Which Compliance Standards Require Security Awareness Training?
HIPAA, PCI DSS, SOC 2, ISO 27001, GLBA, NYDFS, and CMMC, a plain-English rundown of which frameworks require security awareness training and where phishing tests fit.
"Train your people" is one of the most common lines in the security-compliance world. Nearly every major framework requires some form of security awareness training, and several now name phishing and social engineering specifically. Here is the plain-English version of who requires what.
This is general information, not legal or compliance advice. Always confirm the specifics that apply to your organization.
The short version
| Framework | Who it applies to | Training requirement |
|---|---|---|
| PCI DSS v4.0 | Anyone handling card payments | At hire and annually; names phishing and social engineering |
| HIPAA | Healthcare and business associates | Security awareness program for the whole workforce |
| SOC 2 | SaaS and service providers | Documented, recurring awareness training |
| ISO/IEC 27001:2022 | Any certified org | Awareness, education, and training for all staff |
| GLBA (FTC Safeguards) | Financial institutions | Security awareness training for personnel |
| NYDFS 23 NYCRR 500 | NY financial services | Annual training that covers phishing and social engineering |
| CMMC / NIST 800-171 | DoD contractors | Awareness training, including recognizing and reporting threats |
PCI DSS v4.0
If you process card payments, Requirement 12.6 mandates a formal security awareness program: training at hire and at least annually. Version 4.0 went further and explicitly calls out phishing and social engineering as topics the program must cover, with the program reviewed at least every 12 months. Phishing simulations are directly aligned with this.
HIPAA
The HIPAA Security Rule requires a security awareness and training program for every member of the workforce, including management. It calls out protection from malicious software and security reminders as part of that program. Simulated phishing with follow-up training is a natural fit.
SOC 2
SOC 2 is built on the Trust Services Criteria rather than a checklist, but auditors consistently expect to see documented, recurring security awareness training as evidence that an organization takes its control environment seriously. A repeatable phishing program with records is strong evidence.
ISO/IEC 27001:2022
The 2022 revision includes a dedicated control for information security awareness, education, and training. All employees, and relevant contractors, should receive appropriate awareness training and regular updates as they relate to their role.
GLBA and the FTC Safeguards Rule
The updated FTC Safeguards Rule requires financial institutions, a category broader than banks and including the likes of accountants, auto dealers, and mortgage brokers, to provide security awareness training to personnel as part of a written information security program.
NYDFS 23 NYCRR 500
New York's financial services cybersecurity regulation requires covered entities to provide cybersecurity awareness training at least annually, and it specifically calls for training that addresses social engineering, including phishing. Regular phishing simulations are a clear way to satisfy and evidence this.
CMMC and NIST 800-171
Defense contractors and their suppliers fall under CMMC, which builds on NIST SP 800-171. Its awareness and training controls require that personnel are trained to recognize and report security threats, phishing very much included.
Where phishing simulations fit
Notice the pattern: these frameworks require training, and several name phishing directly. Awareness training is broader than phishing tests alone, but simulations with click tracking and reporting give you something auditors and cyber-insurance carriers increasingly want: documented, repeatable evidence that the control is real and ongoing, not a one-time slide deck.
Cyber-insurance underwriting has moved in the same direction. Many carriers now expect awareness training and phishing testing as a condition of coverage or as a prerequisite for better premiums.
You can see the same standards summarized on our compliance overview.
Turn the requirement into evidence
phis3d gives you the repeatable phishing simulations and clean reporting that map to these training requirements, without an enterprise rollout. Sign up and we will include a free baseline test for your team.