- ISO 27001 and NIS2 require demonstrable training — without documentation, a training session is considered not conducted in an audit.
- Every training record must contain at minimum: participant, date, topic, trainer/source, and result.
- Three types of evidence form the basis: attendance confirmations, quiz/test results, and policy attestations.
- Training must be repeated at least annually, and deadline monitoring must be automated and escalatable.
- Policy acknowledgment is a separate documentation process that must not be confused with the awareness training.
Why training records are decisive in an audit
There is a simple rule in the world of information security audits: what is not documented did not happen. You may have conducted the best awareness training in the industry — with a brilliant trainer, enthusiastic employees, and genuine learning outcomes. If you cannot present evidence to the auditor, none of it counts.
ISO 27001 formulates the requirement in Chapter 7.2 (Competence) and Annex A.6.3 (Awareness, Education, and Training). Employees performing activities that influence information security performance must be competent, and the organization must retain appropriate documented information as evidence of competence. NIS2 supplements this requirement with an explicit obligation for cyber hygiene training and management training.
Auditors review training records regularly and systematically. They do not just ask "Do you conduct training?" but rather "Show me the evidence for the last training. Who participated? Who did not? What was the content? How was understanding tested?" If you do not have a structured answer to these questions, it becomes a finding in the audit report.
Training documentation is therefore not a bureaucratic obligation. It is the proof that your ISMS is alive — that the measures you have defined are actually implemented and that your employees have the necessary knowledge to work securely.
What must be documented in every training record
Regardless of the training format — whether in-person workshop, e-learning, or phishing simulation — there is a set of mandatory information that must be included in every record. These constitute the minimum an auditor expects.
The six mandatory fields
1. Participant (name and department)
Who was trained? Not as an anonymous group, but by name. For in-person training, this is classically via an attendance list; for e-learning, through the platform's login data. The assignment to a department or role is important because certain training sessions are target-group-specific, and you must demonstrate that the right target group was trained.
2. Date and timeframe
When did the training take place? For in-person training, the specific date with time; for e-learning modules, the period during which the module was completed (start and end time). The date is essential for deadline monitoring: if the training must be repeated annually, the deadline begins on the date of the last completion.
3. Topic and content
What was trained? A broad topic label like "IT security" is not sufficient. The record must show which specific content was covered — either through a description of the training content, a reference to a defined curriculum, or by attaching the training materials.
Example of an appropriate description: "Security Awareness foundational training: phishing detection, password security and password managers, social engineering via phone and in person, clean desk rules, reporting procedures for suspected incidents."
4. Trainer or training source
Who conducted the training? For in-person training, the trainer's name (internal or external); for e-learning modules, the platform and the specific module. For external trainers, it is advisable to document their qualifications so it is traceable that the training was conducted by a competent person.
5. Result or completion
Did the participant successfully complete the training? For training with a knowledge test: the test result and whether the minimum score was achieved. For training without a test: confirmation of participation (fully completed vs. abandoned). For phishing simulations: whether the link was clicked or not.
6. Signature or digital confirmation
For in-person training: the participant's signature on the attendance list. For e-learning: the automatically generated completion certificate from the platform. For policy attestations: the digital confirmation (checkbox, electronic signature). The confirmation documents that the participant was actually present or actively completed the module.
Optional but recommended information
Beyond the mandatory fields, there is information that enhances the documentation:
- Training material: Attachment or reference to the materials used (slides, handouts, e-learning module ID)
- Participant feedback: Anonymous evaluation of the training (helps with continuous improvement)
- Link to measures: Which ISMS measure or risk does the training address? This facilitates mapping in the audit
- Validity period: Until when is the record valid before a repeat is required?
The three types of training evidence
Not every record looks the same. Depending on the training format and objective, different types of evidence are used. Most ISMS programs work with a combination of all three.
Attendance confirmation
The simplest and most common form of evidence. It confirms that an employee participated in a training session. For in-person training, this is the signed attendance list; for e-learning, the automatically generated completion certificate.
An attendance confirmation documents presence but not understanding. The employee was there — whether they learned anything cannot be determined from it. Therefore, an attendance confirmation alone is not sufficient for a mature ISMS. It should be supplemented by a knowledge test or an attestation.
Typical format of an attendance confirmation for in-person training:
| Field | Content |
|---|---|
| Training title | Security Awareness Foundational Training 2026 |
| Date | March 14, 2026, 9:00–10:30 AM |
| Location | Conference Room 2, Headquarters |
| Trainer | Max Mustermann, ISO |
| Content | Phishing, passwords, social engineering, clean desk, reporting procedures |
| Participants | Name, department, signature (tabular) |
Quiz and test results
Knowledge tests at the end of a training document not only participation but also understanding of the content delivered. They are the strongest evidence you can present to an auditor because they show that the employee not only heard the content but also understood it.
Define a minimum score required for passing. 70 to 80% correct answers is a common threshold. Employees who fall below the minimum score must repeat the training or attend remedial training.
Document for quiz results:
- Participant name and test date
- Test designation and link to the training
- Overall result (e.g., 18 of 20 questions correct, 90%)
- Pass/fail based on the defined minimum score
- Detailed results per question (optional, but helpful for analyzing knowledge gaps)
For e-learning platforms, quiz results are typically documented and stored automatically. For in-person training with written tests, you must manually capture and file the results.
A note on retention: quiz results contain personal performance data. Clarify with your data protection officer how long this data may be retained and whether the works council needs to be involved.
Policy attestation
The third type of evidence differs from the other two because it does not refer to training in the classical sense but to the acknowledgment and acceptance of policies. More on this in the dedicated section below.
Deadline monitoring: when training must be repeated
Trained once does not mean trained forever. ISO 27001 requires that competencies be maintained, implying regular repetition. NIS2 also demands ongoing training measures, not just one-time actions.
Typical repetition intervals
| Training type | Interval | Rationale |
|---|---|---|
| Security awareness foundational training | Annually | Audit minimum requirement, incorporate current threats |
| Phishing simulation | Quarterly | Behavior change requires repetition |
| Policy attestation | With every policy change, at least annually | Ensure awareness of current rules |
| Management training (NIS2) | Annually | NIS2 obligation, liability relevance |
| Specialized training (IT admins, developers) | Annually to semi-annually | Rapidly changing threat landscape |
| Onboarding training | Once upon joining | Before access to production systems |
| Data protection training | Annually | GDPR requirement |
Deadline monitoring in practice
The biggest challenge is not setting deadlines but actually monitoring them. In a company with 100 employees, each having three to five different training requirements, a matrix of hundreds of due dates quickly emerges. Managing this manually — say, via an Excel spreadsheet — works up to a certain size but becomes error-prone and labor-intensive.
A dedicated tool like ISMS Lite (500 euros per year, without user limits) takes this administrative burden off your hands and automatically escalates overdue training. Automated deadline monitoring should offer the following features:
- Due date calculation: Automatic calculation of the next due date based on the date of the last training and the defined repetition interval
- Advance reminder: Notification to the employee (and optionally to the supervisor) 30 days before the due date
- Overdue warning: Escalation when the deadline has passed without the training being completed
- Dashboard overview: Overall view of the training status of all employees, filterable by department, training type, and status
Handling special cases
Not every employee fits into the standard scheme. There are special cases that must be addressed in deadline monitoring:
Extended absence (parental leave, illness): Employees who are absent for an extended period cannot complete training on schedule. Define how returning employees are handled: must they complete the missed training within 30 days of return?
Part-time and temporary staff: Part-time employees must also be trained. The training obligation applies regardless of employment scope. For temporary staff with very short employment periods, a simplified short training may be sensible.
External employees and service providers: If external employees access your systems, they must also be trained or at least informed about the applicable security rules. Document these records as well.
Escalation for non-participation
What happens when an employee does not complete their mandatory training? Without a defined escalation process, typically nothing happens — the deadline passes, nobody reacts, and in the next audit, a finding appears in the report.
An effective escalation process has multiple levels:
Level 1: Reminder (deadline reached)
The employee receives an automatic reminder that the training is due. Simultaneously, the direct supervisor is informed. The reminder contains a link to the training (for e-learning) or reference to the next training date (for in-person sessions).
Level 2: Warning (2 weeks overdue)
If the training has not been completed two weeks after the due date, a warning is sent to the employee with a copy to the supervisor. The warning points to the obligation to participate and sets an additional two-week deadline.
Level 3: Escalation to management (4 weeks overdue)
If the additional deadline has also passed, the case is escalated to the next higher management level or the ISO. At this point, it must be clarified whether there are organizational reasons for non-participation (lack of release time, technical problems) or whether it is a deliberate refusal.
Level 4: Consequences (6+ weeks overdue)
For continued non-participation without valid reason, labor law measures must be considered. This may be a formal admonishment, or in repeat cases, a written warning. At the same time, it must be evaluated whether the employee should continue to have access to systems for which the training is a prerequisite.
Document every escalation level. The auditor wants to see not only that you conduct training but also that you have a process for dealing with non-participation.
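The due-date calculation, advance-reminder window and four escalation levels described above can be computed from the records themselves. The following is an added example (not code from the article or from any tool it mentions) that assumes a 30-day grace period for employees returning from extended absence and uses constructed sample records:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Repetition intervals from the article's table (quarterly taken as 91 days).
INTERVALS = {
    "awareness": timedelta(days=365),
    "phishing": timedelta(days=91),
    "nis2_management": timedelta(days=365),
}
REMINDER_LEAD = timedelta(days=30)   # advance reminder 30 days before the due date
RETURN_GRACE = timedelta(days=30)    # assumption: 30 days to catch up after an absence
# Escalation levels by time overdue: level 1 at the deadline, then 2, 4 and 6 weeks.
ESCALATION = [(timedelta(weeks=6), 4), (timedelta(weeks=4), 3),
              (timedelta(weeks=2), 2), (timedelta(0), 1)]
ESCALATION_ACTION = {
    0: "none",
    1: "reminder to employee, supervisor informed",
    2: "warning to employee, copy to supervisor",
    3: "escalate to next management level / ISO",
    4: "consider labor-law measures and review system access",
}

@dataclass
class TrainingRecord:
    employee: str
    department: str
    topic: str
    last_completed: date
    returned_on: Optional[date] = None   # return from extended absence, if any

def next_due(rec: TrainingRecord) -> date:
    """Last completion plus interval; a returning employee gets the grace period."""
    due = rec.last_completed + INTERVALS[rec.topic]
    if rec.returned_on is not None:
        due = max(due, rec.returned_on + RETURN_GRACE)
    return due

def escalation_level(overdue: timedelta) -> int:
    for threshold, level in ESCALATION:
        if overdue >= threshold:
            return level
    return 0

def status(rec: TrainingRecord, today: date) -> str:
    due = next_due(rec)
    if today < due - REMINDER_LEAD:
        return "current"
    if today < due:
        return "reminder"
    return f"overdue-level{escalation_level(today - due)}"

def coverage_by_department(records, today: date) -> dict:
    """Share of records per department that are not overdue (dashboard view)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        totals[rec.department][1] += 1
        if not status(rec, today).startswith("overdue"):
            totals[rec.department][0] += 1
    return {dept: ok / n for dept, (ok, n) in totals.items()}

TODAY = date(2026, 6, 1)
RECORDS = [  # constructed sample data
    TrainingRecord("Alice", "Finance", "awareness", date(2025, 8, 1)),
    TrainingRecord("Bob", "Finance", "awareness", date(2025, 6, 20)),
    TrainingRecord("Carol", "IT", "phishing", date(2026, 2, 10)),
    TrainingRecord("Dan", "IT", "awareness", date(2025, 4, 1)),
    TrainingRecord("Erin", "HR", "awareness", date(2025, 3, 1), returned_on=date(2026, 5, 15)),
]

if __name__ == "__main__":
    for rec in RECORDS:
        s = status(rec, TODAY)
        level = int(s[-1]) if s.startswith("overdue") else 0
        print(f"{rec.employee:6} {rec.topic:16} due {next_due(rec)}  {s:16} -> {ESCALATION_ACTION[level]}")
    print(coverage_by_department(RECORDS, TODAY))
```

Erin's regular due date (March 1) is pushed to June 14 by the return-from-absence grace period, so she lands in the reminder window instead of level 4.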
Escalation as a process, not arbitrariness
It is important that the escalation process is defined in advance, communicated, and applied uniformly. If one employee is escalated and another is not, it creates an impression of arbitrariness. The process must be transparent and apply to everyone — from the apprentice to the department head. Involve the works council in defining the escalation process, especially when labor law consequences are envisioned.
Policy acknowledgment as a separate process
Policy attestation is often conflated with awareness training but is a separate process with its own logic and evidence requirements.
What is a policy attestation?
In a policy attestation, the employee confirms that they have read and understood a specific policy and commit to complying with it. This typically concerns:
- Information security policy
- Password policy
- Policy for mobile devices and remote work
- Acceptable use policy for IT resources
- Data protection policy
- Confidentiality agreement
Difference from training
Training conveys knowledge and trains behavior. A policy attestation ensures that the employee knows the applicable rules and assures compliance. Both are necessary, but they are different things.
You can integrate a policy attestation into the awareness training (at the end of the training, the relevant policies are presented and attested), but the evidence must be maintained separately. The auditor wants to see which employees attested to which policies — independently of whether they participated in the last training.
Triggers for re-attestation
A policy attestation is not only repeated annually but also triggered on specific occasions:
- Policy was updated: When the content of a policy changes, all affected employees must attest the new version. It is not sufficient to only communicate the changes — the employee must confirm the entire updated policy.
- New employee: All relevant policies are attested during onboarding.
- Role change: When an employee moves to a new role requiring additional or different policies (e.g., transfer to IT administration), the corresponding policies must be attested.
Documenting the attestation
Every attestation must contain the following information:
| Field | Content |
|---|---|
| Policy | Name and version number |
| Employee | Name, department, role |
| Date of attestation | When the confirmation was given |
| Type of confirmation | Signature, digital checkbox, e-signature |
| Valid until | Due date for next attestation |
Retain both the attested version of the policy and the attestation itself. When a policy changes and an employee has still attested to the old version, it must be traceable which version they confirmed.
Digital vs. paper-based documentation
The question of whether training records are maintained digitally or on paper is not philosophical but practical. Both approaches are acceptable from an audit perspective, as long as the records are complete, findable, and intact. In practice, however, there are clear differences in effort and reliability.
Paper-based documentation
Paper records work. Signed attendance lists, printed quiz results, handwritten policy confirmations. For a small company with 20 employees and two training sessions per year, this can be sufficient.
The disadvantages become apparent with growing size:
- Search and access: Searching through folders for a specific employee's training record takes time. In an audit, when the reviewer says "show me the record for employee X," this can become embarrassingly slow.
- Deadline monitoring: Paper cannot support automatic deadline monitoring. You need a separate spreadsheet or calendar entries.
- Analysis: Aggregated analyses (what is the training coverage, which department is behind) are labor-intensive to impossible.
- Security: Paper can be lost, damaged, or fall into the wrong hands. Without backup, the records are irrecoverably gone.
- Distributed locations: When employees work at different locations, centralized filing of paper records becomes logistically challenging.
Digital documentation
Digital training records solve most problems of paper documentation but bring their own requirements:
- Integrity: Records must be protected against manipulation. Digital confirmations should not be retroactively alterable (audit trail, timestamps).
- Availability: Records must be accessible at all times, even after a system change. Proprietary formats readable only with a specific tool are a risk.
- Data protection: Digital training records contain personal data (name, test results, department). Access rights must be configured so that only authorized persons (ISO, HR, direct supervisor) have access.
- Backup: Like all digital data, training records must be regularly backed up.
Which approach fits?
For most organizations with 30 to 50 or more employees, digital documentation is clearly the better path. The time savings in searching, analysis, and deadline monitoring justify the effort of setting up a digital system. For very small organizations, a clean paper-based process can be sufficient as long as it is consistently maintained.
A hybrid variant commonly found in practice: in-person training is documented with paper attendance lists that are subsequently scanned and digitally archived. E-learning records are automatically generated digitally. Policy attestations are handled through a digital tool. This works but requires discipline in consolidating the various sources.
What the auditor really wants to see
After many sections about mandatory fields, types of evidence, and deadlines, it is worth looking at the audit reality. What does the auditor actually ask, and how do you prepare?
Typical audit questions about training records
"Show me your training plan." The auditor wants to see that training is planned and not conducted ad hoc. An annual plan with defined training topics, target groups, formats, and dates answers this question.
"Which training sessions were conducted in the past year?" Here you need an overview of all conducted training with date, topic, and number of participants. Ideally at a glance, not after ten minutes of searching through various folders.
"Show me the records for employee X." The auditor randomly selects employees and wants to see their training records. You must be able to quickly find the relevant records: when was the last awareness training completed? Which policies has the employee attested? What was the quiz result?
"How do you handle employees who do not participate in training?" This is about the escalation process. The auditor wants to see that there is a defined approach to non-participation and that it is actually applied.
"Has executive management participated in training?" Specifically relevant under NIS2. Executive management must have demonstrably participated in cybersecurity training. Keep the evidence for executive management separate and readily accessible.
"How do you ensure new employees are trained?" The auditor wants to see the onboarding process and evidence that it is actually followed. Pull records for the last three to five new hires as proof.
The golden rule for the audit
Prepare a training file per employee — physical or digital — containing all records: attendance confirmations, quiz results, policy attestations, onboarding record. If you can show the auditor the complete training history of any employee within two minutes, you have passed this checkpoint.
Retention periods and archiving
Training records must be retained for a defined period. The exact duration depends on various factors:
Regulatory requirements: ISO 27001 does not define a specific retention period but requires documented information to be retained as long as it is relevant. In practice, this means: at least through the entire certification cycle (three years) plus a buffer.
Labor law requirements: When training records serve as the basis for labor law measures (escalation for non-participation), labor law retention periods apply.
Data protection limitations: Training records contain personal data and may not be retained indefinitely. After an employee's departure, records should be deleted after a defined period (typically two to three years), unless another legal basis requires further retention.
Recommendation: Retain training records for at least five years, at most until three years after the employee's departure. Define the periods in a retention policy and implement them consistently.
Building a training record structure
To close, a concrete suggestion for how to structure training documentation in your ISMS. This structure can be implemented both digitally and (with limitations) on paper.
Level 1: Training plan
One document providing the annual overview:
| Training | Target group | Format | Frequency | Responsible | Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|---|---|---|---|---|
| Awareness foundational training | All employees | E-learning + workshop | Annually | ISO | X | | | |
| Phishing simulation | All employees | Simulation | Quarterly | ISO | X | X | X | X |
| NIS2 management training | Executive management | Workshop | Annually | ISO | X | | | |
| IT admin deep dive | IT department | Workshop | Semi-annually | IT management | X | X | | |
| Data protection training | All employees | E-learning | Annually | DPO | X | | | |
Level 2: Training records per session
For each conducted training, an evidence document with the six mandatory fields (participant, date, topic, trainer, result, confirmation).
Level 3: Employee training file
Per employee, an overview of all completed training, attestations, and open due dates. This is the file you must be able to present within two minutes in an audit.
Level 4: Reporting and KPIs
Aggregated analyses of training status: training coverage by department, overdue training, quiz score trends, phishing click rates. This level feeds into the management review.
Training records are not an end in themselves
Documenting training can feel like bureaucratic overhead. Filling out forms, maintaining lists, monitoring deadlines. But these records serve a dual purpose: they prove to the auditor that your ISMS works, and they give you the transparency you need to manage your training program.
Without records, you do not know whether all employees are trained. You do not know which department has deficits. You do not know whether the quiz results of the last training were better or worse than the previous one. You are flying blind.
With clean records, on the other hand, you have the foundation to continuously improve your program: where are the knowledge gaps? Which formats are well received? Which target groups need more attention? This makes the difference between a training program that fulfills compliance and one that actually works.
Further reading
- Building a Security Awareness Program: What Employees Really Need to Know
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- Conducting an Internal ISMS Audit: Planning, Checklist, and Report
- Policy Lifecycle: From Creation to Withdrawal
- The Most Important ISMS Roles: ISB, CISO, Risk Owner – Who Does What?
Start with the basics: create a training plan, define mandatory fields for every record, set deadlines, establish an escalation process. Build the rest iteratively — quarter by quarter, training by training. Perfect documentation does not exist on day one. But a consistent, traceable process that runs from the beginning is worth more in an audit than a theoretically perfect system with gaps in practice.
