Security Awareness Training for Annual Compliance
Refresh the entire workforce on a yearly cycle, mapped to the frameworks your auditors actually ask about. Per-control evidence, time-to-complete benchmarks, and a single export ready for the next audit.
The Yearly Refresh, Without the Yearly Friction
Almost every regulated organization owes auditors proof of annual security awareness training. HIPAA Security Rule, GLBA Safeguards, NYDFS 23 NYCRR 500, ISO 27001 A.7.2.2, GDPR Article 39, EU AI Act Article 4, and NIST 800-171 control 3.2 each carry a workforce training expectation. Most security teams cope by sending the same 30-minute video out every January and hoping completion rates clear 80%.
The yearly refresh is a chance to drive measurable behavior change, not check a box. The same exercises a hire takes in onboarding need to feel different a year later, with new threat patterns, new scenarios, and a knowledge check that produces a real score. Otherwise the refresh becomes muscle-memory clicking.
RansomLeak runs the annual cycle as a 60-day window with rotating exercise content, framework-mapped reporting, and an executive sponsor email at kickoff. Every completed employee produces a per-control evidence record, scored knowledge check, and time-to-complete benchmark. The audit package compiles automatically at end of window.
How It Works
Pick your frameworks
Select one or more frameworks from the catalogue: HIPAA, GLBA Safeguards, NYDFS 500, ISO 27001 (A.7.2.2 and Annex A 6.3), GDPR Article 39, EU AI Act Article 4, NIST 800-171 (3.2.1 / 3.2.2), CMMC, PCI DSS 12.6, and SOC 2 CC1.4. Mapping populates automatically across exercises.
Customize the exercise mix
Default curriculum covers phishing, ransomware, social engineering, BEC, data classification, and incident reporting. Customers swap or add exercises by department, role, or framework requirement. Engineering, finance, and clinical roles get optional deep-dive modules.
Set the 60-day completion window
A standard cycle opens with an executive sponsor email and runs 60 days. Per-department reminder cadence: weekly for the first three weeks, then twice weekly until close. Non-completers get a manager escalation at day 50 and an HR ops escalation at day 60.
Track distribution, not just completion
Real-time dashboards show completion rate, average time-to-complete, scoring distribution, and per-exercise drop-off. Slice by department, location, manager, or any HRIS attribute to spot lagging populations early.
Compile the audit evidence package
At end of window, the platform generates a single PDF and CSV export per framework. Each control ID maps to the exercises that cover it, the completion records that prove it, and the scoring data behind it. Drop into the audit portal, no manual cross-walking.
What You Get
Completion certificate per employee
Every employee finishing the cycle receives a dated PDF certificate listing the exercises completed, frameworks covered, and scoring summary. Stored in the employee record and exportable in bulk.
Per-control evidence package
A single export maps each control ID (e.g. ISO 27001 A.7.2.2, HIPAA § 164.308(a)(5)(i), NIST 800-171 3.2.1) to the exercises, completion records, and scores that prove it. Auditor-ready format reviewed against SOC 2 Type II, ISO surveillance, and HHS audit templates.
Time-to-complete benchmarks
Distribution data showing how long completion takes by role, department, and location. Surfaces hidden friction (overloaded teams, language gaps, role-curriculum mismatch) before it becomes an audit finding.
Scoring distribution per exercise
See which scenarios produce the lowest first-attempt scores across the workforce. Use the data to plan targeted micro-training in the next quarter, or to surface roles that need a deeper curriculum.
Executive readout in one slide
A single auto-generated slide with completion rate, scoring distribution, top three weakest scenarios, and year-over-year comparison. Drop straight into the board or audit committee deck.
Featured Exercises for Annual Compliance
The exercise sequence we recommend for this use case, pulled from the catalogue of 100+ exercises.
Phishing Email Detection
The single highest-leverage exercise for any annual refresh. Scenarios rotate yearly to test pattern recognition, not memorization.
Ransomware First-Hour Response
Walks through the containment and reporting decisions every employee needs to know. Required by ISO 27001 A.5.24 and HIPAA § 164.308(a)(6).
Social Engineering Defense
Covers pretexting, impersonation, and out-of-band verification. Maps to NIST 800-171 3.2.2 and HIPAA security reminders.
GDPR Data Breach Response
Walks the 72-hour notification clock under GDPR Article 33 and the equivalent timelines under HIPAA Breach Notification and state laws.
Business Email Compromise
Required by carrier supplemental applications and frequently called out in NYDFS 500.16 risk assessments. Tailored for finance roles.
Employee Security Responsibilities
The yearly affirmation that every workforce member understands their accountability for incident reporting, data handling, and device hygiene.
Threats this use case covers
Read the pillar guide for each attack type and the exercises that train against it.
Frequently Asked Questions
Which compliance frameworks does the annual program map to?
How long does the annual refresh take per employee?
Can we run multiple framework audits from a single cycle?
What does the audit evidence export contain?
How do we handle non-completers at end of window?
Does content rotate year-over-year?
Can we deliver the cycle in multiple languages?
References
Primary sources cited above.
- SOC 2 Trust Services Criteria (CC1.4 — commitment to competence) — AICPA & CIMA
- HIPAA Security Rule — 45 CFR §164.308(a)(5) Security Awareness and Training — U.S. Department of Health & Human Services (HHS)
- ISO/IEC 27001:2022 — Information security management systems (Clause 7.3 Awareness) — International Organization for Standardization (ISO)
- Regulation (EU) 2016/679 (GDPR) — Articles 32 and 39 (security of processing; DPO awareness duties) — EUR-Lex (Publications Office of the European Union)
- NIST SP 800-50 Rev. 1 — Building a Cybersecurity and Privacy Awareness and Training Program — NIST Computer Security Resource Center
- Directive (EU) 2022/2555 (NIS2) — Article 21(2)(g) cyber hygiene and security training — EUR-Lex (Publications Office of the European Union)
- SANS 2024 Security Awareness Report — Managing Human Risk — SANS Institute
See RansomLeak in Action
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.