Owner: CHRO (delivery), with CISO (content)
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC1.4 / CC2.2 (training and communication); ISO/IEC 27001 A.6.3 (information-security awareness). Implements the Human Resources Security Policy.
This procedure operationalizes the Human Resources Security Policy → Information security awareness, education & training clause. It is the canonical operating record for SOC 2 CC1.4 / CC2.2 (training and communication) and ISO/IEC 27001 A.6.3 (information security awareness).

Cadence

TriggerWhenOwner
New-hire trainingWithin 30 days of start dateCHRO (delivery), CISO (content)
Annual refresherAnnually, by the employee’s hire anniversary (no later than 12 months after their most recent completion)CHRO (assignment), CISO (content)
Role-specific trainingAt time of role change, then annuallyHiring manager (assignment), CISO + relevant policy owner (content)
Topical / out-of-cycle trainingOn any material change to threat landscape, policy, or after a relevant incidentCISO

Content

The baseline training is delivered through Vanta and covers, at minimum: Role-specific modules layer on top of the baseline:
RoleAdditional module(s)
EngineeringSecure coding (/engineering/secure-coding), secrets handling (/engineering/secrets-management), change management (/engineering/change-management)
People-managers, recruitersFair-chance hiring + adverse-action handling (/procedures/background-checks)
Finance / executivesWire-fraud and CEO-impersonation patterns; SOX-style segregation of duties
Anyone with production accessProduction-access training (/policies/access-control §“Production access”), data-handling under /policies/data-management
Anyone handling employee or candidate dataEmployee privacy (/policies/employee-privacy), AEDT and bias-audit procedures (/procedures/employment-ai-bias-audit)
The CISO reviews and updates training content at least annually; out-of-cycle updates are issued after any material policy change or incident-driven control change.

Process

  1. Assignment. CHRO assigns the baseline and role-applicable modules in Vanta on hire (and on role change). Assignments target completion within 30 days for new hires and within 30 days of the anniversary for annual refresh.
  2. Completion. Employees and applicable contractors complete modules and attest in Vanta. Vanta records the timestamp and the policy acknowledgement.
  3. Reminders. Vanta surfaces overdue items at 7 days before the due date, on the due date, and weekly thereafter. CHRO escalates any item more than 14 days past due to the employee’s manager.
  4. Reporting. CISO reviews the training completion dashboard monthly and reports trailing-quarter completion percentage at each ISMS Management Review.
  5. Phishing simulations. A simulated phishing campaign is run at least twice per year through the platform configured by the CISO (currently the simulation features of the email gateway). Click-rate and reporting-rate are reported at the ISMS Management Review. Repeat clickers are referred to additional targeted training; the CISO maintains the criteria and threshold.

Evidence

The following are retained in Vanta and surfaced into the SharePoint SOC 2 / ISO 27001 evidence library:
  • Per-employee training-completion records — module, date, attestation hash.
  • Training content version in effect at the time of completion.
  • Phishing-simulation campaign reports — date, click rate, report rate, repeat-clicker follow-up.
  • Annual sign-off by the CISO that the program has been reviewed and is current.
Records are retained for at least 7 years per the Records Retention Schedule.

Failure to complete

An employee who has not completed training by their due date — 30 days from assignment (at hire, or on the annual anniversary for the refresh), not 30 days after a separate due date — has their access suspended (excluding onboarding-only access) until completion is recorded. Repeated failure is grounds for disciplinary action per the Information Security Policy → Violations & enforcement.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 15, 2026Initial version — implements Human Resources Security Policy → Information security awareness, education & training, SOC 2 CC1.4 / CC2.2, ISO 27001 A.6.3Cameron WolfeIshan Jadhwani