Draft | Internal | ISO 27001 | ISO 9001

SW-ISMS-PRO-009

Security Awareness Training Procedure

Version: 1.0

Owner: CISO

Effective Date: [TBD]

Review Date: [TBD]

Security Awareness Training Procedure

1. Purpose

This procedure establishes a systematic approach for security awareness training and education at Swedwise AB. It ensures that all employees, contractors, and relevant third parties understand their security responsibilities and are equipped to recognize and respond appropriately to security threats.

2. Scope

This procedure applies to:

  • All Swedwise employees (permanent and temporary)
  • Contractors and consultants
  • Board members
  • Third parties with system access (as appropriate)
  • All locations and work arrangements (office, remote, customer sites)

Training types in scope:

  • Initial security awareness (onboarding)
  • Annual security awareness refresher
  • Role-specific security training
  • Specialized technical training
  • Security awareness campaigns and communications
  • Phishing simulations
  • Incident response training

3. Definitions

  • Security Awareness: Understanding of security threats, responsibilities, and appropriate behaviors
  • Security Training: Formal education to develop security knowledge and skills
  • Onboarding Training: Initial security training for new employees
  • Refresher Training: Periodic training to maintain and update security knowledge
  • Role-Specific Training: Training tailored to specific job functions or security responsibilities
  • Phishing Simulation: Simulated phishing attack to test and educate users
  • Security Champion: Designated individual promoting security awareness within their team

4. Responsibilities

  • CISO: Overall security awareness program, content development, effectiveness measurement, reporting
  • HR: Integrating security training into onboarding, tracking completion, coordination with managers
  • Line Managers: Ensuring team completes training, reinforcing security behaviors, escalating concerns
  • IT Operations: Delivering technical training, providing training platform support
  • Training Coordinator: Scheduling training, tracking completion, sending reminders, reporting
  • All Staff: Completing required training on time, applying security awareness in daily work, reporting incidents

5. Security Awareness Training Program

5.1 Program Objectives

Primary Goals:

  • Ensure all staff understand information security policies
  • Enable staff to recognize common security threats
  • Promote secure behaviors in daily work
  • Reduce human error and security incidents
  • Foster a security-conscious culture
  • Meet ISO 27001 and compliance requirements

Target Outcomes:

  • 100% completion of mandatory training
  • Measurable reduction in security incidents caused by human error
  • Improved phishing simulation performance
  • Positive security culture indicators

5.2 Training Framework

Multi-Layered Approach:

Layer 1: Foundation (All Staff)

  • Onboarding security awareness
  • Annual refresher training
  • Monthly security tips and reminders
  • Phishing simulations

Layer 2: Role-Specific (Targeted Groups)

  • Developers: Secure coding
  • Managers: Security responsibilities
  • IT Operations: Technical security controls
  • Customer Success: Data protection and customer communication

Layer 3: Specialized (Selected Individuals)

  • Incident response team training
  • Security certifications (CISSP, etc.)
  • Advanced technical training
  • Security conference attendance

6. Onboarding Security Training

6.1 New Employee Onboarding

Timing: First week of employment (before system access granted)

Delivery Method: Online self-paced module + live Q&A session

Duration: 60-90 minutes

Content Topics:

  1. Introduction to Information Security

    • Why security matters at Swedwise
    • Security as everyone's responsibility
    • ISO 27001 and compliance overview
  2. Information Security Policies

    • Information Security Policy overview
    • Acceptable Use Policy
    • Data classification and handling
    • Clean desk and screen policy
    • Mobile device security
  3. Password and Authentication

    • Strong password requirements
    • Password manager use (mandatory)
    • Multi-factor authentication (MFA)
    • Never share passwords
  4. Common Threats

    • Phishing and social engineering
    • Malware and ransomware
    • Physical security threats
    • Insider threats
  5. Safe Computing Practices

    • Email safety (attachments, links)
    • Web browsing security
    • Software installation restrictions
    • Public Wi-Fi risks
    • Working remotely securely
  6. Data Protection and Privacy

    • GDPR basics and responsibilities
    • Handling customer data
    • Data classification
    • Information sharing guidelines
  7. Physical Security

    • Office access controls
    • Visitor management
    • Equipment protection (laptops, phones)
    • Clean desk policy
  8. Incident Reporting

    • What to report
    • How to report (security@swedwise.se)
    • Who to contact
    • No blame culture for honest mistakes
  9. Customer Site Security

    • Following customer security policies
    • Protecting customer information
    • Representing Swedwise professionally

Assessment:

  • 10-15 question quiz
  • 80% passing score
  • Unlimited retakes
  • Results tracked in LMS

Acknowledgment:

  • Sign acceptable use policy
  • Acknowledge receipt of security policies
  • Confirm understanding of responsibilities

Completion Requirement:

  • Must complete before full system access granted
  • HR tracks completion
  • Reminder sent if not completed within 5 days

6.2 Contractor and Third-Party Onboarding

For Contractors/Consultants:

  • Abbreviated training (30-45 minutes)
  • Focus on: Acceptable use, data handling, incident reporting
  • NDA acknowledgment
  • Completion before access granted

For Third-Party Vendors:

  • Security briefing if on-site or accessing systems
  • Document review (acceptable use, security requirements)
  • Signed acknowledgment

7. Annual Security Awareness Training

7.1 Refresher Training

Audience: All employees (annually)

Timing: Scheduled in Q1 each year (January-March)

Delivery Method: Online self-paced course

Duration: 45-60 minutes

Content Topics:

  • Updates to security policies and procedures
  • Current threat landscape (relevant examples)
  • Common attack techniques (with examples)
  • Data protection and privacy updates
  • Incident response reminders
  • Password and MFA best practices
  • Mobile device security
  • Social engineering awareness
  • Case studies (recent incidents, anonymized)

Refreshed Content:

  • Update examples and scenarios annually
  • Incorporate lessons learned from Swedwise incidents
  • Reference current events and emerging threats
  • Tailor content to Swedwise context

Assessment:

  • 15-20 question quiz
  • 80% passing score
  • Two retake attempts
  • Results tracked in LMS

Completion Deadline:

  • All staff must complete by March 31
  • HR and managers notified of non-completion
  • Escalation process for persistent non-compliance

Tracking and Reminders:

  • Initial notification in early January
  • Reminders at 30 days and 15 days before deadline
  • Manager notification for non-compliant team members
  • Final escalation to department head

7.2 Exemptions and Extensions

Exemptions (rare):

  • Extended leave of absence (>6 months)
  • Departure scheduled before training due

Extensions:

  • Request via manager to HR
  • Valid business reason required (e.g., parental leave, extended sick leave)
  • Maximum 3-month extension
  • Complete upon return

8. Role-Specific Training

8.1 Manager Training

Audience: All people managers

Frequency: Annually (in addition to general awareness training)

Duration: 30-45 minutes

Content:

  • Manager security responsibilities
  • Setting security expectations for team
  • Conducting access reviews
  • Recognizing insider threats
  • Incident escalation and response
  • Supporting security culture
  • Approving access requests
  • Performance management for security violations

Delivery: Live session or online module

8.2 Developer Training

Audience: All developers and engineers

Frequency:

  • Initial: Upon hire or role change
  • Refresher: Annually

Duration: 2-3 hours (initial), 1 hour (refresher)

Content:

  • Secure coding principles
  • OWASP Top 10 vulnerabilities
  • Input validation and sanitization
  • Authentication and authorization
  • Cryptography best practices
  • Secure API design
  • Code review for security
  • Dependency management (supply chain security)
  • Secrets management (no hardcoded credentials)
  • Security testing (SAST, DAST)

Delivery: Online course + workshops

Assessment: Practical exercises and quiz

8.3 IT Operations Training

Audience: IT Operations staff, system administrators

Frequency: Ongoing (as needed) + annual refresher

Content:

  • System hardening and configuration management
  • Patch management
  • Access control implementation
  • Logging and monitoring
  • Incident detection and response
  • Backup and recovery
  • Cloud security (Azure, Microsoft 365)
  • Network security
  • Vulnerability management

Delivery: Mix of online courses, workshops, vendor training

8.4 Customer Success and Sales Training

Audience: Customer-facing roles

Frequency: Initial + annual update

Duration: 30-45 minutes

Content:

  • Handling customer data securely
  • Confidentiality and NDAs
  • Customer site security
  • SaaS security features (to communicate to customers)
  • Data breach communication protocols
  • Customer inquiries about security
  • Competitive positioning on security

Delivery: Online module + live Q&A

8.5 Incident Response Team Training

Audience: Designated incident response team members

Frequency:

  • Initial: Comprehensive training upon designation
  • Refresher: Semi-annually
  • Exercises: Quarterly tabletop drills

Content:

  • Incident management procedure
  • Incident detection and classification
  • Containment and eradication techniques
  • Evidence preservation
  • Communication protocols
  • Post-incident review process
  • Legal and regulatory requirements

Delivery: Live training + tabletop exercises

9. Specialized Training

9.1 Professional Certifications

Support for Security Certifications:

  • CISSP, CISM, CEH, OSCP, etc.
  • Training budget allocation [TBD - amount per person/year]
  • Study time allowance
  • Exam fee coverage
  • Recertification support

Eligible Roles:

  • CISO and security team
  • IT Operations leads
  • Developers (security-focused certifications)

Process:

  • Request via manager
  • CISO approval
  • Document business justification
  • Commitment to remain at Swedwise for defined period post-certification

9.2 Technical Training

Ongoing technical skill development:

  • Cloud security (Azure Security, AWS Security)
  • Security tools (SIEM, vulnerability scanners, etc.)
  • Vendor-specific training (Microsoft, OpenText, etc.)
  • Online learning platforms (Pluralsight, Udemy, etc.)

Allocation:

  • Training budget per IT staff member
  • Time allowance for self-directed learning
  • Lunch-and-learn sessions (monthly)

9.3 Security Conferences and Events

Annual budget for conference attendance:

  • Security conferences (e.g., OWASP, Black Hat, RSA)
  • Vendor events (Microsoft Ignite, etc.)
  • Local security meetups

Selection:

  • CISO approves conference attendance
  • Prioritize relevance and value
  • Attendee shares learnings with team

10. Security Awareness Campaigns

10.1 Monthly Security Tips

Format:

  • Email newsletter or Teams post
  • Short (2-3 minute read)
  • Practical tips and reminders
  • Real-world examples

Topics (rotating):

  • January: Password security and MFA
  • February: Phishing awareness
  • March: Data classification and handling
  • April: Physical security
  • May: Mobile device security
  • June: Social engineering
  • July: Travel security
  • August: Ransomware
  • September: Secure remote work
  • October: Cybersecurity Awareness Month (expanded content)
  • November: Incident reporting
  • December: Holiday scams and year-end reminders

Delivery:

  • Email to all staff
  • Posted in Teams security channel
  • Posted on intranet [TBD]

Metrics:

  • Open rates
  • Engagement (clicks, reactions)

10.2 Targeted Campaigns

Based on Threat Intelligence or Incidents:

  • Immediate alerts for emerging threats (e.g., widespread phishing campaign)
  • Remediation guidance after incidents
  • Seasonal campaigns (holiday scams, tax season phishing)

Format:

  • Email alert
  • Teams notification
  • Short video or infographic
  • Actionable guidance

10.3 Security Posters and Visuals

Physical Office:

  • Security posters in common areas
  • Stickers for laptops (security reminders)
  • Screen savers with security tips

Digital:

  • Intranet security page [TBD]
  • Digital signage (if available)
  • Teams channel graphics

11. Phishing Simulation Program

11.1 Objectives

  • Test user ability to recognize phishing
  • Identify high-risk individuals for additional training
  • Measure effectiveness of awareness training
  • Reinforce secure behaviors

11.2 Simulation Schedule

Frequency: Monthly (1 simulation per month)

Targets:

  • All staff (random sample each month)
  • Rotate to ensure all staff tested at least twice annually

Timing:

  • Varied days and times to be realistic
  • Not immediately after training (avoid priming effect)

11.3 Simulation Design

Phishing Scenarios:

  • Mix of difficulty levels (easy, moderate, difficult)
  • Realistic scenarios:
    • Fake IT alerts (password reset, account verification)
    • Package delivery notifications
    • Invoice or payment requests
    • LinkedIn or social media lures
    • Current events or seasonal themes
  • Rotate scenarios to avoid pattern recognition

Safe Simulations:

  • No actual malware or harmful links
  • Links lead to education page (not login forms)
  • Clear identification after click (training opportunity)

Vendor or Tool: [TBD - Phishing simulation platform]

11.4 Simulation Results

Metrics Tracked:

  • Email open rate
  • Link click rate
  • Credential submission rate (if applicable)
  • Reported as suspicious rate (desired behavior)

Individual Results:

  • Users who click receive immediate training (micro-learning)
  • Users who report are praised (positive reinforcement)
  • No punishment for honest mistakes

Aggregate Reporting:

  • Monthly report to CISO
  • Quarterly trends to management
  • No individual shaming

11.5 Follow-Up Actions

For High-Risk Individuals (multiple failures):

  • Manager notification (confidential)
  • Additional training assigned
  • Targeted follow-up simulation
  • Coaching and support (not punitive)

For Teams with High Click Rates:

  • Team-wide refresher training
  • Manager briefing and support

For Successful Reporters:

  • Recognition in security communications
  • Positive reinforcement

Program Improvements:

  • Analyze results to improve training content
  • Adjust simulation difficulty
  • Share learnings (anonymized)

12. Training Delivery and Platform

12.1 Learning Management System (LMS)

Platform: [TBD - LMS system or integrated with web application]

Requirements:

  • Course hosting and delivery
  • Progress tracking
  • Assessment and quizzing
  • Completion reporting
  • Certificate generation
  • Automated reminders
  • Integration with HR systems (if possible)
  • SCORM or xAPI support

12.2 Content Development

Internal Content:

  • CISO and security team develop Swedwise-specific content
  • Collaborate with external trainers or consultants if needed
  • Incorporate real incidents and lessons learned (anonymized)
  • Update content annually

External Content:

  • Leverage vendor training for tools and products
  • Online security awareness courses (if of sufficient quality and relevant)
  • Industry resources (SANS, NIST, etc.)

Content Formats:

  • Interactive online modules
  • Videos (short, engaging)
  • Infographics and quick reference guides
  • Quizzes and assessments
  • Scenario-based learning

12.3 Training Delivery Methods

Online (Primary):

  • Self-paced e-learning
  • Accessible anytime, anywhere
  • Mobile-friendly
  • Supports distributed workforce

Live Sessions:

  • Onboarding Q&A sessions
  • Specialized technical training
  • Tabletop exercises
  • Workshops and hands-on labs

Blended:

  • Combination of online and live
  • Online for foundational content, live for discussion and practice

13. Training Tracking and Compliance

13.1 Completion Tracking

HR and Training Coordinator:

  • Track completion in LMS
  • Generate compliance reports
  • Send reminders for overdue training

Tracked Metrics:

  • Completion rate (overall and by department)
  • Time to complete
  • Assessment scores
  • Overdue training

Reporting Frequency:

  • Weekly: Overdue training list to managers
  • Monthly: Completion dashboard to management
  • Quarterly: Comprehensive training report to CISO and CEO

13.2 Compliance Enforcement

Consequences for Non-Completion:

Week 1-2 after due date:

  • Automated email reminders

Week 3:

  • Manager notified
  • Manager follows up with employee

Week 4:

  • Department head notified
  • HR contacted

Week 5+:

  • Escalation to CEO
  • Performance management action (per HR policy)
  • System access may be suspended (critical security training)

Persistent Non-Compliance:

  • Documented as performance issue
  • Disciplinary action per HR policy

13.3 New Hire Compliance

Onboarding Training Gate:

  • Security training must be completed before full system access granted
  • Temporary limited access for initial login and training only
  • HR holds back access provisioning until completion confirmed

13.4 Audit and Evidence

ISO 27001 Compliance:

  • Training records maintained for audit
  • Completion certificates
  • Assessment results
  • Attendance logs (for live sessions)
  • Acknowledgment signatures

Records Retention:

  • Training completion records: 3 years
  • Assessment results: 3 years
  • Certificates: Permanent (individual personnel file)
  • Training content versions: 5 years

14. Measuring Effectiveness

14.1 Key Performance Indicators

  • Training completion rate: target 100% (mandatory training); measured as Completed / Total required
  • Onboarding training completion: target 100% within 1 week; measured as new hires completing on time
  • Annual training completion: target 100% by deadline; measured as staff completing by March 31
  • Assessment pass rate (first attempt): target > 85%; measured as First-attempt passes / Total attempts
  • Phishing click rate: target < 10%; measured as Clicks / Total simulations sent
  • Phishing reporting rate: target > 30%; measured as Reports / Total simulations sent
  • Security incidents (human error): target trending down; measured as year-over-year comparison

14.2 Effectiveness Assessment

Indicators of Effective Training:

  • Improved phishing simulation performance
  • Reduced security incidents caused by user error
  • Increased incident reporting by staff
  • Positive feedback in surveys
  • Observed behavior changes

Annual Review:

  • Analyze training metrics and trends
  • Survey staff on training quality and relevance
  • Review incident data for training gaps
  • Update training content based on findings
  • Report effectiveness to management

14.3 Surveys and Feedback

Post-Training Survey:

  • Sent after completing training (optional)
  • Rate content quality, relevance, clarity
  • Suggestions for improvement
  • Identify confusing topics

Annual Security Culture Survey:

  • Assess overall security awareness
  • Gauge attitudes and behaviors
  • Identify areas for improvement
  • Benchmark year-over-year

15. Continuous Improvement

15.1 Program Reviews

Quarterly Reviews:

  • Training completion trends
  • Phishing simulation results
  • Incident correlation (training gaps)
  • Feedback themes

Annual Review:

  • Full program effectiveness assessment
  • Content updates needed
  • Delivery method improvements
  • Budget and resource evaluation

15.2 Content Updates

Annual Content Refresh:

  • Update threat landscape information
  • Incorporate new policies or procedures
  • Add recent incident examples (anonymized)
  • Refresh scenarios and assessments
  • Update videos and graphics

Trigger-Based Updates:

  • After major incidents (add case study)
  • New threats or attack techniques
  • Policy or regulatory changes
  • Technology changes (new tools, platforms)

15.3 Best Practices

  • Keep content concise and engaging
  • Use real-world examples
  • Make it relevant to Swedwise context
  • Avoid overly technical jargon
  • Positive tone (empowerment, not fear)
  • Interactive and hands-on where possible
  • Mobile-friendly content
  • Accessible (multiple languages if needed, subtitles)

16. Security Champions Program

16.1 Program Overview

Objective: Promote security awareness within teams through peer influence

Security Champion Role:

  • Volunteer or nominated from each department/team
  • Acts as security liaison between CISO and team
  • Promotes security awareness in daily work
  • First point of contact for security questions
  • Provides feedback on training and policies

16.2 Champion Responsibilities

  • Complete enhanced security training
  • Attend quarterly security champion meetings
  • Share security tips and updates with team
  • Encourage training completion
  • Report security concerns or suggestions
  • Participate in security initiatives

16.3 Champion Support

Benefits:

  • Enhanced training and access to resources
  • Direct line to CISO
  • Recognition (e.g., certificate, mention in communications)
  • Professional development opportunity

Meetings:

  • Quarterly security champion meetings
  • Share updates, discuss challenges, gather feedback
  • Provide resources and support

17. Inputs and Outputs

Inputs:

  • Security policies and procedures
  • Incident lessons learned
  • Threat intelligence and security trends
  • Compliance requirements
  • User feedback and survey results
  • Phishing simulation results

Outputs:

  • Trained and aware workforce
  • Training completion records and certificates
  • Training effectiveness reports
  • Updated training content
  • Audit evidence
  • Security culture improvements

18. Records

  • Training completion records: retained 3 years; location [TBD - LMS or HR system]
  • Assessment results: retained 3 years; location [TBD - LMS]
  • Training certificates: retained permanently (in personnel file); location [TBD - HR system]
  • Attendance logs (live training): retained 3 years; location [TBD - Training files]
  • Phishing simulation results: retained 2 years; location [TBD - Phishing platform]
  • Training content (versions): retained 5 years; location [TBD - Content repository]
  • Acknowledgment forms (policies): retained 7 years; location [TBD - HR system]

Policies:

Procedures:

Guidelines:

Training Materials:

  • [TBD - Onboarding Security Training Course]
  • [TBD - Annual Security Awareness Course]
  • [TBD - Role-Specific Training Courses]

External:

  • ISO 27001:2022 - Clause 6.3 (Awareness), 7.2 (Competence), 7.3 (Awareness)
  • NIST Cybersecurity Framework - PR.AT (Awareness and Training)

20. Document Control

  • Version 1.0: Date [TBD]; Author [TBD - CISO]; Changes: Initial procedure creation; Approved by [TBD - CEO]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CISO


This procedure is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this procedure.