Defensible staff training checklist

LakeRidge’s control brief for 1‑10‑2 instructs organizations to appoint a named program owner who documents scope, roles, budget, and formal leadership approval. (lakeridge.io) The firm prescribes a baseline curriculum covering phishing, password hygiene, data handling, remote‑work security, and device protection, and gives the concrete example of tying objectives to a target such as “reduce phishing click rate by X% in 12 months.” (lakeridge.io) Recommended delivery cadence includes monthly micro‑lessons plus quarterly workshops, mandatory onboarding modules for new hires, and an annual refresher for all staff. (lakeridge.io) Testing and remediation guidance calls for realistic phishing simulations that track click and credential‑submission rates, time‑to‑report, repeat offenders, and assigns targeted remedial training and role‑specific advanced modules (finance, HR, sysadmins), including hands‑on IT exercises like patching and secure configuration. (lakeridge.io) LakeRidge advises defining measurable metrics — phishing click rate, training completion rate, time‑to‑report, and post‑training quiz scores — and reporting those metrics to leadership on a monthly cadence while conducting periodic program reviews under ECC 1‑10‑5. (lakeridge.io (lakeridge.io)) The company offers a free 15‑minute compliance consultation with limited availability and maintains other operational checklists (for example, an incident‑response checklist) and stated mappings to NIST SP 800‑171 for organizations needing cross‑framework alignment. (lakeridge.io (lakeridge.io (lakeridge.io)) The ECC referenced in LakeRidge’s materials is part of the National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC 2‑2024), which the NCA published as an updated national control framework. (nca.gov.sa)