
Security Awareness Training

Also known as: Awareness Training, Cybersecurity Awareness Training, Security Training

Periodic training that informs staff about security threats, organisational policy, and expected behaviours, evidenced through completion records and reinforced through ongoing communication.

Written by Askara Solutions editorial team · Updated

Security awareness training is the control that organisations rely on most heavily and trust least. ISO 27001 requires it (clause 7.3 of the standard and control A.6.3 in Annex A), NIS2 expects it of in-scope entities, and almost every customer questionnaire asks how often it runs. The honest answer in many organisations is "annually, by clicking through a deck most people will not remember by next week".

The shape of useful training is well understood and rarely followed. Content is tied to roles, so engineering staff get scenarios that match what they actually do (a spoofed pull request, a poisoned dependency) and finance staff get scenarios that match what targets them (invoice fraud, payment redirection). It runs on a published cadence rather than once per year, with shorter refreshers between modules. Simulated phishing exercises measure the actual susceptibility of the workforce rather than the intention documented in policy, with one caveat: a click rate depends heavily on how convincing the lure was, so campaigns are only comparable when their difficulty is. And the metric that matters is behavioural, not completion: did reported phishing attempts go up, did clicked links go down, did the response time for a real incident shorten?
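The behavioural metrics above are only useful if they are computed per role and tracked across campaigns rather than read off a single simulation. The script below is an added example, not code from the page or from any Askara Solutions product: it takes one record per recipient per simulated-phishing campaign (a constructed sample with an assumed column layout of campaign, user, role, sent, clicked, reported timestamps), computes click rate, report rate, the share who reported before or instead of clicking, and median time-to-report per campaign and role, and then flags roles whose numbers did not improve between the first and last campaign.

```python
"""Behavioural metrics for simulated-phishing campaigns, per role and over time.

Added example; the record layout and the sample data are assumptions for
illustration, not the output format of any real phishing-simulation tool.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: (campaign, user, role, sent_at, clicked_at, reported_at).
# Timestamps are ISO 8601 strings; None means the user did not click / report.
EVENTS = [
    ("2024-Q1", "f1", "finance", "2024-02-05T09:00", "2024-02-05T09:07", None),
    ("2024-Q1", "f2", "finance", "2024-02-05T09:00", "2024-02-05T09:12", "2024-02-05T09:30"),
    ("2024-Q1", "f3", "finance", "2024-02-05T09:00", "2024-02-05T09:20", None),
    ("2024-Q1", "f4", "finance", "2024-02-05T09:00", None, None),
    ("2024-Q1", "f5", "finance", "2024-02-05T09:00", None, None),
    ("2024-Q1", "e1", "engineering", "2024-02-05T09:00", "2024-02-05T09:03", None),
    ("2024-Q1", "e2", "engineering", "2024-02-05T09:00", None, "2024-02-05T09:10"),
    ("2024-Q1", "e3", "engineering", "2024-02-05T09:00", None, "2024-02-05T09:40"),
    ("2024-Q1", "e4", "engineering", "2024-02-05T09:00", None, None),
    ("2024-Q1", "e5", "engineering", "2024-02-05T09:00", None, None),
    ("2024-Q2", "f1", "finance", "2024-05-06T10:00", "2024-05-06T10:15", "2024-05-06T10:16"),
    ("2024-Q2", "f2", "finance", "2024-05-06T10:00", None, "2024-05-06T10:05"),
    ("2024-Q2", "f3", "finance", "2024-05-06T10:00", None, "2024-05-06T10:30"),
    ("2024-Q2", "f4", "finance", "2024-05-06T10:00", None, None),
    ("2024-Q2", "f5", "finance", "2024-05-06T10:00", None, None),
    ("2024-Q2", "e1", "engineering", "2024-05-06T10:00", "2024-05-06T10:02", None),
    ("2024-Q2", "e2", "engineering", "2024-05-06T10:00", "2024-05-06T10:09", None),
    ("2024-Q2", "e3", "engineering", "2024-05-06T10:00", None, "2024-05-06T10:20"),
    ("2024-Q2", "e4", "engineering", "2024-05-06T10:00", None, None),
    ("2024-Q2", "e5", "engineering", "2024-05-06T10:00", None, None),
]


def _ts(value):
    """Parse an ISO timestamp, passing None through unchanged."""
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events):
    """Return {(campaign, role): metrics} for the given event records."""
    groups = defaultdict(list)
    for campaign, _user, role, sent, clicked, reported in events:
        groups[(campaign, role)].append((_ts(sent), _ts(clicked), _ts(reported)))

    out = {}
    for key, rows in sorted(groups.items()):
        sent_n = len(rows)
        clicked_n = sum(1 for _s, c, _r in rows if c)
        reported_n = sum(1 for _s, _c, r in rows if r)
        # Reporting before clicking (or without clicking at all) is the
        # behaviour training is meant to produce; reporting after a click
        # still counts as a report but not as avoidance.
        report_first = sum(1 for _s, c, r in rows if r and (c is None or r < c))
        minutes = [(r - s).total_seconds() / 60 for s, _c, r in rows if r]
        out[key] = {
            "sent": sent_n,
            "click_rate": clicked_n / sent_n,
            "report_rate": reported_n / sent_n,
            "report_first_rate": report_first / sent_n,
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return out


def trend(metrics):
    """Per role, compare the first and last campaign and flag non-improvement.

    Caveat: this only means something when the campaigns being compared
    used lures of comparable difficulty.
    """
    by_role = defaultdict(list)
    for (campaign, role), m in metrics.items():
        by_role[role].append((campaign, m))

    result = {}
    for role, series in by_role.items():
        series.sort(key=lambda item: item[0])
        first, last = series[0][1], series[-1][1]
        result[role] = {
            "click_rate_delta": last["click_rate"] - first["click_rate"],
            "report_rate_delta": last["report_rate"] - first["report_rate"],
            "improving": (last["click_rate"] <= first["click_rate"]
                          and last["report_rate"] >= first["report_rate"]),
        }
    return result


if __name__ == "__main__":
    metrics = campaign_metrics(EVENTS)
    for (campaign, role), m in metrics.items():
        print(f"{campaign} {role:12s} click={m['click_rate']:.0%} "
              f"report={m['report_rate']:.0%} report_first={m['report_first_rate']:.0%} "
              f"median_min_to_report={m['median_minutes_to_report']}")
    for role, t in trend(metrics).items():
        flag = "ok" if t["improving"] else "NOT IMPROVING"
        print(f"{role:12s} click_delta={t['click_rate_delta']:+.0%} "
              f"report_delta={t['report_rate_delta']:+.0%} {flag}")
```

On the constructed sample, finance improves between campaigns (click rate 60% to 20%, report rate 20% to 60%) while engineering regresses (click rate 20% to 40%), which is exactly the per-role signal a single whole-company completion figure would hide. In a real programme the `EVENTS` rows would come from the simulation platform's export and the per-campaign results would be stored alongside the completion register so the management review can look at the trend.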

The training also has to live within the ISMS, not as a parallel programme. Records of who completed which module belong in the same evidence base as the rest of the controls, and the management review should look at the trend rather than the snapshot. The Askara Solutions agent keeps the completion register, the curriculum, and the behavioural metrics tied to the risks the training is meant to reduce, so the auditor sees a control that is calibrated rather than a calendar event.

Related terms

  • Information Security Management System

    The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.

  • Annex A

    The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.

  • Phishing

    Social-engineering attack in which a threat actor impersonates a trusted party to induce the recipient to disclose credentials, transfer funds, or run malicious code.

  • ISO 27001

    International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.