ISO 27001:2022 Training Evidence for NIS2 and DORA

It is 09:12 on a Tuesday morning in February 2026. A finance analyst at a rapidly scaling FinTech receives an email that appears to come from the CFO, asking for an urgent review of a supplier payment file. The attachment opens a convincing copy of the Microsoft login page. The analyst hesitates, remembers last month’s phishing simulation and payment fraud module, and reports the email through the security portal instead of entering credentials.
For the CISO, that single decision is a control working in real life.
For the auditor, the story is not enough.
The evidence request lands a week later: “Provide evidence of a comprehensive, role-based information security awareness and training program, including effectiveness metrics and records demonstrating coverage for all personnel, including management.”
That sentence changes the conversation. A spreadsheet showing “Completed” beside 97 percent of employees is no longer sufficient. The auditor will ask who trained the analyst, when the training was assigned, whether it was mandatory, whether it was role-based, whether finance received additional payment fraud awareness, whether new hires and contractors were included, whether management approved the program, whether training changed after the last phishing campaign, and whether completion records were retained.
In 2026, security awareness training evidence sits at the intersection of ISO/IEC 27001:2022, NIS2, DORA, GDPR and NIST CSF 2.0. It is no longer a yearly HR exercise. It is board governance, risk treatment, incident readiness, legal accountability and audit evidence.
Clarysec treats security awareness as an operational evidence system, not a slide deck. Zenith Blueprint: An Auditor’s 30-Step Roadmap, Zenith Controls: The Cross-Compliance Guide, Information Security Awareness and Training Policy - SME, and Information Security Awareness and Training Policy connect role-based training to the ISMS, regulatory obligations, incident response, supplier access and management review.
Why generic security awareness training fails in 2026
The regulatory shift is clear. NIS2 makes cybersecurity a management responsibility for essential and important entities. Article 20 requires management bodies to approve cybersecurity risk-management measures, oversee implementation and receive training. Article 21 includes basic cyber hygiene and cybersecurity training as part of the required risk-management baseline. For cloud providers, data centre providers, managed service providers, managed security service providers, DNS providers, TLD registries, online marketplaces and search engines, training has become a board-level issue.
DORA raises the bar for financial entities and ICT providers serving the financial sector. It applies from 17 January 2025 and requires financial entities to maintain an internal governance and control framework for ICT risk management. Management bodies must oversee ICT risk, budgets, audits, third-party arrangements, business continuity, response and recovery plans, and digital operational resilience. DORA Articles 17 to 19 also require ICT-related incidents to be detected, classified, escalated, communicated and reported. Training is what makes those procedures executable under pressure.
ISO/IEC 27001:2022 gives organizations the management system backbone. Clauses 4 to 10 cover context, interested parties, leadership, risk assessment, risk treatment, competence, awareness, documented information, performance evaluation and improvement. The standard is scalable across sectors and sizes, which is why Clarysec uses it as the operating model for integrated ISO, NIS2, DORA, GDPR and NIST alignment.
GDPR adds the accountability layer. Organizations must demonstrate that personal data is processed lawfully, fairly, securely and with appropriate technical and organizational measures. Employees who handle personal data, administer systems, build software, support customers or investigate incidents need privacy and breach escalation training.
NIST CSF 2.0 reinforces the same direction. Its GOVERN function connects legal, regulatory, contractual, privacy and stakeholder requirements with roles, responsibilities, policies, resources, oversight and enterprise risk management. NIST CSF Profiles also help translate training obligations into current-state and target-state improvement plans.
The result is simple: audit-ready security awareness training must prove that people know their responsibilities, that training is tailored to role and risk, and that evidence is complete enough for auditors, regulators, customers and management.
The audit problem: “we trained everyone” is not evidence
Many organizations fail audits not because they did no training, but because they cannot prove that training was designed, assigned, completed, reviewed and improved.
A weak evidence pack usually includes one annual PDF, a completion spreadsheet with no dates, no onboarding evidence, no contractor coverage, no privileged user training, no management training, no role-based modules for developers or finance, no link to the risk assessment and no proof that training was updated after incidents or regulatory change.
Auditors do not want a motivational poster. They want a chain of evidence.
Clarysec’s SME policy makes that expectation explicit. Information Security Awareness and Training Policy - SME, Objectives, clause 3.3, requires organizations to:
“Establish documented records of completion to demonstrate compliance with legal, contractual, and audit requirements.”
The same SME policy turns training into retained documented information. Policy Implementation Requirements, clause 6.3.2, states:
“A central spreadsheet or Human Resource Information System must maintain these records for a minimum of three years.”
For enterprise environments, Information Security Awareness and Training Policy, Purpose, clause 1.2, sets a more structured expectation:
“This policy supports ISO/IEC 27001 Clause 7.3 and Annex A Control 6.3 by requiring a structured, risk-informed awareness and training framework tailored to organizational roles and evolving threats.”
That phrase matters: structured, risk-informed, role-tailored and threat-aware. It is the difference between awareness theatre and defensible competence.
Start with roles, not courses
The most common mistake is buying content before defining responsibilities. In an integrated compliance program, the right first question is not “Which training platform should we use?” The right question is “Which roles create, manage, approve, process, secure or recover information assets?”
ISO/IEC 27001:2022 Clause 5.3 requires assignment and communication of responsibilities and authorities for information security roles. Clause 7.2 requires competence for persons doing work under the organization’s control, based on education, training or experience. Clause 7.3 requires awareness of the information security policy, contribution to ISMS effectiveness and implications of nonconformity.
In Zenith Blueprint, ISMS Foundation & Leadership, Step 5: Communication, Awareness, and Competence, Clarysec translates this into implementation language:
“Identify Required Competencies: Determine what knowledge and skills are necessary for different roles in your ISMS.”
The Blueprint gives practical examples: IT staff may need secure server configuration, developers need secure coding, HR needs secure personal data handling and general staff need phishing awareness. It also emphasizes records:
“Maintain Records of Competence: Clause 7.2 expects you to retain documented information as evidence of competence.”
That means the training program should start with a role-to-risk matrix.
| Role group | Training focus | Evidence to retain | Compliance value |
|---|---|---|---|
| All employees | Phishing, password hygiene, MFA, acceptable use, device security, incident reporting | Completion report, quiz score, policy acknowledgement, content version | ISO/IEC 27001:2022 Clause 7.3, ISO/IEC 27002:2022 control 6.3, NIS2 Article 21 |
| Executives and board | Cyber risk governance, NIS2 Article 20 duties, DORA oversight, risk appetite, crisis decisions | Attendance record, board pack, minutes, program approval | NIS2 Article 20, DORA Article 5, ISO/IEC 27001:2022 leadership evidence |
| Developers | Secure coding, OWASP Top 10, secure SDLC, API security, vulnerability handling, secrets management | Module completion, lab results, secure coding checklist, remediation evidence | ISO/IEC 27002:2022 controls 8.25 and 8.28, DORA ICT risk expectations |
| IT and system administrators | Privileged access, logging, vulnerability management, backup restore, change control, hardening | Completion record, access review linkage, tabletop participation | ISO/IEC 27002:2022 controls 8.8 and 8.13, DORA resilience readiness |
| HR | Confidentiality, onboarding and offboarding, disciplinary process, special category data handling | HR training record, onboarding checklist, policy acknowledgement | GDPR accountability, ISO/IEC 27002:2022 people controls |
| Finance | Payment fraud, supplier impersonation, segregation of duties, suspicious request escalation | Targeted module completion, phishing simulation results | Fraud risk reduction, NIS2 and DORA incident readiness |
| Customer support | Identity verification, secure ticket handling, personal data protection, escalation paths | Role module completion, ticket review sample, privacy acknowledgement | GDPR processor accountability, customer assurance |
| Incident responders | Classification, escalation, evidence preservation, regulatory notification timelines, lessons learned | Exercise record, scenario report, role assignment, action tracker | NIS2 Article 23, DORA Articles 17 to 19, ISO/IEC 27002:2022 incident controls |
| Contractors with system access | Acceptable use, reporting channel, data handling, access conditions | Contractor acknowledgement, onboarding record, access approval linkage | Supplier assurance, access governance, contractual compliance |
This matrix is not just a training schedule. It is a compliance map showing why different populations receive different training.
Connect training to the control chain
In Zenith Controls, ISO/IEC 27002:2022 control 6.3, Information Security Awareness, Education and Training, is categorized as a preventive control supporting confidentiality, integrity and availability. Its cybersecurity concept is Protect, its operational capability is Human Resource Security, and its security domains are Governance and Ecosystem.
The Zenith Controls cross-compliance interpretation is direct:
“Control 6.3 addresses NIS2’s mandate for security training and awareness by implementing a structured awareness program covering cyber hygiene, emerging threats, and staff responsibilities.”
The same mapping connects ISO/IEC 27002:2022 control 6.3 to GDPR expectations for employees handling personal data, DORA ICT security training tailored to roles, and NIST SP 800-53 Rev.5 AT-2, AT-3 and AT-4 for literacy training and awareness, role-based training and training records.
The key point is that control 6.3 does not stand alone. Zenith Controls ties it to ISO/IEC 27002:2022 control 5.2, Information Security Roles and Responsibilities, because roles define who needs which training. It ties it to control 6.8, Information Security Event Reporting, because employees cannot report what they cannot recognize. It also ties it to control 5.36, Compliance with Policies, Rules and Standards for Information Security, because compliance depends on people knowing the rules.
That creates a practical control chain:
- Define responsibilities.
- Assign baseline and role-based training.
- Prove completion.
- Test understanding.
- Monitor compliance.
- Correct gaps.
- Feed lessons into risk treatment and management review.
This matters for NIS2 because Article 21 requires risk analysis, policies, incident handling, business continuity, supply chain security, secure acquisition and maintenance, control effectiveness assessment, cyber hygiene and training, cryptography, HR security, access control, asset management, and MFA or secure authentication where appropriate.
It matters for DORA because governance, incident management, response and recovery, third-party risk and resilience testing only work if people know what to do before the incident happens.
Build the audit-ready evidence pack
A mature evidence pack contains more than attendance logs. It shows governance, design, delivery, completion, effectiveness and improvement. Clarysec recommends a six-folder structure.
| Evidence folder | What it contains | Why it matters |
|---|---|---|
| 01 Governance | Approved policy, training objectives, management approval, budget, annual plan | Shows leadership commitment and oversight |
| 02 Role mapping | Role inventory, competency matrix, training assignment rules, contractor scope | Proves risk-based and role-based design |
| 03 Training content | Course decks, LMS modules, phishing templates, security bulletins, version history | Shows what people were actually taught |
| 04 Completion records | LMS exports, HRIS records, attendance logs, quiz results, acknowledgements | Demonstrates participation and retained documented information |
| 05 Effectiveness evidence | Phishing simulation metrics, interview results, incident reporting trends, tabletop outcomes | Shows whether training changed behavior |
| 06 Improvement | Corrective actions, updated modules, lessons learned, management review inputs | Shows continual improvement |
The enterprise Clarysec policy requires onboarding, annual refresher training and role-based modules. Information Security Awareness and Training Policy, Governance Requirements, clause 5.1.1.2, states:
“Include onboarding, annual refresher training, and role-based training modules”
The same policy assigns evidence ownership. Governance Requirements, clauses 5.3.1 and 5.3.1.1, state:
“The CISO or delegate must maintain:”
“Completion records for each user”
For SMEs, the SME policy adds a pragmatic cadence. Information Security Awareness and Training Policy - SME, Policy Implementation Requirements, clause 6.1.1, states:
“Materials must be practical, role-appropriate, and updated annually.”
It also covers change-triggered training. Clause 6.5.1 states:
“When job roles change or systems are introduced, targeted awareness training may be required (e.g., secure file sharing, new data protection, and data minimization requirements).”
That clause is especially important in 2026 because cloud migration, AI tools, new payment integrations, new processors and regulatory reporting changes can alter risk faster than an annual cycle.
A one-week rescue plan before the audit
Consider a 180-person SaaS or FinTech provider preparing for ISO/IEC 27001:2022 surveillance, DORA customer due diligence, GDPR accountability review and NIS2-driven customer questions. The CISO has one week to turn generic completion records into a defensible evidence pack.
Day 1: Confirm scope and obligations
Use ISO/IEC 27001:2022 Clauses 4.1 to 4.4 to confirm context, interested parties and ISMS scope. Capture customer contractual commitments, GDPR controller or processor obligations, NIS2 expectations from critical customers and DORA-related ICT supplier due diligence requests.
Then translate those obligations into training needs. GDPR requires staff handling personal data to understand confidentiality, minimization, retention and breach escalation. NIS2 requires cyber hygiene, employee training and management oversight. DORA-driven customers will expect evidence that teams supporting critical services understand incident escalation, resilience, access control, backup and recovery, and third-party coordination.
Day 2: Build the role-based matrix
Use the guidance in Zenith Blueprint and the mappings in Zenith Controls for ISO/IEC 27002:2022 controls 5.2 and 6.3. Include employees, contractors, privileged users, developers, support teams, HR, finance, executives and incident responders.
Tie each role to systems and risks. Developers get secure coding and vulnerability handling. Support teams get identity verification and secure ticket handling. Finance gets payment fraud and supplier change verification. Executives get governance, legal accountability, risk appetite and crisis decision-making.
Day 3: Align policy and assignments
Adopt or update the appropriate Clarysec policy. Use the SME policy for a lightweight operating model, or the enterprise policy for stronger governance and evidence ownership. Confirm that the policy includes onboarding, annual refreshers, role-based modules, evidence retention, contractor coverage and change-triggered training.
Publish the policy, collect acknowledgements and link training modules to job families in the HRIS or LMS.
Day 4: Deliver targeted training
Do not train everyone on everything. Train everyone on baseline controls, then assign role-specific modules.
The baseline module should cover phishing and social engineering, password hygiene and MFA, acceptable use, secure handling of information, incident reporting channels, lost device reporting and data protection basics.
Role-specific modules should cover secure SDLC for developers, privileged access and backup restoration for IT, employee data for HR, payment fraud for finance, incident classification for responders, and NIS2 and DORA governance for executives.
Day 5: Export and validate evidence
Create the six-folder evidence pack. Export completion reports, quiz scores, course version numbers, policy acknowledgements and training schedules. Identify non-completions and open corrective actions.
Then test understanding through interviews. Ask employees from different departments:
- What security training did you complete?
- How do you report a suspicious email?
- What would you do if you lost a laptop?
- Where can you find the information security policy?
- What personal data do you handle in your role?
Record the results as an internal audit sample. Auditors frequently use interviews to verify whether awareness has been absorbed, not just delivered.
Day 6: Link training to incident response
Use incident reporting training as a bridge to ISO/IEC 27002:2022 control 6.8, NIS2 Article 23 and DORA Articles 17 to 19.
NIS2 Article 23 requires staged reporting for significant incidents, including early warning within 24 hours of awareness, notification within 72 hours and a final report within one month. DORA requires major ICT-related incidents to be classified, escalated, communicated and reported through the required reporting lifecycle.
Employees do not need to memorize legal timelines, but they must report suspected incidents quickly enough for the organization to meet them.
In Zenith Blueprint, Controls in Action, Step 16: People Controls II, Clarysec states:
“An effective incident response system begins not with tools, but with people.”
That is not soft guidance. It is operational resilience.
Day 7: Prepare the audit narrative
The final audit narrative should be short and evidence-backed:
“We identified training needs based on ISMS roles, legal and contractual obligations, risk assessment results and system access. We assigned baseline and role-based modules through the LMS. We retained completion records, quiz scores, content versions and acknowledgements. We tested effectiveness through phishing simulations, interviews and incident reporting metrics. Non-completion is tracked as corrective action. Management reviews the program annually and after significant changes.”
Supported by evidence, that narrative can withstand ISO/IEC 27001:2022 audit questioning, NIS2 governance scrutiny, DORA customer due diligence, GDPR accountability review and NIST-style control assessment.
Cross-compliance mapping for security awareness training
Security awareness is often misclassified as an HR task. In practice, it is a cross-compliance control that touches governance, risk management, privacy, incident response, supplier assurance and resilience.
| Framework or regulation | Training relevance | Clarysec implementation point |
|---|---|---|
| ISO/IEC 27001:2022 | Competence, awareness, leadership, role assignment, documented information, monitoring, internal audit and improvement | Zenith Blueprint Step 5 and Step 15, policy clauses on onboarding, annual refreshers, role-based training and evidence |
| ISO/IEC 27002:2022 | Control 6.3 awareness, education and training, linked to 5.2 roles, 6.8 event reporting and 5.36 compliance monitoring | Zenith Controls maps attributes, related controls, audit expectations and cross-framework alignment |
| NIS2 | Management training, employee cybersecurity training, cyber hygiene, incident readiness and governance accountability | Board module, employee baseline, incident reporting module, management approval evidence |
| DORA | ICT governance, management oversight, learning and evolving, incident escalation, resilience testing and third-party expectations | Executive training, ICT role modules, incident responder training, supplier-facing evidence pack |
| GDPR | Accountability, secure processing, privacy role awareness, breach recognition and personal data handling | Privacy training for HR, support, sales, engineering and incident teams |
| NIST CSF 2.0 | GOVERN function, roles, policies, legal obligations, oversight, profiles and improvement planning | Current and target training profile, gap register and prioritized action plan |
| NIST SP 800-53 Rev.5 | Awareness training, role-based training and training records | Mapping to AT-2, AT-3 and AT-4 through Zenith Controls |
| COBIT 2019-informed assurance | Governance objectives, accountability, capability, performance metrics and management reporting | Training KPIs, role ownership, management review and corrective action closure |
NIST CSF 2.0 is especially useful for organizations that need to explain maturity to non-ISO stakeholders. Its Organizational Profiles method supports current-state and target-state planning. For example, a Current Profile may state that baseline awareness exists but developer secure coding training is incomplete. A Target Profile may require all developers to complete secure coding, vulnerability disclosure and secrets management training by Q3.
How auditors and regulators test training evidence
Different reviewers ask different questions, but they all test the same truth: does the organization know what people must do, and can it prove people are prepared to do it?
An ISO/IEC 27001:2022 auditor will connect training evidence to Clauses 5.3, 7.2, 7.3, 7.5, 9.1, 9.2, 10.1 and 10.2, plus Annex A controls. Expect questions about how competence requirements were determined, how employees know the information security policy, how new hires and contractors are trained, how non-completion is handled, how role-based training links to the risk assessment and Statement of Applicability, and how effectiveness is evaluated.
Zenith Controls notes that auditors using ISO 19011:2018 will review curriculum, schedules, materials, attendance records, completion certificates and trainer competence. It also notes that ISO/IEC 27007:2020 auditors may use interviews to determine whether employees know how to report incidents and recall key training messages.
A NIS2-focused review will look beyond completion rates. It will ask whether the management body approved and oversaw cybersecurity risk-management measures, whether management received training, whether staff cyber hygiene training is regular and whether incident reporting is understood. Article 21 also requires procedures to assess the effectiveness of cybersecurity risk-management measures, so phishing metrics, incident reporting trends and audit findings become control effectiveness evidence.
A DORA review, especially from a financial customer assessing an ICT provider, will focus on operational resilience. Expect questions about personnel supporting critical financial services, training records for teams managing payment systems, management training on ICT third-party risk, incident classification under DORA Article 18 and contractor training for customer environment access.
A GDPR review will focus on accountability. The organization must show that staff handling personal data understand lawful processing, confidentiality, minimization, retention, secure handling and breach escalation. For SaaS, FinTech and managed service providers, training evidence is part of proving privacy requirements are embedded into operational behavior.
Metrics that prove control effectiveness
Completion is necessary, but it is not enough. A stronger 2026 dashboard shows whether training improved behavior.
| Metric | What it shows | Audit interpretation |
|---|---|---|
| Completion by role | Whether assigned populations completed required modules | Basic compliance and coverage |
| New hire completion within target | Whether onboarding controls work | HR and access governance maturity |
| Privileged user training completion | Whether high-risk users are prepared | Risk-based prioritization |
| Phishing simulation click and report rate | Whether behavior is improving | Awareness effectiveness |
| Incident reports from employees | Whether people recognize and report events | Link to incident readiness |
| Time from suspicious email to report | Whether reporting supports regulatory timelines | NIS2 and DORA readiness |
| Repeat non-completion | Whether enforcement and escalation work | Compliance monitoring |
| Training updates after incidents or changes | Whether lessons learned drive improvement | Continual improvement |
These metrics support ISO/IEC 27001:2022 Clause 9.1 for monitoring and measurement, Clause 9.2 for internal audit, Clause 10.1 for continual improvement and Clause 10.2 for nonconformity and corrective action. ISO/IEC 27002:2022 control 5.36 reinforces that compliance with policies, rules and standards must be monitored, evaluated and remediated.
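The Day 5 step above (export completion reports, identify non-completions) and the metrics table are usually done by hand in a spreadsheet. The script below is an added example, not Clarysec tooling or code from this page, showing how the same checks look when run over raw LMS, HRIS and phishing-simulation exports: it applies role-based assignment rules like those in the role-to-risk matrix, flags missing modules and completions on a superseded content version (the versioning finding described later on this page), computes completion by role and for privileged users, checks new hires against an onboarding target, and derives click rate, report rate and time-to-report from a simulation campaign. Every identifier, the 30-day onboarding target, the 180-day new-hire window and all records are constructed assumptions; map the column names onto your own exports.

```python
"""Evidence-pack checks over constructed LMS, HRIS and phishing-simulation exports. Added
example, not Clarysec tooling or page code; identifiers, the 30-day target and all records
are assumptions to be mapped onto your own exports."""
from datetime import date
from statistics import median

# Assumed assignment rules: everyone gets the baseline, role groups add modules. The version
# label is what lets an auditor open the deck that was actually delivered, not today's copy.
CURRENT_VERSION = {"baseline": "2026.1", "secure-coding": "2026.1", "payment-fraud": "2026.1",
                   "privileged-access": "2026.1", "board-governance": "2026.1"}
ROLE_MODULES = {"developer": {"secure-coding"}, "finance": {"payment-fraud"},
                "admin": {"privileged-access"}, "executive": {"board-governance"}}
ONBOARDING_TARGET_DAYS = 30  # assumed policy target for new-hire baseline completion
NEW_HIRE_WINDOW_DAYS = 180   # assumed: only hires this recent feed the onboarding metric
AS_OF = date(2026, 2, 10)    # assumed snapshot date of the export

# Constructed HRIS export (no real people): role group, hire date, privileged flag.
PEOPLE = [
    {"id": "u1", "role": "developer", "hired": date(2024, 1, 15), "privileged": False},
    {"id": "u2", "role": "finance", "hired": date(2025, 12, 1), "privileged": False},
    {"id": "u3", "role": "admin", "hired": date(2023, 3, 1), "privileged": True},
    {"id": "u4", "role": "executive", "hired": date(2022, 1, 1), "privileged": False},
    {"id": "c1", "role": "contractor", "hired": date(2025, 12, 20), "privileged": False},
    {"id": "u5", "role": "support", "hired": date(2024, 9, 9), "privileged": False},
]
# Constructed LMS export: (person id, module, content version completed, completion date).
COMPLETIONS = [
    ("u1", "baseline", "2026.1", date(2026, 1, 10)),
    ("u1", "secure-coding", "2026.1", date(2026, 1, 20)),
    ("u2", "baseline", "2026.1", date(2026, 1, 5)),
    ("u3", "baseline", "2026.1", date(2026, 1, 12)),
    ("u3", "privileged-access", "2026.1", date(2026, 1, 15)),
    ("u4", "baseline", "2026.1", date(2026, 1, 8)),
    ("u5", "baseline", "2025.2", date(2025, 3, 3)),  # completed, but a superseded version
]
# Constructed phishing-simulation export; minutes_to_report is None when the user did not report.
PHISHING = [
    {"id": "u1", "clicked": False, "minutes_to_report": 4},
    {"id": "u2", "clicked": True, "minutes_to_report": 12},  # clicked, then reported
    {"id": "u3", "clicked": False, "minutes_to_report": 2},
    {"id": "u4", "clicked": True, "minutes_to_report": None},
    {"id": "c1", "clicked": False, "minutes_to_report": None},
    {"id": "u5", "clicked": False, "minutes_to_report": 30},
]

def required_modules(person):
    """Modules this person must hold at the current content version."""
    return {"baseline"} | ROLE_MODULES.get(person["role"], set())

def latest_completions(completions):
    """Map (person, module) to (version, date) of the most recent completion."""
    latest = {}
    for pid, module, version, done in completions:
        if (pid, module) not in latest or done > latest[(pid, module)][1]:
            latest[(pid, module)] = (version, done)
    return latest

def coverage_gaps(people, completions):
    """Required modules that are missing or were completed on a superseded version."""
    latest, gaps = latest_completions(completions), []
    for p in people:
        for module in sorted(required_modules(p)):
            rec = latest.get((p["id"], module))
            reason = "missing" if rec is None else (
                "stale-version" if rec[0] != CURRENT_VERSION[module] else None)
            if reason:
                gaps.append((p["id"], module, reason))
    return gaps

def completion_rate(people, completions, select=lambda p: True):
    """Percent of required (person, module) pairs satisfied within the selected population."""
    latest, required, satisfied = latest_completions(completions), 0, 0
    for p in filter(select, people):
        for module in required_modules(p):
            rec = latest.get((p["id"], module))
            required += 1
            satisfied += bool(rec and rec[0] == CURRENT_VERSION[module])
    return round(100.0 * satisfied / required, 1) if required else None

def completion_by_role(people, completions):
    """Completion percentage per role group: the first row of the metrics dashboard."""
    return {r: completion_rate(people, completions, lambda p, r=r: p["role"] == r)
            for r in sorted({p["role"] for p in people})}

def new_hires_past_target(people, completions, as_of=AS_OF):
    """New hires who did not (or have not yet) completed the baseline within the target."""
    latest, late = latest_completions(completions), []
    for p in people:
        since_hire = (as_of - p["hired"]).days
        if since_hire > NEW_HIRE_WINDOW_DAYS:
            continue  # established staff are measured by the annual refresher instead
        rec = latest.get((p["id"], "baseline"))
        elapsed = (rec[1] - p["hired"]).days if rec else since_hire
        if elapsed > ONBOARDING_TARGET_DAYS:
            late.append(p["id"])
    return sorted(late)

def phishing_metrics(events):
    """Click rate, report rate and median minutes-to-report from one simulation campaign."""
    reported = [e["minutes_to_report"] for e in events if e["minutes_to_report"] is not None]
    return {"click_rate": round(100.0 * sum(e["clicked"] for e in events) / len(events), 1),
            "report_rate": round(100.0 * len(reported) / len(events), 1),
            "median_minutes_to_report": median(reported) if reported else None}
```

On the constructed data, coverage_gaps returns four findings that map directly onto the common audit findings: a finance user without the payment fraud module, an executive without the governance module, a contractor with no baseline at all, and a support user whose only baseline completion is on version 2025.2 rather than the current 2026.1. Each of those becomes a line in the corrective action tracker (folder 06), and the by-role percentages, the privileged-user rate, the list of new hires past the 30-day target and the phishing figures populate the dashboard rows above. The design choice worth keeping is that a completion only counts when its content version matches the version currently required, which is what lets you answer "what did employees complete in March" without relying on whatever deck is on the file share today.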
Common findings Clarysec sees in audits
The same weaknesses appear repeatedly.
Organizations train employees but forget executives. Under NIS2 and DORA, management training is part of governance, not a maturity bonus.
Organizations deliver annual training but ignore role changes. A support engineer moving into DevOps needs privileged access, logging, backup and incident escalation training.
Organizations include employees but forget contractors. Zenith Blueprint Step 15 advises extending training to contractors or third parties who have access to systems or data.
Organizations teach incident reporting but create fear. If staff believe they will be punished for clicking a phishing link, they may stay silent. Zenith Blueprint Step 16 emphasizes simple reporting channels, awareness-backed reporting and a blame-free culture.
Organizations cannot prove content versioning. If an auditor asks what employees completed in March, the current deck on SharePoint is not enough. Retain the version delivered.
Organizations fail to connect training to risk treatment. If ransomware, payment fraud, cloud misconfiguration or data leakage is a top risk, the training plan should show targeted treatment for the relevant roles.
Where Clarysec fits
Clarysec helps organizations build one defensible program instead of five disconnected compliance tracks.
The Information Security Awareness and Training Policy - SME gives smaller organizations a practical baseline: role-based expectations, documented records, annual updates, change-triggered training and retention for at least three years.
The enterprise Information Security Awareness and Training Policy gives larger organizations stronger governance: structured risk-informed awareness, onboarding, annual refreshers, role-based modules, CISO ownership of records and readiness for regulatory inspections under GDPR, DORA and NIS2.
Zenith Blueprint tells implementation teams what to do in sequence. Step 5 builds competence and awareness into the ISMS foundation. Step 15 operationalizes ISO/IEC 27002:2022 control 6.3 with annual training, role-specific modules, onboarding, phishing simulations, participation evidence, targeted bulletins, contractor training and behavioral reinforcement. Step 16 connects awareness to personnel-driven incident reporting.
Zenith Controls gives compliance teams the crosswalk. It connects ISO/IEC 27002:2022 control 6.3 to roles, event reporting, compliance monitoring, ISO/IEC 27005:2024 human factor risks, GDPR training expectations, NIS2 Article 21, DORA ICT training, NIST awareness controls and audit methodologies. It also connects control 5.2 to governance responsibilities and control 5.36 to compliance monitoring and corrective action.
Together, these resources let a CISO explain not only what training happened, but why it happened, who required it, what risk it treated, how it was evidenced and how it improves.
Make security training evidence audit-ready now
If your current evidence is a spreadsheet, a slide deck and a hope that employees remember the reporting email, now is the time to mature it.
Start with four actions this week:
- Create a role-based training matrix linked to ISMS responsibilities, system access and regulatory obligations.
- Adopt or update your Clarysec awareness policy using Information Security Awareness and Training Policy - SME or Information Security Awareness and Training Policy.
- Build the six-folder evidence pack for governance, role mapping, content, completion, effectiveness and improvement.
- Use Zenith Blueprint and Zenith Controls to map training evidence to ISO/IEC 27001:2022, NIS2, DORA, GDPR and NIST audit expectations.
Security awareness is valuable when it changes behavior. Compliance evidence is valuable when it proves that behavior consistently.
Clarysec helps you build both.
About the Author

Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).
Core Credentials & Qualifications:
- MSc in Cyber Security from Royal Holloway, University of London
- PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer
- Certified Information Systems Auditor (CISA) from ISACA
- Certified Information Security Manager (CISM) from ISACA
- Certified Ethical Hacker from EC-Council


