SOC 2 Security Training Requirements: CC1.4 Explained
SOC 2 requires security awareness training for all staff. Learn what CC1.4 requires, how to run compliant training, what evidence auditors collect, and common gaps.
- CC1.4 requires that all personnel with access to in-scope systems complete security awareness training at least annually.
- Training must cover topics relevant to your threat landscape — phishing, password hygiene, data handling, incident reporting.
- Completion records with timestamps are the primary evidence auditors collect; a report showing "87% completion" is not sufficient — every person with access must complete training.
- New hire training must occur before or shortly after access is granted to in-scope systems.
- Phishing simulation programs strengthen the training evidence record and demonstrate ongoing security culture, not just checkbox compliance.
Criteria and Scope
Security awareness training for SOC 2 is primarily governed by CC1.4, which addresses the organization's commitment to attracting, developing, and retaining competent personnel aligned with security objectives. Training is the mechanism by which the organization communicates and reinforces those security objectives across the workforce. CC2.2 also applies — it requires the entity to internally communicate information necessary for staff to carry out their security responsibilities.
The scope of who must complete training matches the scope of who has access to in-scope systems and data. For most SaaS companies, this is all full-time employees and contractors with access to production environments, internal systems, or customer data. Staff in purely non-technical roles (executive assistants, finance staff) who have no system access may be excluded from your defined scope, but this must be documented.
Auditors interpret "all personnel" broadly. If your engineering team completes training but your customer success team (which accesses the CRM containing customer PII) does not, that is a scope gap the auditor will identify.
Required Training Content
SOC 2 does not prescribe specific training modules, but your training content must be relevant to the actual security risks your employees face. Core topics typically include: phishing and social engineering recognition; password management and MFA usage; acceptable use of company systems and data; data handling and classification; physical security (clean desk, secure device handling); incident reporting procedures; and remote work security.
The training should be updated periodically to reflect new threat types. A training program built in 2019 that still references floppy disks but says nothing about AI-generated phishing emails or SaaS credential compromise would look dated to an auditor. Annual reviews of training content, with documentation of what was updated and why, demonstrate a living program rather than a static checkbox.
Role-specific training adds depth beyond the baseline. Engineers should receive additional training on secure coding practices, dependency management, and secrets hygiene. Administrators of cloud environments should receive training on IAM best practices and least-privilege principles. This additional training does not need to be formally tracked for SOC 2 unless you reference it in your policy, but it contributes to the overall evidence of a mature security culture.
Frequency and Timing
Annual training is the standard frequency accepted by SOC 2 auditors. Your policy must state the required frequency, and your completion records must demonstrate that every in-scope employee completed training within the stated interval during the observation period. If your policy says "annual" and an employee's last training was 14 months ago, that is an exception.
Many companies run their annual security training in Q1 as part of their annual security calendar. A company on a calendar-year observation period (January–December) should ensure all training is completed by no later than December 31. Setting a hard deadline of November 30 gives you time to chase non-completers before year-end.
Training completion dates should align with employment start dates for new hires. An employee who started in July should have a training completion date between July and the following July for the next annual cycle. Your HRIS or training platform should track the per-employee training due date based on their start date or last completion date.
Evidence Requirements
The primary evidence for training compliance is a completion report showing each in-scope employee's name, training module completed, completion date, and pass/fail status (if the training includes a quiz). Most training platforms (KnowBe4, Proofpoint Security Awareness, Curricula, SANS Security Awareness) can generate this report in a CSV or PDF format.
Auditors will cross-reference the completion report against your employee roster. If 52 people were in scope but the training report shows 49 completions, the auditor will ask about the three missing employees. Acceptable explanations include: the employee was on leave during the training period and completed it upon return (show the completion date); the employee was terminated before the training cycle ended; or the employee joined after the training cohort and is completing onboarding training separately.
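As an added example (not code from the article or from any training platform), the reconciliation an auditor performs, scripted in Python over a constructed roster and a constructed completion export: every in-scope person needs a passing completion no older than the policy interval at period end, and a new hire gets the 30-day onboarding window before a missing completion counts as an exception. The CSV columns and the sample names and dates are assumptions modelled on the fields listed above.

```python
import csv
import io
from datetime import date

# Constructed sample data (assumed column layout, not a real platform export).
ROSTER_CSV = """employee,start_date,in_scope
alice,2021-03-01,yes
bob,2023-07-10,yes
carol,2024-11-20,yes
dave,2022-05-05,yes
erin,2020-01-15,no
frank,2024-12-15,yes
"""
COMPLETIONS_CSV = """employee,module,completion_date,result
alice,Security Awareness 2024,2024-02-14,pass
bob,Security Awareness 2024,2023-09-30,pass
dave,Security Awareness 2024,2024-03-02,fail
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(roster, completions, period_end, annual_days=365, new_hire_days=30):
    """Map each in-scope employee who would be an audit exception to the reason."""
    latest = {}  # most recent *passing* completion per employee; a fail does not count
    for row in completions:
        if row["result"].lower() != "pass":
            continue
        done = date.fromisoformat(row["completion_date"])
        if done > latest.get(row["employee"], date.min):
            latest[row["employee"]] = done
    exceptions = {}
    for row in roster:
        if row["in_scope"].lower() != "yes":
            continue  # documented out-of-scope roles are excluded from the check
        name, start = row["employee"], date.fromisoformat(row["start_date"])
        done = latest.get(name)
        if done is None:
            if (period_end - start).days <= new_hire_days:
                continue  # new hire still inside the onboarding window
            exceptions[name] = "no passing completion on record"
        elif (period_end - done).days > annual_days:
            exceptions[name] = f"last completion {done} is older than {annual_days} days"
    return exceptions

def run_example(period_end=date(2024, 12, 31)):
    return reconcile(parse_csv(ROSTER_CSV), parse_csv(COMPLETIONS_CSV), period_end)

if __name__ == "__main__": print(run_example())
```

With a calendar-year observation period the sample flags bob (completion more than 12 months before period end), carol (new hire past the 30-day window with nothing on record) and dave (only a failed attempt), while frank, who started 16 days before period end, is not yet an exception.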
Retain training completion reports in your compliance evidence library, not just within the training platform. Training platform accounts can be deactivated or data can be lost during platform migrations. Exporting the annual completion report to your evidence repository ensures it is available at audit time regardless of platform changes.
New Hire Training
New hires present a specific timing requirement. Your policy should state when new hires must complete security awareness training relative to their start date. Common standards: "within 30 days of employment start" or "before access to production systems is granted." The latter is a stronger security posture and easier to audit — if access provisioning is gated on training completion, there cannot be a gap.
New hire training can be the same content as annual training, or a condensed version. The key is that it covers incident reporting procedures and acceptable use — the two areas where a new hire is most likely to make an accidental security mistake in their first weeks. Document the content of new hire training separately from the annual training if they differ.
Onboarding checklists should include security training as a tracked item with a checkbox and date field. This creates a record in your HRIS onboarding workflow that auditors can review alongside the training platform completion report.
Phishing Simulations
Phishing simulation programs send realistic (but fake) phishing emails to employees to test their ability to recognize and avoid social engineering attacks. Platforms like KnowBe4 and Proofpoint automate campaign creation, email delivery, click tracking, and remedial training assignment for employees who fail.
Phishing simulations are not explicitly required by SOC 2 but are strongly associated with a mature security awareness program. Auditors who see a phishing simulation program with click rate trends over time — ideally showing improvement — view this as strong evidence of CC1.4 operating effectively. Companies running quarterly phishing simulations can point to 4+ data points per year showing the program's impact.
Document phishing simulation results in your evidence library: campaign date, number of employees targeted, click rate, and remedial training assignment rate. Trend analysis showing declining click rates demonstrates that training is actually changing behavior, not just satisfying a checkbox. This kind of behavioral evidence is more compelling than completion rates alone.
Training Tools and Platforms
Common security awareness training platforms used by SOC 2-certified companies include KnowBe4 (market leader, strong phishing simulation capabilities), Proofpoint Security Awareness (strong email security integration), Curricula (modern UX, narrative-based learning), SANS Security Awareness (strong content depth), and Wizer (free tier available for small teams). Google Workspace and Microsoft 365 both include basic security training modules in their admin consoles at no additional cost.
If you use a compliance automation platform like AuditPath that integrates with your training provider, training completion data can be pulled automatically into your evidence library. This eliminates the manual step of exporting and uploading completion reports before each audit.
Whatever platform you use, configure automated reminders to non-completers. Most platforms support automated email reminders at configurable intervals (30 days before due, 14 days before due, overdue). Automated reminders reduce the compliance manager's administrative burden and increase completion rates — important for avoiding exceptions in the audit sample.
Frequently Asked Questions
Does security training need to be in-person or can it be online?
What if an employee refuses to complete security training?
Does board-level or executive staff need to complete training?
Can we build training in-house rather than using a platform?
How long must training records be retained?