IT Security & NIS-2 | 22 May 2026 | 12 min read

Security Awareness Training: Employee Obligation Under NIS-2 and ISO 27001

By Lena Vogt

NIS-2 and ISO/IEC 27001:2022 require verifiable awareness measures for all employees. Anyone who runs training as a compulsory exercise without documenting it risks audit findings and fines.

Section 30(1)(5) BSIG and ISO/IEC 27001:2022, Control 6.3, require companies to regularly raise awareness of information security among all employees. This obligation is not a recommendation — it is a verifiable component of the ISMS and therefore a direct audit checkpoint for certifications, regulatory inspections, and insurers.

This article explains the specific requirements NIS-2 and ISO/IEC 27001:2022 place on security awareness training, how proof must be structured, and what differences between a standalone e-learning platform and an integrated compliance solution are decisive in an audit situation.

Key Takeaways

  • ISO/IEC 27001:2022 Control 6.3 and Section 30 BSIG require documentable awareness measures for all employees, not just IT staff.
  • Proof must contain participation, test completion, and certificate per individual — a training log without individual evidence is insufficient in an audit.
  • Training without workspace integration means separate documentation: for audit-proof records, training data and compliance proof must reside in the same system.

Legal Basis: What NIS-2 and ISO 27001 Specifically Require

The NIS-2 Directive (EU 2022/2555), Article 21(2)(g), requires essential and important entities to implement cybersecurity hygiene measures and training. In the German BSIG, Section 30(1)(5) specifies this requirement as part of the minimum measures catalogue. Under Section 38 BSIG, management bears personal responsibility for implementation.

ISO/IEC 27001:2022 addresses the topic in Control 6.3 (Awareness) and Control 6.4 (Training). Both require that persons performing ISMS-relevant activities are adequately trained and aware. A lead auditor evaluates documentation on three levels: Is there a training programme? Was it carried out? Is participation documented per individual?

A missing or incomplete record typically results in a nonconformity finding in a certification audit. More on the role of the Information Security Officer (ISB) responsible for the training programme in the article ISB at CIVAC.

Minimum Content of Compliant Security Awareness Training

Compliant training must cover at least the following topics per ISO/IEC 27001:2022 and BSI IT-Grundschutz Building Block ORP.3 (Awareness): phishing recognition and social engineering, secure password management and access control, handling of mobile devices and remote work, incident reporting channels, data classification and handling of confidential information.

Annual repetition is the minimum standard; a higher frequency of training must be documented for elevated risk profiles or after security incidents. For employees with privileged access rights (administrators, executives, finance staff), advanced training modules are considered best practice per ISO/IEC 27002:2022.

The BSI also recommends role-specific training: an accountant needs different focal points than a system administrator. Generic one-size-fits-all training without role alignment is increasingly evaluated as insufficient by experienced auditors.

Documentation: What Counts in an Audit Situation

What matters is not merely that a training took place, but that it can be proven who completed which training, when, and with what result. Deadlines run from the moment of knowledge: an auditor or authority requesting training records after an incident expects them to be presented immediately.

Compliant documentation contains, per employee: training title with version, date of completion, test result or completion confirmation, and name with signature or a digital certificate file. Collective logs or spreadsheets without individual certificates frequently trigger follow-up requests in formal audits.

The CIVAC workspace maps this proof structurally: the training module records participation, test, and certificate per person, exports proof at the click of a button, and links it to the monthly documentation workflow. The auditor calls, the proof is ready.

Common Implementation Mistakes and How to Avoid Them

The most common mistake is the separation of training system and compliance documentation. Companies use an external e-learning platform, export certificates as PDF files, and store them in a folder — without a structured link to the ISMS record. In an audit situation, gaps emerge: missing individuals, outdated certificates, no proof of training content.

A second common mistake: training is carried out once and not repeated. ISO/IEC 27001:2022 requires an ongoing programme, not a one-time campaign. Annual repetition cycles must be anchored in the ISMS plan.

Third mistake: training only for IT staff. Article 21 NIS-2 and ISO/IEC 27001:2022 Control 6.3 apply to all persons performing ISMS-relevant activities — effectively the entire workforce. Exceptions must be justified and documented.

Sector-Specific Training Obligations Beyond NIS-2

In healthcare, in addition to NIS-2, the requirements of KRINKO (Commission for Hospital Hygiene) and Section 36 IfSG apply. Training on hygiene standards and data protection under Article 29 GDPR is mandatory for employees with access to patient data. More in the article Hygiene Officer at CIVAC.

In the financial sector, DORA (EU 2022/2554) and BaFin requirements for ICT risk management require additional training on operational resilience. Employees with access to critical systems must demonstrably be informed about incident reporting obligations and emergency plans.

In logistics and manufacturing, where IT and OT (Operational Technology) converge, training on ICS/SCADA security and physical access control is NIS-2-relevant for companies classified as essential or important entities.

Training Frequency and Update Intervals

ISO/IEC 27001:2022 does not prescribe a fixed training frequency — but the standard requires the training programme to be appropriate and current. BSI IT-Grundschutz ORP.3.A1 recommends annual awareness measures as the minimum standard. In the case of an elevated threat level or after security incidents, the interval should be shortened.

Training content must be regularly reviewed. New attack vectors (e.g., AI-assisted phishing campaigns, QR-code phishing) must be integrated into the programme within a reasonable timeframe. A training plan unchanged for three years is evaluated in an audit as an indicator of an ISMS that is not actively lived.

In the CIVAC workspace, training modules are versioned. Each update to a training module automatically creates a new completion obligation for all affected employees. The ISB sees in the dashboard who has not yet completed — without manual tracking in spreadsheets.
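The per-employee proof structure described under "Documentation" and the versioning rule above can be checked mechanically. The following is an added example (not CIVAC's code or data model): a small audit check over constructed completion records that flags exactly the gaps the article names, namely missing individuals, outdated module versions, failed tests, missing individual certificates and completions older than the annual cycle. Module names, versions, employee identifiers and certificate ids are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample ISMS plan (not CIVAC's data model): required modules -> current version.
REQUIRED_MODULES = {"Phishing & Social Engineering": 3, "Password & Access Management": 2}
MAX_AGE_DAYS = 365  # annual repetition, the BSI IT-Grundschutz ORP.3.A1 minimum
AS_OF = date(2026, 5, 22)  # reference date for the sample check

@dataclass(frozen=True)
class Completion:  # one individual record: title + version, date, test result, certificate
    employee: str
    module: str
    version: int
    completed_on: date
    passed: bool
    certificate_id: str  # reference to the per-person certificate file; "" if none
def training_gaps(employees, completions, required=REQUIRED_MODULES, today=AS_OF, max_age=MAX_AGE_DAYS):
    """Return {employee: [reason, ...]} for everyone lacking audit-ready proof: the latest record
    must be for the current version, have a passed test and a certificate, and be <= max_age days old."""
    gaps = {}
    for emp in employees:
        reasons = []
        for module, current in required.items():
            recs = [c for c in completions if c.employee == emp and c.module == module]
            if not recs:
                reasons.append(f"{module}: no record")  # the 'missing individuals' gap
                continue
            latest = max(recs, key=lambda c: c.completed_on)
            if latest.version < current:
                reasons.append(f"{module}: v{latest.version} completed, v{current} required")
            if not latest.passed:
                reasons.append(f"{module}: test not passed")
            if not latest.certificate_id:
                reasons.append(f"{module}: no individual certificate")
            if (today - latest.completed_on).days > max_age:
                reasons.append(f"{module}: completed {latest.completed_on}, older than {max_age} days")
        if reasons:
            gaps[emp] = reasons
    return gaps
# Constructed sample records: a.mueller is complete, b.schmidt has an outdated version and a failed test, c.weber has no records.
EMPLOYEES = ["a.mueller", "b.schmidt", "c.weber"]
COMPLETIONS = [
    Completion("a.mueller", "Phishing & Social Engineering", 3, date(2026, 3, 2), True, "CERT-0001"),
    Completion("a.mueller", "Password & Access Management", 2, date(2026, 3, 2), True, "CERT-0002"),
    Completion("b.schmidt", "Phishing & Social Engineering", 2, date(2025, 1, 15), True, "CERT-0003"),
    Completion("b.schmidt", "Password & Access Management", 2, date(2026, 4, 1), False, "CERT-0004"),
]
def sample_gaps():
    return training_gaps(EMPLOYEES, COMPLETIONS)
```

Passing a smaller `max_age` models the shortened interval the article recommends after an incident; raising a module's version in `REQUIRED_MODULES` immediately reopens the obligation for everyone who completed the previous version.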

Integration into the ISMS: Training as Compliance Proof

An isolated e-learning system that issues certificates but is not integrated into the ISMS creates a documentation break. The ISO/IEC 27001:2022 auditor checks not only whether training has taken place, but whether the training documentation is part of the ISMS record and in context with risk treatment, incident management, and internal audits.

CIVAC connects training modules directly to the documentation workflow: completed training automatically flows into the monthly compliance proof. The ISB can demonstrate in the reporting function which employee groups were trained when and what risk mitigation is associated.

For companies using an external ISB mandate, this integration is particularly valuable: the external officer sees the training status in real time, can address gaps, and include the training proof directly in their status report to management.

Provider Selection: What to Look for in Training Platforms

When selecting a training platform for security awareness, four criteria should be paramount. First: auditability — does the platform deliver individual completion certificates with timestamps? Second: content updates — is the training catalogue regularly updated and are version statuses documented?

Third: data protection and GDPR compliance — is employee data processed on EU servers? CIVAC operates its platform with exclusive EU data residency, AES-256 at rest, TLS 1.3 in transit. Fourth: integration — can the training platform export proof to a higher-level compliance or ISMS system, or integrate directly?

An e-learning platform that only delivers training but creates no structured link to the ISMS generates additional manual effort in an audit situation. Choose a solution that provides training and compliance documentation from one system.

Securing Compliance Proof: CIVAC Training in the Workspace

Security Awareness Training is not a one-time task but an ongoing process with documentation obligations. CIVAC combines compliance platform and Officer-as-a-Service: the workspace contains training modules directly linked to the ISMS record. Licence the workspace for your internal officers — or have a certified CIVAC partner appointed as ISB to coordinate the training programme for you.

37 ready-to-deploy audit templates, an AI assistant with confidence score, and a reporting line to management ensure that training proof and ISMS documentation reside in the same system. Audit-proof, documented, ISO-27001-compliant.

Turn reading into action: info@civac.de.

FAQ

Is security awareness training mandatory under NIS-2 for all companies?

NIS-2 (Section 30 BSIG) requires training measures for essential and important entities. Additionally, ISO/IEC 27001:2022 recommends verifiable awareness measures for all companies operating an ISMS. Even without a NIS-2 obligation, many clients and cyber insurers require training records.

How often must security awareness training be conducted?

BSI IT-Grundschutz ORP.3 recommends at least annual repetition. ISO/IEC 27001:2022 requires an appropriate and current programme without specifying a fixed frequency. In cases of elevated risk or after incidents, the interval should be shortened.

What content must a compliant training cover under NIS-2?

At minimum: phishing recognition, password hygiene, handling mobile devices, incident reporting channels, and data classification. BSI IT-Grundschutz ORP.3 and ISO/IEC 27002:2022 provide additional recommendations for role-specific content.

How is training documentation recorded?

Documentation must be individual and contain training title, date, test result, and completion certificate. Collective logs without individual proof are frequently cause for nonconformity findings in ISO audits.

Can an external ISB coordinate the training programme?

Yes. The external ISB is responsible for the training programme as part of their mandate. In the CIVAC model, they see the training status of all employees in real time and can address gaps directly without relying on internal IT administrators.

What happens if an employee does not complete the training?

The ISB must be able to demonstrate that they identified and addressed the gap. In an audit situation, it is insufficient to say someone was sick. The CIVAC training module shows outstanding completions on the dashboard and generates automatic reminders.
