Cybersecurity Awareness Training Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact demonstrates that your company provides structured cybersecurity awareness training for staff. Cyber Essentials requires this because humans are often the first line of defence — and the first target. A proper training guide proves your team knows how to handle phishing emails, dodgy Wi-Fi, weak passwords, and more.


2. What You Will Submit

You will need:

  • Cybersecurity Awareness Training document (Word, PDF, or slide deck).

  • It should cover:

    • Cyber hygiene basics (passwords, MFA, safe browsing).

    • Recognising phishing and suspicious attachments.

    • Role-specific training (e.g. finance staff on invoice fraud, IT staff on admin account risks).

    • Secure use of networks and devices.

    • Reporting processes (how to escalate suspicious emails or incidents).


3. How to Collect / Obtain / Generate This Evidence

  • If you already have a training program:

    • Export the syllabus or staff training manual.

    • Ensure the document includes date/version and target audience.

  • If starting fresh:

    1. Use the Cybersecurity Awareness Training Template (from StrongKeep or CSA Cyber Essentials guidance).

    2. Add your company name, logo, and version control.

    3. Write clear sections:

      • Introduction: Why staff training matters.

      • Threats & Risks: Phishing, ransomware, weak passwords, unsafe Wi-Fi.

      • Cyber Hygiene Habits: Updates, MFA, device lock, reporting.

      • Role-Based Modules: Tailored to job functions.

      • Reporting Process: How to flag suspicious activity.

    4. Save the file as PDF/DOCX and circulate it to staff.

    5. Keep records of who attended or completed training (this links to the separate artefact “Users Training Completion Screenshot”).


4. Evidence Format

  • Accepted file types: DOCX, PDF.

  • Suggested naming format:
    YourCompanyName_CyberAwarenessTraining_YYYY-MM-DD.pdf


5. What “Good” Looks Like

  • Clearly structured content (topics and objectives).

  • Role differentiation — e.g. IT staff vs. general staff.

  • Practical advice (not just theory).

  • Version/date visible — shows it’s kept current.

Why it matters: auditors want proof that training isn’t just a tick-box exercise but an active, documented program.


6. Tips

  • Update the content annually (cyber threats evolve quickly).

  • Use quizzes or sign-off forms to confirm completion (ties to completion evidence).

  • Keep language simple — staff should understand it without needing IT expertise.