AT.L2-3.2.2—Role-Based Training
Level 2
800-171: 3.2.2
>Control Description
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- How do you identify role-specific security training requirements?
- What is your process for developing and approving security training curricula?
- How do you ensure training content remains current with evolving threats?
- Who is responsible for managing the role-based training program?
- How do you track and enforce training completion requirements?
Technical Implementation:
- What platforms deliver role-based security training?
- How do you technically assign training based on user roles?
- What mechanisms verify training completion before granting access?
- How is specialized training delivered to privileged users?
- What tools track role-specific training requirements and completion?
Evidence & Documentation:
- What training materials and curricula can you provide?
- What training completion records and certificates demonstrate compliance?
- What training attendance rosters and sign-in sheets can you show?
- What LMS reports show training assignment and completion?
- What documentation shows training content is current and role-appropriate?
- What evidence demonstrates initial and refresher training?