← Controls / AT

AT-02 Security Awareness

Awareness and Training

Low Moderate High Privacy

Description

The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.

Supplemental Guidance

The organization determines the appropriate content of security awareness training based on the specific requirements of the organization and the information systems to which personnel have authorized access. The organization’s security awareness program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R 930.301) and with the guidance in NIST Special Publication 800-50.

Changes from Rev 4

Title changed from 'Security Awareness Training' Control text extended to include techniques, updates to literacy training and awareness content, and lessons learned Adds multiple parameters Discussion adds examples of events that may precipitate an update to literacy training and awareness content Incorporates awareness training elements of withdrawn App J control AR-05

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

7.27.3A.6.3

ISO 27002:2022

6.3

COBIT 2019

APO07APO13BAI08

CIS Controls v8

CIS 14CIS 14.1CIS 14.2CIS 14.3CIS 14.4CIS 14.5CIS 14.6CIS 14.7CIS 14.8

NIST CSF 2.0

GV.RR-01GV.RR-04PR.AT-01

PCI DSS v4.0.1

12.65.4

CSA CCM v4

HRS-11HRS-12HRS-13

CSA AICM v1

HRS-11HRS-12HRS-13HRS-14

ISO 42001:2023

A.4.6A.9.2

NIS2 Directive

Art. 21(2)(g)

APRA CPS 234

Para 19-20

BSI IT-Grundschutz

ORP.2ORP.3

ANSSI

Hygiene.1Hygiene.3SecNumCloud.8.3

FINMA Circular 2023/1

IV.B.a(48)IV.B.a(49)IV.B.b(50)IV.B.b(51)

OSFI B-13

B-13.1.1

EU GDPR

Art.39(1)(b)Art.47(2)(n)

EU DORA

Art.13(6)Art.5(4)

BIO2

6.3

RBI CSF

Annex1.23Annex1.14Annex1.24

FISC Security Guidelines

FISC.O8

LGPD + BCB 4893

BCB.Art.4LGPD.Art.47LGPD.Art.50

MLPS 2.0

8.1.8.2

DNB Good Practice

DNB.8.2DNB.9.1DNB.9.3

SWIFT CSCF

SWIFT.7.2

SAMA CSF

1.6

NCA ECC

1-10

UAE IA

T5

CBB TM

TM-3

Qatar NIA

HR

CBUAE

CR-11

CBE CSF

CTO-8GOV-4

SA JS2

JS2-8.6

CBN CSF

Part3.8Part8

BoG CISD

CISD-XCISD-XV

BoM CTRM

3.85.3

IOSCO Cyber Resilience

PROT-4

BCBS 239

Principle 1

CPMI-IOSCO PFMI

CG.GOVCG.LE

FFIEC IS

I.AI.CII.C.12II.C.13(e)II.C.7II.C.7(e)

NYDFS 500

500.10500.14

HIPAA Security Rule

§164.308(a)(5)(i)§164.308(a)(5)(ii)(A)§164.308(a)(5)(ii)(B)

ECB CROE

CROE.2.1.2CROE.2.3.2CROE.2.8.2

EBA ICT Guidelines

3.4.73.8(a)

SEBI CSCRF

CAPACITYPR.AT

BOT Cyber Resilience

Ch7.1

CMMC 2.0

AT

NERC CIP

CIP-004-7

10 CFR 73.54

RG5.71-C-AT

TSA Pipeline SD

SD-2 Sec H

FERC CIP Orders

Order 888

DOE C2M2 v2.1

WORKFORCE

API 1164

Sec 13

AWIA

AWWA Sec 8

IAEA NSS 17-T

Sec 9

Solvency II

DR.266

Lloyd's Minimum Standards

MS8.13

NAIC Insurance Data Security

4-training4B

PRA SS1/23

P2.3P3.6

FCA SYSC 13

SYSC 13.5.1SYSC 13.6.1

HITRUST CSF v11

02.b

FDA 21 CFR Part 11

§11.10(i)

ISO 27799

7.2

NHS DSPT

NDG-1.3NDG-2.1NDG-2.2NDG-2.3NDG-3.1

MiCA

Art.62(7)

Basel SCO60

SCO60.3SCO60.60

BSSC Standards

GSP-03

ISO 17799 (legacy)

6.2.38.2.210.4.111.7.113.1.114.1.415.1.4

COBIT 4.1 (legacy)

PO7.4