GRCWatch
Sign inStart free trial

PCI DSS 12.6.2: Review Security Awareness Program Annually

PCI DSS 12.6.2 requires organizations to formally review their security awareness program at least once every 12 months. This control ensures your training remains effective, addresses emerging threats, and demonstrates sustained commitment to employee security culture. For SMBs managing limited compliance resources, a structured annual review process simplifies documentation and reduces audit friction.

What this means

This control mandates a documented annual evaluation of your organization's security awareness program. The review assesses program effectiveness, identifies gaps in employee knowledge, evaluates training content relevance to current threats, and determines whether the program meets organizational security objectives. The review must be completed within a 12-month cycle and documented to provide audit evidence of your ongoing compliance commitment.

How to comply

  1. 1.Schedule a formal review meeting with compliance, security, and HR stakeholders before your annual deadline
  2. 2.Collect metrics on training completion rates, assessment scores, and employee participation across all personnel
  3. 3.Evaluate training content against current threat landscape and organizational vulnerabilities
  4. 4.Assess employee security knowledge gaps through surveys, simulations, or phishing test results
  5. 5.Document review findings, recommendations, and any program updates in writing
  6. 6.Implement identified improvements and communicate changes to staff
  7. 7.Maintain records of the review date, attendees, findings, and actions taken for audit purposes

Evidence auditors look for

  • Dated review meeting minutes with attendee signatures and review findings documented
  • Annual training effectiveness metrics including completion rates and assessment results
  • Documented gap analysis comparing current threats to training content coverage
  • Employee feedback or survey results from security awareness program evaluation
  • Compliance report summarizing program strengths and recommended improvements
  • Records of any program updates, new training modules, or policy changes implemented based on review
  • Audit trail showing review completion within the 12-month requirement period

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates annual review scheduling and automatically compiles training metrics, completion rates, and assessment data to streamline your 12.6.2 documentation—eliminating manual data gathering and ensuring timely, audit-ready evidence collection.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.6.1 - Security Awareness Program ImplementationPCI DSS 12.6.3 - Security Awareness Program ContentPCI DSS 12.6.4 - Security Awareness Program Documentation