How to Build a Phishing Resilience Program That Actually Works
Your technical controls are strong, but your people remain the primary target for phishing attacks. This guide provides a structured, ISO 27001-aligned path to building a phishing resilience program that transforms your team from a vulnerability into your strongest line of defence, reducing human error and meeting regulatory demands from frameworks like NIS2 and DORA.
What’s at stake
Technical defences like email filters and endpoint protection are essential, but they are not infallible. Attackers know that the easiest way into a secure network is often through a person. A single click on a malicious link can bypass millions of pounds' worth of security technology. User accounts are the most targeted entry points for cyberattacks, and a successful phishing campaign can lead to credential theft, malware infection, and unauthorised access. The consequences are not just technical; they are deeply commercial. A compromised account can result in fraudulent wire transfers, the exposure of sensitive customer data, and significant operational downtime while systems are cleaned and restored.
The regulatory landscape is also unforgiving. Frameworks like GDPR, NIS2, and DORA explicitly mandate that organisations implement security measures that include ongoing staff training and awareness. Article 21 of the NIS2 Directive, for example, requires essential and important entities to provide cybersecurity training and promote basic cyber hygiene practices. Similarly, DORA’s Article 13 requires financial entities to establish comprehensive training programs. Failure to demonstrate a robust awareness program can lead to severe penalties, reputational damage, and a loss of customer trust. The risk is not abstract; it is a direct threat to your financial stability and legal standing. Human error is a key risk source, and regulators expect you to treat it with the same seriousness as any technical vulnerability.
Consider a mid-sized logistics company. An employee in the finance department receives a convincing email, seemingly from a known supplier, requesting an urgent payment to a new bank account. The email signature looks correct, and the tone is familiar. Under pressure to process invoices quickly, the employee makes the transfer without verbal verification. Days later, the real supplier calls about the overdue payment. The company has lost £50,000, and the subsequent investigation causes significant disruption. This incident was entirely preventable with a strong phishing resilience program that trains staff to spot red flags and verify unusual requests through a separate communication channel.
What good looks like
A successful phishing resilience program moves your organisation from a reactive posture to a proactive one. It fosters a security-conscious culture where employees are not just passive recipients of training but active participants in the company’s defence. This state is defined by measurable improvements in behaviour and a tangible reduction in human-related risk. It directly addresses the requirements of ISO/IEC 27001:2022, particularly Clause 7.3 on awareness and Annex A control A.6.3 on information security awareness, education, and training. Good looks like a workforce that understands its security responsibilities and has the competence to fulfil them.
In this ideal state, employees can confidently identify and report suspicious emails, rather than ignoring them or, worse, clicking on them. The reporting process is simple, well known, and integrated into their daily workflow. When a simulated phishing campaign is run, the click rate is low and consistently decreasing, while the reporting rate is high and increasing. This data provides clear evidence to auditors, management, and regulators that the program is effective. More importantly, it demonstrates that your people have become a human firewall, capable of detecting threats that automated systems might miss. This culture of vigilance is a core component of cyber hygiene, a principle central to modern regulations like NIS2.
Imagine a software development SME where a developer receives a sophisticated spear phishing email. The email appears to be from a project manager and contains a link to a document described as “urgent project specification changes”. The developer, trained to be sceptical of unexpected urgent requests, notices the sender’s email address is subtly incorrect. Instead of clicking, they use the dedicated “report phishing” button in their email client. The security team is immediately alerted, analyses the threat, and blocks the malicious domain across the entire organisation, preventing a potential breach. This is what good looks like: a trained, aware employee acting as a critical sensor in your security apparatus.
Practical path
Building a durable phishing resilience program is a systematic process, not a one-off event. It requires a structured approach that combines assessment, training, and continuous reinforcement. By breaking the implementation into manageable phases, you can build momentum and demonstrate value quickly. This path ensures your program is not just a box-ticking exercise for compliance but a genuine enhancement of your security posture. Our implementation guide, the Zenith Blueprint, provides the overarching framework for integrating this type of awareness initiative into your Information Security Management System (ISMS).[1]
Phase 1: Foundation and Baseline Assessment
Before you can build resilience, you need to understand your starting point. The first phase is about establishing a baseline of your team’s current awareness and identifying the specific competencies required for different roles. This involves more than just assuming everyone needs the same generic training. Your finance team faces different threats than your software developers. A thorough assessment helps you tailor your program for maximum impact, ensuring the content is relevant and engaging for its audience. This aligns with ISO 27001 Clause 7.2, which requires organisations to ensure people are competent based on appropriate education and training.
- Identify Required Competencies: Map out the specific security knowledge needed for different roles. For example, HR staff need to understand how to handle personal data securely, while IT administrators need deep knowledge of secure configuration.
- Assess Current Awareness: Conduct an initial, unannounced phishing simulation to establish a baseline click rate. This provides a concrete metric to measure future improvement against.
- Define Program Objectives: Set clear, measurable goals. For example, “Reduce the phishing simulation click rate by 50% within six months” or “Increase the phishing reporting rate to 75% within one year.”
- Select Your Tools: Choose a platform for delivering training and running simulations. Ensure it can provide detailed analytics on user performance and reporting.
Phase 2: Content Development and Initial Training
With a clear baseline and defined objectives, the next step is to develop and deliver the core training content. This is where you start closing the knowledge gaps identified in Phase 1. The key is to make the training practical, relevant, and continuous. A single annual training session is insufficient. Effective programs embed security awareness into the entire employee lifecycle, starting from day one. The goal is to equip every individual with the ability to identify and avoid common threats like phishing and malware.
- Develop Role-Based Training Modules: Create specific content for high-risk departments. Finance teams should receive training on business email compromise and invoice fraud, while developers get training on secure coding practices.
- Launch Foundational Training: Roll out a mandatory security awareness module for all employees. This should cover the basics of phishing, password hygiene, social engineering, and how to report a security incident.
- Integrate into Onboarding: Ensure that all new hires complete security awareness training as part of their onboarding process. This sets clear expectations from their very first day. Use this opportunity to have them acknowledge key policies.
Phase 3: Simulation, Reporting, and Feedback
Training alone is not enough; behaviour must be tested and reinforced. This phase focuses on running regular, controlled phishing simulations to give employees a safe environment in which to practise their skills. Just as important is establishing a frictionless process for them to report suspicious messages. When an employee reports a potential threat, they are providing valuable, real-time intelligence. Your response to these reports is critical for building trust and encouraging future reporting. A clear and practical incident response plan is essential here.
- Schedule Regular Phishing Simulations: Move from the baseline test to a regular cadence of simulations, perhaps monthly or quarterly. Vary the difficulty and themes of the templates to keep employees vigilant.
- Establish a Simple Reporting Mechanism: Implement a “report phishing” button in your email client. This makes it easy for users to report suspicious emails with a single click, removing any friction or uncertainty about what to do.
- Provide Immediate Feedback: When a user clicks a simulation link, provide instant, non-punitive feedback explaining the red flags they missed. If a user reports a simulation, send an automated “thank you” to reinforce the positive behaviour.
- Analyse and Share Results: Track metrics like click rates, reporting rates, and time to report. Share anonymised, high-level results with management and the wider team to demonstrate progress and maintain engagement.
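The metrics named above (click rate, reporting rate, time to report) are what the Phase 1 objectives are measured against. The following added example, which is not part of the original guide or any vendor platform, computes them from a constructed set of per-recipient simulation outcomes and checks the two sample objectives from Phase 1 (click rate halved against the baseline, reporting rate at or above 75%). The `Outcome` record layout and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Outcome:
    """One recipient's result in one simulation campaign (constructed schema)."""
    user: str
    delivered: datetime
    clicked: Optional[datetime] = None
    reported: Optional[datetime] = None

def campaign_metrics(outcomes):
    """Click rate and reporting rate as fractions, plus median minutes to report."""
    n = len(outcomes)
    clicks = sum(1 for o in outcomes if o.clicked)
    reports = [o for o in outcomes if o.reported]
    ttr = [(o.reported - o.delivered).total_seconds() / 60 for o in reports]
    return {"click_rate": clicks / n,
            "report_rate": len(reports) / n,
            "median_minutes_to_report": median(ttr) if ttr else None}

def objectives_met(baseline, latest, click_cut=0.5, report_target=0.75):
    """Phase 1 objectives: click rate cut by 50% vs baseline, reporting rate >= 75%."""
    return {"click_rate_halved": latest["click_rate"] <= baseline["click_rate"] * (1 - click_cut),
            "report_target_hit": latest["report_rate"] >= report_target}

def _make(sent, rows):
    # rows: (user, minutes until click or None, minutes until report or None)
    return [Outcome(u, sent,
                    sent + timedelta(minutes=c) if c is not None else None,
                    sent + timedelta(minutes=r) if r is not None else None)
            for u, c, r in rows]

# Constructed sample data: the baseline campaign and one run six months later.
BASELINE = _make(datetime(2024, 1, 15, 9, 0), [
    ("u1", 3, None), ("u2", None, None), ("u3", 12, None), ("u4", None, 40),
    ("u5", 7, None), ("u6", None, None), ("u7", 2, 30), ("u8", None, None)])
LATEST = _make(datetime(2024, 7, 15, 9, 0), [
    ("u1", None, 4), ("u2", None, 9), ("u3", 5, 6), ("u4", None, 2),
    ("u5", None, 15), ("u6", None, None), ("u7", None, 3), ("u8", None, 8)])

if __name__ == "__main__":
    base, now = campaign_metrics(BASELINE), campaign_metrics(LATEST)
    print("baseline", base)
    print("latest  ", now)
    print("objectives", objectives_met(base, now))
```

A user who clicks and then reports (u7 in the baseline, u3 in the later run) counts towards both rates, which is deliberate: the report is still the behaviour you want to reinforce, and the click is still a training signal.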
Policies that make it stick
A successful phishing resilience program cannot exist in a vacuum. It must be supported by a clear and enforceable policy framework that formalises expectations, defines responsibilities, and integrates security awareness into the fabric of the organisation. Policies translate strategic goals into operational rules that guide employee behaviour and provide a basis for accountability. Without this documented foundation, training efforts can feel optional and their impact will fade over time. The central document for this is the Information Security Awareness and Training Policy.[2] This policy establishes the mandate for the entire program, from onboarding to ongoing education.
This core policy should not stand alone. It must be linked to other critical governance documents to create a cohesive security culture. For instance, your Acceptable Use Policy[3] sets the ground rules for how employees use company technology, making it a natural place to reference their responsibility to be vigilant against phishing. When a security event does occur, the Incident Response Policy[4] must clearly define the steps an employee should take to report it, ensuring that the intelligence gathered from a reported phishing attempt is handled swiftly and effectively. Together, these policies create a system of interlocking controls that reinforce secure behaviours.
For example, during a quarterly ISMS review meeting, the CISO presents the latest phishing simulation results. They show a slight increase in clicks on invoice fraud templates. The team decides to update the Information Security Awareness and Training Policy to mandate specific, targeted training for the finance department before the next quarter. This decision is documented, and the updated policy is communicated to all relevant staff, ensuring the program adapts to emerging risks in a structured and auditable way.
Checklists
To ensure your program is comprehensive and effective, it helps to break down the work into distinct stages: building the foundation, operating it day to day, and verifying its impact. These checklists provide a practical guide for each stage, helping you stay on track and ensure you are meeting the expectations of auditors and regulators. A well-documented program is far easier to defend during an audit.
Build: Building a Phishing Resilience Program
A strong foundation is critical for long-term success. This initial phase involves strategic planning, securing resources, and designing the core components of your program. Rushing this stage often leads to generic, ineffective training that fails to engage employees or address your specific risk profile. Taking the time to build it right will pay dividends in improved security posture and a more resilient workforce.
- Define clear objectives and key performance indicators (KPIs) for the program.
- Secure management buy-in and an adequate budget for tools and resources.
- Conduct a baseline phishing simulation to measure initial vulnerability.
- Identify high-risk user groups and the specific threats they face.
- Develop or procure foundational and role-specific training content.
- Integrate security awareness training into the new-hire onboarding process.
- Establish a simple, one-click process for users to report suspicious emails.
Operate: Maintaining Program Momentum
Once launched, a phishing resilience program requires continuous effort to remain effective. This operational phase is about maintaining a regular cadence of activities that keep security top of mind for all employees. It involves running simulations, communicating results, and adapting the program based on performance data and the evolving threat landscape. This is where you turn a one-time project into a sustainable business process.
- Schedule and run regular phishing simulations with varied templates and difficulty levels.
- Provide immediate, educational feedback to users who click on simulation links.
- Acknowledge and thank users who correctly report simulated and real phishing emails.
- Publish regular, anonymised reports on program performance to stakeholders.
- Deliver ongoing awareness content through newsletters, tips, or internal communications.
- Update training modules annually or when significant new threats emerge.
Verify: Auditing Program Effectiveness
Verification is about proving that your program works. This involves gathering and presenting evidence to auditors, regulators, and senior management. An effective program is data-driven, and you should be able to demonstrate a clear return on investment through reduced risk. Auditors will look for objective evidence, not just assertions. Using a structured library of control objectives like the Zenith Controls can help ensure your evidence aligns with standards like ISO 27001.[5]
- Maintain detailed records of all training activities, including schedules and attendance logs.
- Keep copies of all training materials and phishing simulation templates used.
- Track and document phishing simulation click rates and reporting rates over time.
- Collect evidence of post-incident reviews where phishing was a root cause.
- Conduct periodic assessments, such as interviews or quizzes, to gauge knowledge retention.
- Be prepared to show auditors how the program has measurably reduced human-related risk.
Common pitfalls
Even with the best intentions, phishing resilience programs can fail to deliver results. Avoiding these common mistakes is just as important as following best practices. Being aware of these traps can help you design a program that is engaging, effective, and sustainable.
- Treating training as a one-time event. Security awareness is not a “one and done” task. It requires continuous reinforcement. An annual training session is quickly forgotten and does little to build a lasting security culture.
- Creating a culture of blame. Punishing users who fail phishing simulations is counterproductive. It discourages reporting and creates fear, driving security issues underground. The goal is education, not discipline.
- Using unrealistic or generic simulations. If your phishing templates are obviously fake or irrelevant to your business context, employees will quickly learn to spot the simulations, but not real world attacks.
- Ignoring the C-suite. Attackers frequently target senior leaders with highly personalised spear phishing attacks. Executives and their assistants must be included in training and simulations.
- Making reporting difficult. If an employee has to search for instructions on how to report a suspicious email, they are less likely to do it. A simple, one-click reporting button is non-negotiable.
- Failing to act on reported incidents. When users report real phishing emails, they are providing critical threat intelligence. If the security team does not acknowledge or act on these reports, users will stop bothering.
Next steps
Building a resilient human firewall is an essential part of any modern security strategy. By implementing a structured, continuous phishing awareness program, you can significantly reduce your risk of a breach and demonstrate compliance with key regulations.