enterprise systems
  3. 3.Conduct minimum annual refresher training for all workforce members; document completion and attendance
  4. 4.Review program content annually and update based on emerging threats, regulatory changes, and internal security incidents
  5. 5.Implement additional training triggered by significant organizational changes (new systems, policy updates, breach response)
  6. 6.Track training completion rates and maintain records for audit and compliance verification
  7. 7.Assess program effectiveness through metrics such as phishing click rates, security incident trends, or knowledge assessments

Evidence auditors look for

  • Security awareness training policy with defined scope, mandatory frequency, and content review schedule
  • Training completion records showing 100% of employees trained at hire and annual refresher participation
  • Training content (slides, videos, modules) covering password management, phishing recognition, data handling, and incident reporting
  • Annual content review and update documentation with dates and change justifications
  • Training delivery logs with attendee names, dates completed, and assessment scores
  • Phishing simulation results and awareness metrics tracking program effectiveness
  • Incident reports cross-referenced with training topics to identify knowledge gaps
  • Signed acknowledgment forms or LMS records confirming employee training completion

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates security awareness training scheduling, tracks completion across your entire workforce, and generates audit-ready evidence reports—eliminating manual tracking and ensuring CIS 14.1 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 14.2 — Information Security Awareness and Training Program ImprovementCIS 6.1 — Establish an Incident Response ProgramCIS 2.1 — Establish and Maintain a Software Inventory