This article provides additional information on how you can meet the requirement for the CAF control: CAF - B6.b Training.
Cyber Security Training Requirements
Staff involved in delivering managed services should receive appropriate cyber security training so they understand their responsibilities and can help protect client environments.
Baseline and Role-Based Training
- All employees should complete mandatory security awareness training when they join the company.
- Staff should also complete regular refresher training (e.g., monthly or at appropriate intervals).
- Privileged users and technical specialists should receive additional role-based training relevant to their duties.
Tracking and Refresh Cycles
- Training completion should be tracked within a system such as Adoptech.
- Courses should be refreshed at appropriate intervals to ensure knowledge remains current.
- Training records should be reviewed and maintained.
Evaluating Effectiveness
- The effectiveness of the training programme should be assessed periodically.
- This may include reviewing:
  - training completion rates
  - phishing simulation click-through rates
  - other awareness metrics
- Training content should be updated where improvements are needed.
Accessible Guidance
- Cyber security policies, guidance and best-practice materials should be easily accessible to staff.
- These can be stored centrally in Adoptech to support ongoing awareness and consistent understanding.