If your awareness program never changes, employees stop paying attention and stop following security rules. A real example: a manufacturing unit in Maharashtra trained staff once on phishing, but never updated the training. Six months later, employees fell for a vendor payment scam because the attack method had evolved—the company lost ₹8 lakhs before catching it. Without feedback loops, you keep teaching old lessons while attackers use new tricks. Your compliance auditors will also note that static programs fail to meet DPDP Act requirements for continuous security improvement.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You have no record of any awareness program. Staff have never received formal security training and there is no process to collect feedback or learn from incidents. |
| Initial | You run occasional security awareness sessions (maybe once or twice a year), but you do not collect feedback from staff and you do not review or change the training based on what actually happened in security incidents. |
| Developing | You conduct regular awareness training and you ask staff for feedback through simple surveys or comments, but you only sometimes update the training content based on this feedback and do not systematically track incident-related improvements. |
| Defined | You run quarterly or bi-annual awareness sessions and you have a documented process to gather feedback through surveys and incident reviews. You update your training content at least once per year based on feedback and lessons from security incidents in your organization. |
| Managed | You conduct frequent awareness activities (monthly or more), maintain detailed records of feedback and incident analysis, update training content within 30 days of a lesson learned, and measure improvement through metrics like phishing click rates or compliance scores. |
| Optimised | You have a continuous improvement cycle where awareness is updated based on real-time feedback, incident post-mortems, threat intelligence, and measurable outcomes. Your program is formally reviewed every quarter, staff engagement is tracked, and training is personalized based on department-level risk and role-specific threats. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document one basic awareness program (e.g., a 30-minute session on passwords and phishing). Hold it with all staff and collect simple feedback using a one-page form asking 'Did you find this useful? What would you change?' | IT person or designated owner | 3-5 days |
| 1 → 2 | Create a simple incident log template. After each security incident (phishing attempt, password misuse, unauthorized access), document what happened and what awareness gap it revealed. Use this to plan two awareness sessions per year instead of one. | IT person with manager input | 1-2 weeks |
| 2 → 3 | Formalize a feedback collection process: create a simple survey form (Google Form or paper), conduct it after every awareness session, and hold a monthly 30-minute team meeting to review feedback and incident learnings. Document what training changes will be made. | IT person and department heads | 2-4 weeks |
| 3 → 4 | Build a tracking system (spreadsheet or free tool) to measure program effectiveness: track phishing simulation results, password strength scores, incident frequency by type, and staff quiz scores. Update training within 30 days of any incident or feedback pattern. Conduct a formal quarterly review meeting. | IT person as owner, with HR and operations heads | 4-6 weeks |
| 4 → 5 | Integrate awareness into continuous operations: automate feedback collection via dashboard, link awareness directly to threat intelligence (adjust training when new threats emerge), conduct personalized training by role, and implement a peer-review process where staff suggest improvements. Review metrics monthly. | IT person (or security lead if role exists), with cross-functional team | Ongoing (2-3 hours per week) |
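The tracking system in the 3 → 4 step can start as a few dozen lines of script over your incident log and phishing simulation results. This added example (not part of the original page or of any tool it names) computes the click-rate trend across campaigns, counts incidents by type, and flags any incident whose training update missed the 30-day window; the campaign and incident rows are constructed sample data.

```python
from datetime import date

# Constructed sample data: one row per phishing simulation campaign
# and one row per logged incident (the incident log from step 1 -> 2).
CAMPAIGNS = [
    {"date": date(2024, 1, 15), "sent": 120, "clicked": 27, "reported": 10},
    {"date": date(2024, 4, 15), "sent": 118, "clicked": 14, "reported": 31},
    {"date": date(2024, 7, 15), "sent": 125, "clicked": 9, "reported": 48},
]
INCIDENTS = [
    {"id": "INC-01", "type": "phishing", "occurred": date(2024, 5, 2),
     "gap": "vendor payment fraud not covered", "training_updated": date(2024, 5, 20)},
    {"id": "INC-02", "type": "password misuse", "occurred": date(2024, 6, 10),
     "gap": "shared credentials", "training_updated": None},
    {"id": "INC-03", "type": "unauthorized access", "occurred": date(2024, 7, 1),
     "gap": "badge tailgating", "training_updated": date(2024, 8, 15)},
]
REVIEW_DATE = date(2024, 9, 1)  # date of the quarterly review meeting

def click_rate(campaign):
    """Fraction of recipients who clicked the simulated phishing link."""
    return round(campaign["clicked"] / campaign["sent"], 3)

def report_rate(campaign):
    """Fraction who reported the simulated phish; rising is the goal."""
    return round(campaign["reported"] / campaign["sent"], 3)

def trend(campaigns):
    """Click rate per campaign in date order; a falling series shows retention."""
    return [click_rate(c) for c in sorted(campaigns, key=lambda c: c["date"])]

def incidents_by_type(incidents):
    """Incident frequency by type, for spotting which topic needs a refresh."""
    counts = {}
    for inc in incidents:
        counts[inc["type"]] = counts.get(inc["type"], 0) + 1
    return counts

def overdue_updates(incidents, today, sla_days=30):
    """Incidents whose training update took longer than sla_days or is still missing.
    Returns (incident id, days elapsed, still_open) tuples."""
    overdue = []
    for inc in incidents:
        done = inc["training_updated"]
        days = ((done or today) - inc["occurred"]).days
        if days > sla_days:
            overdue.append((inc["id"], days, done is None))
    return overdue

if __name__ == "__main__":
    print("click-rate trend:", trend(CAMPAIGNS))
    print("incidents by type:", incidents_by_type(INCIDENTS))
    for item in overdue_updates(INCIDENTS, REVIEW_DATE):
        print("overdue training update:", item)
```

Paste the two lists from your spreadsheet exports and run it before each quarterly review; the overdue list is the evidence item auditors ask for when they check the 30-day rule.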
Documents and records that prove your maturity level.
- A log or record of security incidents in your organization, with documented root causes and any training gaps identified
- Feedback forms, survey results, or notes from at least two awareness sessions showing staff comments and suggestions
- A document or spreadsheet showing how you changed or updated your awareness training based on feedback or incidents (e.g., 'We added phishing simulation training after the May incident where 3 staff clicked a malicious link')
- Dated meeting notes or email showing discussion of awareness program effectiveness and decisions to improve it (at least annually)
- Records of awareness activities over the past 12 months (training dates, topics, number of attendees, and any metrics like quiz scores or phishing simulation results)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your awareness program plan for this year? How did you decide what topics to cover?"
- "Tell me about a security incident in the past 12 months. What awareness gap did it reveal and what did you change in your training?"
- "How do you collect feedback on whether your awareness training is actually working? Can I see the results?"
- "How often do you review and update your awareness program? Show me evidence of at least one update based on feedback or incident learning."
- "What metrics do you track to measure whether staff are actually applying the security lessons from your training?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Collect feedback from awareness sessions and track responses | Google Forms (built into Google Workspace) or Typeform free tier (up to 100 responses/month) | Typeform paid (₹9,000/year for advanced analytics) |
| Run phishing simulations to test if staff remember email security training | Gophish (open-source, self-hosted) or KnowBe4 Community Edition (limited) | KnowBe4 (₹40,000–₹200,000/year depending on company size) |
| Store and organize incident records and link them to training updates | Google Sheets, Notion free tier, or LibreOffice Calc | Microsoft Teams with Forms or specialized incident management tools like Freshservice (₹50,000+/year) |
| Create and deliver online awareness training modules | Moodle (open-source LMS) or Google Classroom | Teachable (₹15,000+/year) or Absorb LMS (custom pricing) |
| Track metrics and create dashboards to visualize awareness program performance | Google Data Studio or Metabase (open-source) | Tableau Public (free for public data) or Tableau Desktop (₹70,000+/year) |
- Running the same awareness presentation every year without any updates—staff tune it out because it feels stale and irrelevant to current threats
- Collecting feedback through surveys but never acting on it or communicating back to staff what changed—this kills trust in the program and staff stop providing honest feedback
- Not tying awareness updates to actual incidents—when staff see that training changed because of a real problem in the company, they take it seriously; generic updates feel disconnected
- Treating awareness as a one-time compliance checkbox instead of an ongoing cycle—auditors expect to see documented evidence that you review and improve at least quarterly
- Focusing only on new hire training and forgetting to refresh awareness for existing staff—experienced employees are often the most complacent and most targeted by social engineers
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (reasonable security measures) and Section 8 (purpose limitation and accountability) require organizations to maintain awareness and continuously improve security practices based on feedback and incidents |
| CERT-In Guidelines 2022 | Direction 4 (awareness and training) emphasizes periodic and updated security awareness programs with feedback mechanisms |
| ISO 27001:2022 | Clause A.6.3 (information security awareness, education and training) and Clause 8.2.1 require organizations to ensure awareness is effective and periodically reviewed |
| NIST CSF 2.0 | GV.AT-02 (Security awareness and training) and GV.RO-04 (continuous improvement) require feedback loops and updates to awareness programs |