This article covers 8 points on how to prove in an audit that your staff is properly trained:
- What auditors and authorities expect to see (ISO 27001, GDPR, NIS2)
- What evidence you need to have ready
- How to organise evidence so it is exportable
- Sampling and interviews: how auditors validate
- How to prepare your organisation to audit training
- Mistakes that can undermine your proof
- How PrivaLex can help
- FAQs and next step
Training in security and privacy is not enough on its own: you must be able to prove it. In an ISO 27001 audit, a GDPR compliance inspection, or NIS2 supervisory review, authorities do not accept verbal statements.
They want clear evidence that your team has been trained appropriately and on an ongoing basis.
This guide explains what evidence auditors and authorities expect, how to organise it, and what mistakes to avoid so the audit runs smoothly. At PrivaLex Partners we design training and audit-ready documentation so that every review is an opportunity to demonstrate real compliance.
What auditors and authorities expect to see (ISO 27001, GDPR, NIS2)
Each framework has its own emphasis, but they all share one idea: training is not enough; you must be able to prove it.
ISO 27001
Auditors look for training and awareness records aligned with clauses 7.2 and 7.3 (competence and awareness) and with Annex A control A.6.3 (information security awareness, education and training on an ongoing basis).
In practice they expect: a training plan with scope and frequency, records of who received what training and when, and evidence that awareness is effective (evaluations, simulations or metrics).
If you are working towards certification, the guide on how to obtain ISO 27001 certification helps frame the rest of the controls.
GDPR
GDPR audit and data protection authority inspections typically ask for documentation showing that people who process personal data know the basic principles, data subject rights, and internal procedures (breaches, rights requests, sharing with third parties).
The GDPR requires proactive accountability: being able to demonstrate compliance. Documented training is a central part of that demonstration.
NIS2
Under NIS2, supervisory authorities can require periodic training plans covering staff, technical teams and management, plus participation records and evaluations.
It is not a certification like ISO: supervision can come at any time, so it pays to have evidence ready and up to date.
For the official directive text, see Directive (EU) 2022/2555. Cybersecurity and privacy both rely on staff knowing how to act and the organisation being able to prove it.
“In compliance, what is not documented is treated as if it did not exist.”
In short: ISO 27001 wants to see ongoing competence and awareness with records and evaluations; GDPR wants to see that anyone processing personal data knows their obligations and procedures, with documentation to prove it; NIS2 wants to see periodic plans, participation by staff and management, and exportable evidence.
Preparing one well-structured evidence pack lets you respond to all three frameworks without duplicating effort.
What evidence you need to have ready
If you want to prove in an audit that your staff is properly trained, prepare an evidence pack that you can hand over or export.
Auditors typically ask for concrete items such as:
- Training plan and annual schedule (scope, audiences, frequency, owners), including refreshers and post-incident sessions where relevant.
- Attendance lists (signatures), LMS exports, or online course access logs, with dates and attendee identification.
- Training materials: slide decks, manuals, videos or internal policy summaries, with version and date.
- Evaluation results: short quizzes, phishing simulations, tabletop exercises, satisfaction surveys.
- Onboarding protocols and evidence for new joiners (and, where relevant, third parties): what was trained and when.
Having this evidence organised and exportable is the difference between a smooth audit and a non-conformity or corrective measure request.
Two additional elements strengthen the story: an exceptions and remediation log (what happens when someone does not attend, evidence of catch-up sessions) and simple KPIs (completion rate, simulation results, time to report).
That demonstrates continuous improvement, which is what auditors and regulators expect when they see a recurring programme.
What each type of evidence is for (auditor’s view):
- The plan shows the programme exists and is thought through (scope, cadence, owners).
- Attendance or completion shows training was delivered.
- Materials show what was taught and that it aligns with policies and risk.
- Evaluations (quizzes, simulations) support that training is effective, not just formal.
- Onboarding evidence shows new joiners are not left out.
If any of these pillars is missing, the auditor can question whether staff are “properly” trained in the sense the standards require.
How to organise evidence so it is exportable
In audits and supervisory reviews it is usually not enough to say “it’s all in the LMS”. You need to be able to export plan, attendance, materials and results. A stable internal structure makes the work and the review easier:
- Training/Plan/ – annual plan, scope, role-based competence matrix.
- Training/Materials/ – slide versions and dates.
- Training/Records/YYYY/ – attendance, LMS exports, completion logs.
- Training/Assessments/YYYY/ – quizzes, simulation results, drill notes.
- Training/Onboarding/ – checklists and completion evidence for new joiners.
It helps to define who updates each folder and how often, so that in an inspection you do not have to improvise. If your LMS allows exports by period and by course, keep at least a quarterly or annual export in a repository accessible to Compliance or Security.
Quick pre-audit checklist: can you export, within 24 hours, a pack that includes:
1. the current annual plan;
2. attendance or completion records for the last year, by module and role;
3. dated versions of the materials used;
4. evaluation or simulation results for the period;
5. the list of joiners and their onboarding evidence?
If any item is missing, prioritise closing that gap before the review.
Having a clear owner of the evidence pack (Compliance, Security or HR) and a quarterly or six-monthly review cycle avoids last-minute surprises.
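To make that pre-audit checklist mechanical, here is an added example (not PrivaLex's own code or tooling) that runs the check over an exported file listing of the Training/ folder layout above: it reports missing pillars, modules with no record for the audit year, materials whose file name lacks a version and date stamp, and joiners without onboarding evidence. The listing, the `_vN_YYYY-MM-DD` file-naming convention and the module/joiner identifiers are assumptions for the example.

```python
"""Pre-audit gap check over the Training/ evidence pack layout (added example)."""
import re

# The five pillars of the checklist mapped to the folder layout; year folders
# are resolved for the audit year being reviewed.
PILLARS = {
    "plan": "Training/Plan/",
    "records": "Training/Records/{year}/",
    "materials": "Training/Materials/",
    "assessments": "Training/Assessments/{year}/",
    "onboarding": "Training/Onboarding/",
}
# Assumed naming convention for dated material versions, e.g. deck_v3_2024-05-10.pdf
DATED = re.compile(r"_v\d+_\d{4}-\d{2}-\d{2}\.")


def check_pack(paths, year, modules, joiners):
    """Return a list of gap descriptions; an empty list means the pack is complete.
    paths: relative file paths exported from the evidence repository.
    modules: training modules that must have a record for `year`.
    joiners: new-joiner identifiers that must have onboarding evidence."""
    gaps = []
    for name, prefix in PILLARS.items():
        prefix = prefix.format(year=year)
        if not any(p.startswith(prefix) for p in paths):
            gaps.append(f"missing pillar: {name} ({prefix})")
    # Records by module: at least one file in the year folder naming the module.
    rec_prefix = PILLARS["records"].format(year=year)
    for module in modules:
        if not any(p.startswith(rec_prefix) and module in p for p in paths):
            gaps.append(f"no {year} record for module {module}")
    # Materials must carry version and date so the auditor can tie content to a period.
    for p in paths:
        if p.startswith(PILLARS["materials"]) and not DATED.search(p):
            gaps.append(f"undated material: {p}")
    for joiner in joiners:
        if not any(p.startswith(PILLARS["onboarding"]) and joiner in p for p in paths):
            gaps.append(f"no onboarding evidence for {joiner}")
    return gaps


SAMPLE_PATHS = [  # constructed listing for the example, not a real repository
    "Training/Plan/annual_plan_2024.pdf",
    "Training/Plan/competence_matrix.xlsx",
    "Training/Materials/phishing_awareness_v3_2024-05-10.pdf",
    "Training/Materials/gdpr_basics.pptx",  # no version/date in the name
    "Training/Records/2024/phishing_awareness_attendance.csv",
    "Training/Assessments/2024/phishing_simulation_q2.csv",
    "Training/Onboarding/checklist_template.docx",
    "Training/Onboarding/joiner_E102_2024-03-01.pdf",
]

if __name__ == "__main__":
    for gap in check_pack(SAMPLE_PATHS, 2024, ["phishing_awareness", "gdpr_basics"], ["E102", "E107"]):
        print(gap)
```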
Sampling and interviews: how auditors validate
In many audits assessors sample reality beyond the paperwork. That can include:
- Interviews with employees from different departments: for example asking where they would report phishing or an incident, or what they would do if they thought they had shared a sensitive file by mistake.
- Request for evidence for a specific period (e.g. a month or a quarter): not “your best deck”, but real logs and attendance.
- Questions about updates: how training is updated when new risks appear (new supplier, new SaaS, recent incident).
If you prepare for that approach, the audit feels predictable: your plan describes what you do, your records show you did it, and your people can explain the basics without improvising.
A practical indicator: if a non-technical employee cannot answer “where would you report a suspicious email?”, the programme is formal but not operational.
“Real audit success is not about showing paperwork; it is about proving your team knows how to respond.”
How to prepare your organisation to audit training
The best approach is to integrate training into the security and privacy management cycle, not treat it as a one-off project. Every session should leave a documentary trail and every new joiner should receive training from day one.
You should also put in place periodic evaluations that measure real effectiveness: not just meeting the requirement, but showing that staff know how to act in an incident or when handling a rights request. Including simulations (phishing, tabletop incidents) and recording results helps show that training has impact.
Finally, define what happens when someone does not complete training: reminders, catch-up window, exceptions log, and evidence of closure. Without that loop, training is seen as an “event” rather than a control maintained over time.
Assign an owner for the training programme and the evidence pack (Compliance, Information Security or HR, depending on your structure).
That owner should at least quarterly check that folders are up to date, that exceptions have remediation, and that basic KPIs (completion, simulation results) are recorded.
Then when an audit or supervisory review comes, the response does not depend on one person or a last-minute search.
Update materials when policies, tools or risks change (new supplier, new SaaS, incident). Auditors often ask how content is kept current; having dated versions and a clear “when we update” rule strengthens the programme’s credibility. If you run tabletop or incident-response exercises, document date, participants and outcomes: they are strong evidence that staff know how to act.
Four mistakes that can undermine your proof
1. Relying on “everyone knows the basics” without records. If you cannot show who received what training and when, the claim will not stand up to review. Documentation is the basis of proof.
2. Limiting training to one profile (e.g. IT) and forgetting the rest. ISO 27001, NIS2 and the GDPR expect coverage appropriate to risk. If only IT has training records, interviews in other departments can expose the gap.
3. Not updating content or repeating sessions at the right frequency. A single annual session is rarely defensible. Auditors expect continuity: plan, cadence, and evidence that the programme is maintained and reviewed.
4. Not preparing exportable evidence. If everything is scattered or only “in the LMS” with no clear way to export plan, attendance and materials, the audit becomes slow and can lead to non-conformities or corrective measure requests.
These failures can leave an organisation with good intentions in formal non-compliance in the eyes of the auditor or authority. Fixing them with a documented plan, organised evidence and an exceptions process is how you prove that your staff is properly trained. Auditors want to see that training is recurring, role-appropriate and effective, so build a clear cycle: plan → deliver → record → evaluate → update.
How PrivaLex can help
At PrivaLex Partners we design training aligned with ISO 27001, GDPR and NIS2, and we ensure everything is documented for audit: from plans and materials to records and evaluations. We offer:
- Design and delivery of role-based training (staff, technical teams, management).
- Evidence packs ready for audit (structure, templates, export guidance).
- Integration with your security and privacy cycle (cadence, onboarding, post-incident).
- FUNDAE management in Spain so that meeting these requirements does not become a financial burden.
The aim is for every training to be an investment and every audit an opportunity to prove that your team is properly trained, with clear, exportable evidence. We can help you define the minimum evidence set for your context (ISO 27001, GDPR, NIS2 or a combination), design the folder structure and update rhythm, and leave you with templates and an export checklist so that the next audit does not turn into a scramble for documents.
Schedule a strategic session with PrivaLex and we will help you prepare the evidence pack and the strategy to prove in an audit that your staff is properly trained.
Frequently Asked Questions (FAQs)
What evidence do ISO 27001 auditors typically ask for on training?
They usually ask for a training plan with scope and frequency, attendance or completion records, materials used, and evaluation results (quizzes, simulations), plus onboarding evidence for new joiners. Clauses 7.2, 7.3 and control A.6.3 require ongoing competence and awareness.
Does the GDPR require a training certificate?
It does not require a specific certificate, but it does require that you can demonstrate that people who process personal data know their obligations and internal procedures. Documented training (plan, attendance, content) is the practical way to show that proactive accountability.
What can an authority ask for under NIS2 on training?
They can request periodic training plans covering staff, technical teams and management, participation records and evaluations. Evidence should be available and, in practice, exportable for review.
Is it enough to have an LMS with completed courses?
It helps, but it is usually not enough on its own. Auditors and authorities typically expect to review plan, attendance (or LMS exports), materials and results. Organising everything in an exportable structure (by year, by module, by role) makes the review easier and signals seriousness.
What to do when an employee has not completed training?
Define a process: reminders, catch-up window, exceptions log, and evidence that the gap was closed (catch-up session, documented justification). Without that loop, training is seen as an event rather than a maintained control.
How do I show that training is effective, not just “done”?
Include evaluations (quizzes, phishing simulations, tabletop exercises), metrics (completion rate, results, time to report) and, where possible, improvement over time. That shows the programme is not only formal but has an impact on behaviour.
How far in advance should the evidence pack be ready?
There is no single legal deadline, but in practice it pays to keep the pack continuously up to date (plan, last year’s records, current materials, onboarding). If you know an audit or supervisory review is coming, check at least two weeks ahead that everything is exportable and that no department or critical period is missing from the records.
Next step
Proving in an audit that your staff is properly trained is not a paperwork exercise: it is how you convince auditors and authorities that your organisation really complies and that security and privacy are part of corporate culture. Schedule a strategic session with PrivaLex and we will help you prepare the evidence pack and strategy for your next audit or supervisory review.
