Quiz Entry - updated: 2026.07.05
Which seven steps does NIST SP 800-12 define for a formalized security awareness training program?
Scope & objectives → trainers → target groups → motivation → run the program → keep it current → evaluate effectiveness.
NIST SP 800-12, Chapter 13:
- Umfang und Zielsetzung identifizieren — identify scope and objectives
- Trainer identifizieren — who delivers the training (credibility matters)
- Zielgruppen identifizieren — identify target audiences
- Management und Mitarbeiter motivieren — motivate management and staff (buy-in before content)
- Das Programm einführen und verwalten — implement and administer the program
- Das Programm aktuell halten — keep it current
- Die Wirksamkeit evaluieren — evaluate effectiveness
Why a formalized process: it ensures the relevant security requirements reach the right people — instead of one generic e-learning for everyone, which bores experts and overwhelms novices.
Tip: Note steps 6 and 7 — the program is a loop, not a launch: maintenance and effectiveness measurement are built into the process, mirroring the ISMS's own PDCA/KVP logic.
Go deeper:
NIST SP 800-50 Rev. 1 — Building a Cybersecurity and Privacy Learning Program — NISTs aktueller Leitfaden zum Awareness-Programm (Lebenszyklus, Zielgruppen, Wirksamkeit).