Compliance evidence for security awareness: what NIS2, SOC 2, ISO 27001, and NIST CSF actually require

Direct answer

Compliance evidence for security awareness is the artifact set that demonstrates a program’s effect on workforce behavior, aligned to specific controls. NIS2, SOC 2, ISO 27001, and NIST CSF all reward evidence of effect over evidence of activity. This guide explains what each framework actually requires, what audit-ready evidence looks like, and how lean teams produce it without running an internal awareness program.

Compliance evidence is distinct from training records. Training records show that an event occurred. Compliance evidence shows that the workforce understands, acknowledges, and acts on policy, and that leadership reviews and improves the program over time.

Why completion rates are not evidence

Completion proves attendance. It does not prove behavior, understanding, or decision quality.

Most security awareness programs report completion: how many employees finished the assigned training. Completion is easy to measure and easy to present in a board deck. It is also a weak signal of the underlying control objective, which is to reduce the probability that employee decisions create security incidents.

Regulators and auditors have noticed. NIS2 expects governance and human-factor measures, not just training. ISO 27001:2022 A.6.3 expects effectiveness evaluation, not attendance. SOC 2 evaluates evidence of competence and communication, rather than relying solely on enrollment or completion metrics. NIST CSF 2.0 expects role-differentiated outcomes (PR.AT) and management oversight (GV.OV), not completion percentages. The shift in audit expectation is consistent: regulators and auditors increasingly look for evidence of effect, not evidence of activity.

What each framework requires

NIS2 (Article 21 and Article 20)

NIS2 Article 21(2)(g) requires essential and important entities to implement “basic cyber hygiene practices and cybersecurity training” as one of ten minimum cybersecurity risk-management measures. Article 20(1) makes management bodies responsible for approving and overseeing those measures, and Article 20(2) requires them to follow training themselves. Article 21(2)(f) further requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

The European Union Agency for Cybersecurity (ENISA) publishes practical Technical Implementation Guidance with examples of evidence that go beyond completion records, including the awareness programme outline, distributed materials, participation records, effectiveness testing (for example with quizzes or scenarios), and periodic review. These are illustrative examples that organizations can use to demonstrate Article 21(2)(g) compliance, not universal legal requirements.

ISO 27001:2022 (A.6.3 and Clauses 7.3, 9.1, 9.3, 10)

ISO 27001:2022 Annex A control A.6.3 (Information security awareness, education and training) requires personnel and relevant interested parties to receive ongoing, role-appropriate awareness, education, and training, with documented evaluation of effectiveness. The main-body Clause 7.3 (Awareness) reinforces this requirement at the management-system level.

Effectiveness is the operative word. The standard does not specify a curriculum or a completion threshold. It requires the organization to define what to measure (Clause 9.1 monitoring and measurement), review the program at planned intervals (Clause 9.3 management review), and act on findings through corrective action and continual improvement (Clause 10). Documented information must be retained as evidence at every step.

SOC 2 (CC1.4, CC2.2, and supporting criteria)

The AICPA Trust Services Criteria evaluate security awareness primarily under CC1.4 (commitment to attract, develop, and retain competent individuals) and CC2.2 (internal communication of internal control responsibilities). CC1.5 (accountability for internal control responsibilities) and CC5.3 (policies and procedures) are typically applied in support.

SOC 2 has criteria and points of focus, not numbered clauses. Auditors evaluate the program against two report types. A Type 1 report confirms that the program is designed correctly at a point in time. A Type 2 report evaluates operating effectiveness across an audit period (typically 6 to 12 months). For a Type 2 report, auditors expect per-person completion records reconciled to the personnel roster, evidence of new-hire training within onboarding, and evidence that the program operated continuously across the period.

NIST CSF 2.0 (PR.AT, GV.RR, GV.OV)

NIST CSF 2.0 covers awareness and training under PR.AT, with two subcategories: PR.AT-01 (personnel general awareness and training) and PR.AT-02 (specialized roles). The Govern function, new in CSF 2.0, makes leadership accountability and oversight explicit through GV.RR (roles, responsibilities, and authorities) and GV.OV (oversight).

CSF is a voluntary, outcome-based framework rather than a control catalog. It defines what to achieve, not how to achieve it. Evidence quality, role-differentiated curricula, performance data, and documented management review matter more than completion percentages. The full reference text is in the NIST CSF 2.0 publication.

What audit-ready evidence looks like

Audit-ready evidence for security awareness shares four properties. Each property maps to a specific question an auditor asks.

This model is formalized in the Human Risk Evidence Map, which connects each behavioral signal to the evidence it produces and the control it supports.

Behavioral signals tied to controls

The evidence records what an employee did or decided, not what they were shown. Behavioral signals include comprehension results from scenario-based checks, decisions made in realistic, role-relevant situations, and policy acknowledgements that capture both receipt and acceptance. Each signal references a specific control in NIS2, ISO 27001, SOC 2, or NIST CSF, so the auditor can trace the artifact to the control objective.

Time-stamped acknowledgements and decisions

Every record carries a verifiable timestamp, the policy or content version it relates to, and the identity of the employee. Time-stamping is what allows the auditor to test the evidence against the audit period and confirm that the program operated continuously, not just in the weeks before the audit.

Framework-mapped exports

Evidence is exportable in formats auditors and GRC tools can ingest (JSON, CSV, structured reports). The export references controls at the artifact level, so the alignment is auditable rather than asserted. Mapping at the artifact level, where each record directly references a control, is the single most important difference between a reporting-led platform and an audit-ready evidence model.

Management review records

Auditors increasingly ask for evidence that leadership reviewed program output and acted on findings. Management review records typically include a periodic report, the action owner, the improvement decision, and the date of review. NIS2 Article 20, ISO 27001 Clauses 9.3 and 10, and NIST CSF GV.OV all reference this layer.
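The four properties above translate into concrete tests an auditor runs over an evidence export. The following added example (not SafeHabits code, and not any framework's official tooling) applies those tests to a constructed batch of artifact-level records: it rejects records without a control reference, reconciles records to an HR roster, flags roster members with no evidence, and reports calendar months in the audit period with no activity. The record schema, control labels, employee identifiers and dates are all assumptions constructed for the example.

```python
# Added example (not SafeHabits code): audit a batch of artifact-level awareness
# evidence records the way a SOC 2 Type 2 or ISO 27001 auditor would test them.
# Record schema and control labels are assumptions constructed for this example.
from collections import defaultdict
from datetime import date

REQUIRED = ("employee_id", "timestamp", "content_version", "signal", "controls")
ROSTER = {"e1", "e2", "e3"}                       # constructed HR roster for the period
AUDIT_PERIOD = (date(2025, 1, 1), date(2025, 6, 30))

EVIDENCE = [  # constructed sample export; one record lacks a control reference, one is off-roster
    {"employee_id": "e1", "timestamp": "2025-01-15", "content_version": "acceptable-use-v3",
     "signal": "policy_ack", "controls": ["SOC2:CC2.2", "NIS2:Art21(2)(g)"]},
    {"employee_id": "e1", "timestamp": "2025-04-02", "content_version": "phish-scenario-7",
     "signal": "scenario_decision", "controls": ["ISO27001:A.6.3", "NISTCSF:PR.AT-01"]},
    {"employee_id": "e2", "timestamp": "2025-02-20", "content_version": "acceptable-use-v3",
     "signal": "policy_ack", "controls": ["SOC2:CC2.2"]},
    {"employee_id": "e2", "timestamp": "2025-03-10", "content_version": "data-handling-quiz-2",
     "signal": "comprehension", "controls": []},
    {"employee_id": "e9", "timestamp": "2025-05-05", "content_version": "acceptable-use-v3",
     "signal": "policy_ack", "controls": ["SOC2:CC2.2"]},
]

def month_range(start, end):
    # Yield (year, month) for every calendar month in the audit period, inclusive.
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield (y, m)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)

def audit(evidence, roster, period):
    # Return the findings an auditor would raise against this evidence set.
    start, end = period
    out = {"malformed": [], "off_roster": set(), "idle_months": [], "by_control": defaultdict(set)}
    seen, active = set(), set()
    for i, rec in enumerate(evidence):
        if any(not rec.get(k) for k in REQUIRED):   # missing field or empty control list:
            out["malformed"].append(i)               # alignment must exist at the artifact level
            continue
        ts = date.fromisoformat(rec["timestamp"])
        if not start <= ts <= end:                   # outside the period: cannot support Type 2
            continue
        if rec["employee_id"] not in roster:         # per-person records must reconcile to HR
            out["off_roster"].add(rec["employee_id"])
            continue
        seen.add(rec["employee_id"])
        active.add((ts.year, ts.month))
        for c in rec["controls"]:
            out["by_control"][c].add(rec["employee_id"])
    out["no_evidence"] = roster - seen               # roster members the program never reached
    out["idle_months"] = [f"{y}-{m:02d}" for y, m in month_range(start, end) if (y, m) not in active]
    return out
```

The by_control map is what a framework-mapped export makes possible: for each control it lists which people have artifact-level evidence, so coverage is shown per control rather than asserted as a single completion percentage.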

How to produce this evidence without an internal program

Most lean security and compliance teams (mid-market, SMB, scale-up) do not have the capacity to operate an internal security awareness program. They are not going to design scenarios, curate content, schedule campaigns, run effectiveness evaluations, and maintain framework alignment in-house, regardless of how their platform is positioned.

This is the gap a managed human risk program is designed to fill. Most security awareness platforms are built for organizations that can run programs. SafeHabits is built for organizations that cannot.

A managed program suits the lean-team operating model when it satisfies four conditions:

  • Behavioral signal capture and evidence generation included by default
  • Framework-aligned exports available without configuration work
  • Management review records produced and retained systematically
  • Fast deployment, measured in days rather than months

For a comparison of platforms that produce different types of evidence, see the comparison of human risk management tools.

SafeHabits evidence outputs

SafeHabits is a human risk management platform providing habit-driven security awareness and audit-ready compliance evidence. Designed for lean teams from startups to mid-market, it delivers immediate value without the internal administrative overhead. SafeHabits is a B2B SaaS platform delivered as a fully managed human risk management program.

The evidence outputs available to customers include:

  • Time-stamped scenario decisions per employee, with the chosen action and the correct action
  • Comprehension results per policy area, time-stamped per topic
  • Policy acknowledgement records, time-stamped per policy version
  • Management review records, with action owner and improvement decisions
  • Framework-aligned exports in JSON, CSV, and structured reports, with artifact-level evidence mapped at the record level to NIS2, ISO 27001, SOC 2, and NIST CSF controls

Each completed habit can produce named acknowledgement records with timestamp, content version, and framework alignment. This makes the evidence traceable without publishing the full internal mapping model.

For the underlying evidence model and the Human Risk Evidence Map, see the definition of human risk management.

Comparison: completion-style vs audit-ready evidence

A side-by-side view of evidence types and how they support each framework. Cells reflect typical auditor expectations and framework wording at the time of writing.

Evidence type | Audit defensibility | Control alignment
Completion percentage | Generally weak as standalone evidence; shows enrollment, not understanding or behavior | Indirect; manual mapping required
Phishing testing result | Useful as supplemental evidence; not specifically required by SOC 2 or ISO 27001 | Partial; covers one threat vector
Comprehension result (scenario or quiz) | Direct evidence of understanding | Supports ISO 27001 A.6.3 effectiveness evidence and NIST CSF PR.AT outcomes
Time-stamped policy acknowledgement | Direct evidence of receipt and acceptance | Supports SOC 2 CC2.2 communication evidence and NIS2 Article 21 training evidence
Scenario decision log | Direct evidence of decision quality | Supports NIS2 Article 21(2)(g) and ISO 27001 A.6.3 effectiveness evidence
Management review record | Direct evidence of governance oversight | Supports NIS2 Article 20, ISO 27001 Clauses 9.3 and 10, and NIST CSF GV.OV

FAQ

What evidence do I need for security awareness training under SOC 2?

Under SOC 2, you need a documented training policy, curriculum or content evidence, and per-person completion records with timestamps reconciled to your HR roster across the audit period (typically 6 to 12 months for a Type 2 report). Auditors apply CC1.4 (commitment to competence) and CC2.2 (internal communication) most directly, with CC1.5 and CC5.3 in support. Phishing simulations and behavioral results are accepted as supporting evidence; they are not standalone requirements.

What does NIS2 require for human risk and awareness?

NIS2 Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training as one of ten minimum risk-management measures. Article 20 makes management bodies accountable for approving and overseeing those measures and requires them to follow training themselves. ENISA’s Technical Implementation Guidance offers practical examples of evidence that go beyond completion records, including programme design, distributed materials, effectiveness testing, and periodic review.

What evidence does ISO 27001 A.6.3 require?

ISO 27001:2022 A.6.3 requires evidence that personnel receive ongoing, role-relevant security awareness, education and training, and that the program’s effectiveness is evaluated. Completion records alone do not meet the effectiveness expectation. In practice, auditors look for documented training plans, completion records, comprehension or behavioral evidence, and a closed loop into Clause 9.1 measurement, Clause 9.3 management review, and Clause 10 improvement.

Does completion rate count as evidence for ISO 27001?

Completion rate is one input but is generally weak evidence on its own under ISO 27001:2022 A.6.3, which requires effectiveness evaluation. A completion percentage shows enrollment but does not demonstrate that the workforce understands the material, applies it correctly, or that leadership has reviewed and acted on the results.

How do auditors evaluate human risk programs against NIST CSF 2.0?

NIST CSF 2.0 is a voluntary, outcome-based framework. Auditors and assessors evaluate human risk programs by asking whether the organization can show role-differentiated awareness outcomes (PR.AT-01 for general personnel and PR.AT-02 for specialized roles), defined accountability and HR linkage (GV.RR), and management review that feeds strategy adjustments (GV.OV). They look for evidence of effect, not attendance.

Behavioral evidence vs completion evidence: what is the difference?

Completion evidence proves an event occurred (the employee was enrolled or finished the module). Behavioral evidence proves what the employee actually did or decided (selected the correct action in a realistic scenario, acknowledged a specific policy version, demonstrated comprehension). Auditors increasingly weight the second.

Can lean teams produce audit-ready evidence without an internal awareness program?

Yes, through a managed operating model such as SafeHabits. Signal capture, scenario delivery, evidence generation, framework alignment, and management review records are operated as a service. The internal team retains policy ownership and approves the output. For organizations that cannot staff a full internal awareness function, this is the only realistic operating model.

Are phishing simulations required for SOC 2 or ISO 27001?

Neither SOC 2 nor ISO 27001 specifically requires phishing simulations. They require appropriate awareness, communication, competence, and evidence that controls are designed and operating effectively. Phishing simulations can support that evidence, but they are not the only valid method.

How quickly can audit-ready evidence be generated?

With internally operated programs, audit-ready evidence typically emerges over several months as campaigns run and data accumulates. Managed programs with pre-built scenarios and evidence pipelines can begin producing usable evidence within days, although auditors still evaluate consistency over time for formal assurance.

For the platform landscape and how managed programs compare to customer-operated alternatives, see the comparison of human risk management tools.