Training #
Control ID: SDLC-CTRL-0017 | Type: Preventive
Summary #
All team members complete annual security awareness training covering the OWASP Top 10, ensuring a security-conscious development workforce.
Description #
Security awareness reduces the likelihood of negligent or accidental insider threats and ensures every team member understands their responsibilities in the software development lifecycle. Training covers the most common security risks and their implications for software development and operations.
New employees and members of the tech team receive this training as part of the onboarding process, and all team members refresh their knowledge at least annually.
Requirements #
- All team members MUST complete security awareness training covering the OWASP Top 10 at least annually
- New employees MUST complete security awareness training as part of onboarding
- Training completion MUST be documented in an audit trail
- Training content SHOULD be reviewed and updated annually to reflect current threats
How we implement this control #
- The team studies the OWASP Top 10 security risks and discusses their implications for our software development and operations, at least annually.
- The activity and participants are logged in a Kosli audit trail.
- New employees work through the OWASP Top 10 together with another member of the team.
Compliance Frameworks #
NIST SP 800-53 Rev. 5
- AT-2 — Literacy training and awareness — requires security awareness training for all personnel.
- AT-3 — Role-based training — requires training tailored to the individual's role and responsibilities in the SDLC.
- AT-4 — Training records — requires documentation and retention of training completion.
- PM-13 — Security and privacy workforce — requires maintaining a security-aware development workforce.
SOC 2 Type II
- CC1.4 — Requires the entity to attract, develop, and retain competent individuals; training ensures personnel have the skills to fulfil their security responsibilities.
- CC2.2 — Requires communication of responsibilities to internal personnel; security awareness training ensures staff understand their role in maintaining controls.