GRCWatch
Sign inStart free trial

CIS Control 14.2: Train Workforce Members to Recognize Social Engineering Attacks

Social engineering remains one of the fastest paths to a breach—exploiting human judgment rather than software vulnerabilities. CIS Control 14.2 requires your organization to actively train employees to identify and resist phishing, pretexting, tailgating, and similar manipulation tactics. A well-trained workforce becomes your strongest defensive layer.

What this means

This control mandates ongoing security awareness training that teaches workforce members to recognize and respond appropriately to social engineering attempts. Social engineering attacks manipulate people into divulging confidential information or performing actions that compromise security. Training must cover common attack vectors including phishing emails designed to steal credentials, pretexting (fraudulent requests for sensitive data), tailgating (unauthorized physical access), baiting, and quid pro quo schemes. The goal is building a security-conscious culture where employees instinctively question suspicious communications and report threats.

How to comply

  1. 1.Develop a formal social engineering awareness training program covering phishing, pretexting, tailgating, baiting, and quid pro quo attacks
  2. 2.Deliver initial training to all workforce members upon hire and annually thereafter at minimum
  3. 3.Include real-world examples, attack scenarios, and hands-on simulations relevant to your industry
  4. 4.Establish clear reporting procedures for suspected social engineering attempts
  5. 5.Measure training effectiveness through periodic simulated phishing campaigns and track employee reporting rates
  6. 6.Document all training completion and maintain records for compliance audits
  7. 7.Update training content quarterly to reflect emerging attack techniques and threat intelligence
  8. 8.Assign accountability to security or HR teams for ongoing program management

Evidence auditors look for

  • Training attendance logs showing 100% workforce participation
  • Annual security awareness training curriculum documents
  • Email phishing simulation results and employee click-through rates
  • Documented procedures for reporting social engineering incidents
  • Training completion certificates or LMS records
  • Incident response metrics showing employee-reported phishing attempts
  • Updated threat briefings addressing recent attack campaigns
  • Policy documentation on acceptable use and security expectations

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates workforce training assignment and tracks completion rates across all employees, sending reminders and generating compliance reports for CIS 14.2 audits—eliminating manual tracking and spreadsheet chaos.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 14.1 — Security Awareness and Training ProgramCIS 14.3 — Implement a Security Awareness ProgramCIS 15.1 — Establish and Maintain an Incident Response PlanNIST Cybersecurity Framework — PR.AT-1 (Awareness and Training)