Annual Compliance Security Awareness Training
Refresh the entire workforce on a yearly cycle, mapped to the frameworks your auditors actually ask about. Per-control evidence, time-to-complete benchmarks, and a single export ready for the next audit.
By Dmytro Koziatynskyi Last reviewed
The Yearly Refresh, Without the Yearly Friction
Almost every regulated organization owes auditors proof of annual security awareness training. HIPAA Security Rule, GLBA Safeguards, NYDFS 23 NYCRR 500, ISO 27001 A.7.2.2, GDPR Article 39, and NIST 800-171 control 3.2 each carry a workforce training expectation. Most security teams cope by sending the same 30-minute video out every January and hoping completion rates clear 80%.
The yearly refresh is a chance to drive measurable behavior change, not check a box. The same exercises a hire takes in onboarding need to feel different a year later, with new threat patterns, new scenarios, and a knowledge check that produces a real score. Otherwise the refresh becomes muscle-memory clicking.
RansomLeak runs the annual cycle as a 60-day window with rotating exercise content, framework-mapped reporting, and an executive sponsor email at kickoff. Every completed employee produces a per-control evidence record, scored knowledge check, and time-to-complete benchmark. The audit package compiles automatically at end of window.
How It Works
Pick your frameworks
Select one or more frameworks from the catalogue: HIPAA, GLBA Safeguards, NYDFS 500, ISO 27001 (A.7.2.2 and Annex A 6.3), GDPR Article 39, NIST 800-171 (3.2.1 / 3.2.2), CMMC, PCI DSS 12.6, and SOC 2 CC1.4. Mapping populates automatically across exercises.
Customize the exercise mix
Default curriculum covers phishing, ransomware, social engineering, BEC, data classification, and incident reporting. Customers swap or add exercises by department, role, or framework requirement. Engineering, finance, and clinical roles get optional deep-dive modules.
Set the 60-day completion window
A standard cycle opens with an executive sponsor email and runs 60 days. Per-department reminder cadence: weekly for the first three weeks, then twice weekly until close. Non-completers get a manager escalation at day 50 and an HR ops escalation at day 60.
Track distribution, not just completion
Real-time dashboards show completion rate, average time-to-complete, scoring distribution, and per-exercise drop-off. Slice by department, location, manager, or any HRIS attribute to spot lagging populations early.
Compile the audit evidence package
At end of window, the platform generates a single PDF and CSV export per framework. Each control ID maps to the exercises that cover it, the completion records that prove it, and the scoring data behind it. Drop into the audit portal, no manual cross-walking.
What You Get
Completion certificate per employee
Every employee finishing the cycle receives a dated PDF certificate listing the exercises completed, frameworks covered, and scoring summary. Stored in the employee record and exportable in bulk.
Per-control evidence package
A single export maps each control ID (e.g. ISO 27001 A.7.2.2, HIPAA § 164.308(a)(5)(i), NIST 800-171 3.2.1) to the exercises, completion records, and scores that prove it. Auditor-ready format reviewed against SOC 2 Type II, ISO surveillance, and HHS audit templates.
Time-to-complete benchmarks
Distribution data showing how long completion takes by role, department, and location. Surfaces hidden friction (overloaded teams, language gaps, role-curriculum mismatch) before it becomes an audit finding.
Scoring distribution per exercise
See which scenarios produce the lowest first-attempt scores across the workforce. Use the data to plan targeted micro-training in the next quarter, or to surface roles that need a deeper curriculum.
Executive readout in one slide
A single auto-generated slide with completion rate, scoring distribution, top three weakest scenarios, and year-over-year comparison. Drop straight into the board or audit committee deck.
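The cycle mechanics under How It Works (the 60-day reminder and escalation cadence) and the exports under What You Get (per-control evidence rows, control coverage, weakest scenarios) as one small runnable model. This is an added example, not RansomLeak's code: the kickoff date, the exact twice-weekly slot days, the control-to-exercise mapping and the completion records are constructed assumptions chosen to match the text, and a real deployment would pull records from the LMS and HRIS.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Cycle parameters as described on this page.
WINDOW_DAYS = 60
MANAGER_ESCALATION_DAY = 50
HR_ESCALATION_DAY = 60
WINDOW_START = date(2025, 1, 6)  # constructed kickoff date; day 1 of the window


@dataclass(frozen=True)
class Completion:
    """One employee/exercise pair as an LMS would export it (constructed)."""
    employee: str
    department: str
    exercise: str
    completed_on: date | None  # None: not yet completed
    score: int | None          # first-attempt knowledge-check score, 0-100


# Control ID -> exercises that cover it. The control IDs are the ones named on
# this page; which exercise satisfies which control is an assumption made here.
CONTROL_MAP = {
    "ISO 27001 A.7.2.2": ["Phishing Email Detection", "Employee Security Responsibilities"],
    "HIPAA § 164.308(a)(5)(i)": ["Phishing Email Detection", "Social Engineering Defense"],
    "NIST 800-171 3.2.1": ["Employee Security Responsibilities"],
    "HIPAA § 164.308(a)(6)": ["Ransomware First-Hour Response"],
}

# Constructed completion records for a three-person workforce.
RECORDS = [
    Completion("alice", "finance", "Phishing Email Detection", date(2025, 1, 20), 90),
    Completion("alice", "finance", "Employee Security Responsibilities", date(2025, 1, 21), 85),
    Completion("alice", "finance", "Social Engineering Defense", date(2025, 1, 22), 80),
    Completion("alice", "finance", "Ransomware First-Hour Response", date(2025, 1, 25), 75),
    Completion("bob", "clinical", "Phishing Email Detection", date(2025, 2, 10), 70),
    Completion("bob", "clinical", "Employee Security Responsibilities", None, None),
    Completion("bob", "clinical", "Social Engineering Defense", date(2025, 2, 12), 65),
    Completion("bob", "clinical", "Ransomware First-Hour Response", None, None),
    Completion("carol", "engineering", "Phishing Email Detection", date(2025, 2, 20), 55),
    Completion("carol", "engineering", "Employee Security Responsibilities", None, None),
    Completion("carol", "engineering", "Social Engineering Defense", None, None),
    Completion("carol", "engineering", "Ransomware First-Hour Response", None, None),
]


def reminder_action(day: int) -> str | None:
    """Action owed to a non-completer on day `day` (1-based): weekly for three
    weeks, then twice weekly, manager escalation at 50, HR ops escalation at 60."""
    if day < 1 or day > WINDOW_DAYS:
        return None
    if day == HR_ESCALATION_DAY:
        return "hr_ops_escalation"
    if day == MANAGER_ESCALATION_DAY:
        return "manager_escalation"
    if day <= 21:
        return "reminder" if day % 7 == 0 else None
    # twice weekly: mid-week and end-of-week slots (constructed choice of days)
    return "reminder" if day % 7 in (0, 3) else None


def actions_due(day: int, records=RECORDS) -> dict[str, str]:
    """Employees still missing any exercise as of `day`, with the action owed."""
    action = reminder_action(day)
    if action is None:
        return {}
    as_of = WINDOW_START + timedelta(days=day - 1)
    outstanding = {r.employee for r in records
                   if r.completed_on is None or r.completed_on > as_of}
    return {e: action for e in sorted(outstanding)}


def evidence_rows(records=RECORDS, control_map=CONTROL_MAP) -> list[dict]:
    """One row per (control, exercise, dated completion): the audit export body."""
    rows = []
    for control, exercises in control_map.items():
        for ex in exercises:
            for r in records:
                if r.exercise == ex and r.completed_on is not None:
                    rows.append({"control_id": control, "exercise": ex,
                                 "employee": r.employee, "department": r.department,
                                 "completed_on": r.completed_on.isoformat(),
                                 "score": r.score})
    return rows


def evidence_csv(rows: list[dict]) -> str:
    """Serialise the evidence rows as the CSV half of the export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def control_coverage(records=RECORDS, control_map=CONTROL_MAP) -> dict[str, float]:
    """Share of the workforce with a dated completion for every exercise a control
    needs; anything below 1.0 at end of window is the gap an auditor finds first."""
    workforce = {r.employee for r in records}
    done = {(r.employee, r.exercise) for r in records if r.completed_on is not None}
    return {control: round(sum(all((e, ex) in done for ex in exercises) for e in workforce)
                           / len(workforce), 2)
            for control, exercises in control_map.items()}


def weakest_exercises(records=RECORDS, n=3) -> list[tuple[str, float]]:
    """Exercises ranked by lowest mean first-attempt score (the readout's top three)."""
    scores: dict[str, list[int]] = {}
    for r in records:
        if r.score is not None:
            scores.setdefault(r.exercise, []).append(r.score)
    ranked = sorted(((ex, round(mean(s), 1)) for ex, s in scores.items()), key=lambda t: t[1])
    return ranked[:n]


if __name__ == "__main__":
    print("day 50:", actions_due(50))
    print("coverage:", control_coverage())
    print("weakest:", weakest_exercises())
    print(evidence_csv(evidence_rows()))
```

Running it shows the two non-completers picked up by the day-50 manager escalation, coverage well below 1.0 for every control because the incomplete employees hold none of the multi-exercise controls, and phishing as the lowest-scoring scenario; the CSV is the per-control body an auditor cross-walks from.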
Featured Exercises for Security Awareness Training
The exercise sequence we recommend for this use case, pulled from the catalogue of 100+ exercises.
Phishing Email Detection
The single highest-leverage exercise for any annual refresh. Scenarios rotate yearly to test pattern recognition, not memorization.
Ransomware First-Hour Response
Walks through the containment and reporting decisions every employee needs to know. Required by ISO 27001 A.5.24 and HIPAA § 164.308(a)(6).
Social Engineering Defense
Covers pretexting, impersonation, and out-of-band verification. Maps to NIST 800-171 3.2.2 and HIPAA security reminders.
GDPR Data Breach Response
Walks the 72-hour notification clock under GDPR Article 33 and the equivalent timelines under HIPAA Breach Notification and state laws.
Business Email Compromise
Required by carrier supplemental applications and frequently called out in NYDFS 500.16 risk assessments. Tailored for finance roles.
Employee Security Responsibilities
The yearly affirmation that every workforce member understands their accountability for incident reporting, data handling, and device hygiene.
Threats this use case covers
Read the pillar guide for each attack type and the exercises that train against it.
What Is Annual Compliance Security Awareness Training?
Annual compliance security awareness training is the yearly mandatory refresh that every regulated workforce completes to satisfy framework-specific training requirements. HIPAA Security Rule § 164.308(a)(5), GLBA Safeguards Rule, NYDFS 23 NYCRR 500.14, ISO 27001 Annex A.7.2.2, GDPR Article 39, and NIST 800-171 control 3.2 all carry a workforce education expectation. Auditors expect dated completion records per employee, per-control mapping, and ideally evidence of behavior change rather than passive viewing.
Modern annual programs run on a 60-day window with rotating content, an executive sponsor email at kickoff, and a knowledge check that produces a real score. Static yearly videos technically satisfy the rule, but auditors increasingly probe for scoring distribution and time-to-complete data. The refresh is also the cleanest place to capture year-over-year behavior-change metrics for the board.
RansomLeak runs the annual cycle as interactive 3D simulations mapped to every common framework, with per-department reminder cadence and an audit-ready evidence export at end of window. Each completed employee produces a dated certificate, scored knowledge check, and per-control evidence record. The audit package compiles automatically without spreadsheet cross-walking.
Frequently Asked Questions
What security teams ask before picking this use case.
Which compliance frameworks does the annual program map to?
How long does the annual refresh take per employee?
Can we run multiple framework audits from a single cycle?
What does the audit evidence export contain?
How do we handle non-completers at end of window?
Does content rotate year-over-year?
Can we deliver the cycle in multiple languages?
Run This Use Case With Your Team
Book a 30-minute walkthrough. Tell us what you are running. We will scope the assignment template and rollout timeline.