IS Awareness and Training is a structured organizational program that systematically builds security-conscious behaviors across the workforce by designing, delivering, measuring, and continuously improving security knowledge and skills. It encompasses the full lifecycle: needs analysis, audience segmentation, curriculum design, multi-modal delivery (e-learning, simulations, instructor-led sessions, microlearning), behavioral measurement, and feedback-driven improvement. As a CISM competency, it is the mechanism by which security policy intent is translated into consistent human behavior. It is NOT a single annual compliance checkbox, a generic online module deployed to all staff, or a purely technical control—it is a people-centric risk reduction program governed by strategy, measured by behavioral outcomes, and sustained through continuous improvement.
Where it stops · what it isn't
- IS Awareness and Training IS the design, implementation, and governance of human-behavior-focused security programs—it does not include technical security controls such as firewalls, DLP, or endpoint protection.
- IS NOT the same as IT security policy documentation or IS program development; it specifically operationalizes those policies through human behavior change.
- IS NOT limited to annual compliance training; modern programs are continuous, role-differentiated, and measured by behavioral metrics—not just completion rates.
- IS NOT solely an HR or L&D function; it requires security leadership ownership, threat-informed content, and integration with incident response and risk management processes.
- Covers the internal workforce AND extends to third-party/vendor workforce awareness requirements—but does not include technical vendor management controls.
- Effectiveness is measured by behavioral change (phishing click rates, reporting rates, policy adherence)—NOT by training hours logged or quiz pass rates alone.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Information Security Program Management
- REQUIRES: IS Risk Assessment and Risk Treatment; Information Security Governance and Strategy
- RELATED TO: IS Standards, Frameworks, and Compliance; IS Program Development and Resources; IS Program Communications and Reporting
- ENABLES: Incident Response Effectiveness; Regulatory Compliance and Audit Defense
- CONSTRAINS: Human-Element Breach Probability