What is SOC 2 Security Awareness Training

CC1.4 is one of the nine Common Criteria families in the AICPA Trust Services Criteria (TSP Section 100, 2017 with 2022 revised points of focus). It requires the service organization to demonstrate a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The control activity language is explicit: the entity provides training to enable personnel to develop and maintain the competencies needed to support the achievement of objectives. Auditors read this as requiring a documented security awareness program with per-employee completion evidence and role-based content depth.

Yes. Security awareness training is named explicitly in Common Criterion CC1.4 within the Trust Services Criteria. The criterion is mandatory for any SOC 2 report that includes the Security category, which is the only category required for every SOC 2 attestation.

The criterion is enforced through a documented program, per-employee completion records, role-based content, and a refresh cadence sufficient to keep the workforce competent against current threats. Type II auditors test that the control operated effectively across the entire period of operating effectiveness, not just at a single point in time.

The Trust Services Criteria do not name a specific refresh frequency. Annual is the practical floor that most auditors accept for a baseline program, and it is what most service organizations document in their training policy.

Modern auditor practice notes from firms like Schellman, A-LIGN, and Coalfire increasingly read CC1.4 as requiring more than annual: quarterly micro-modules, monthly role-based exercises, or refreshers tied to new attacker techniques. A program that runs one all-hands video and nothing else across a twelve-month period of operating effectiveness will draw an exception from a thoughtful auditor.

Auditors expect three artifacts. First, a documented training program description: curriculum, cadence, scope, assignment policy, and completion criteria. Second, a per-employee completion register for the full period of operating effectiveness, listing user identifier, role, training assigned, completion timestamp, and pass status. Third, evidence of role-based content depth that matches the risk profile of each job function.

Acceptable evidence is an LMS export (Cornerstone, Workday Learning, Docebo, SAP SuccessFactors, Moodle) or a SCORM completion record. Screenshots, signed PDFs, and email receipts are weak evidence and invite follow-up requests. Auditors sample from the personnel listing and trace each sample back to the source training record.

Type I evidence is point-in-time: the program exists, the policy is documented, the LMS is configured, and assignments have been made. The auditor inspects design and confirms the control is in place on a single date.

Type II evidence is operational: the program ran throughout the period of operating effectiveness (six or twelve months), every in-scope person completed it on time, exceptions were tracked and remediated, and management reviewed completion status on a defined cadence. Enterprise buyers usually require Type II reports because Type II tells them the control worked in practice across the audit window, not just on the day the auditor visited.

Yes, when contractors hold access to in-scope systems or data during the audit period. The SOC 2 personnel population includes employees, contractors, interns, and any third party with logical or physical access relevant to the trust boundary.

The most frequent qualified opinion pattern in Type II reports is missing completion evidence for contractors who held access for a short window during the period and never received the training assignment. The control needs to operate effectively for that population during the days they held access, not after they left.

The intent is similar; the framing differs. ISO/IEC 27001 Annex A (specifically A.7.2.2 in the 2013 version, A.6.3 in the 2022 version) requires information security awareness, education, and training. SOC 2 places the same requirement inside Common Criterion CC1.4 of the Trust Services Criteria, with CC1.5, CC2.2, and CC2.3 layering in personnel responsibility and communication.

The audit mechanic is also different. ISO 27001 is a certification against a management system standard with a three-year cycle and annual surveillance. SOC 2 is an attestation by a CPA firm that issues a report against the Trust Services Criteria for a defined period. Most enterprise buyers in North America ask for SOC 2; most enterprise buyers in Europe and APAC ask for ISO 27001. Many service organizations hold both.

The auditor records an exception in the Type II report against the relevant Common Criterion (usually CC1.4). The exception describes the population sampled, the gap found, and the affected period. Depending on severity and scope, the report opinion is either unqualified with noted exceptions or qualified.

A qualified opinion is the failure mode that procurement teams flag. Buyers reviewing a qualified report ask follow-up questions, request remediation evidence, and may delay or block the contract. The remediation path is to close the gap, document the corrective action, and earn an unqualified opinion in the next reporting period.