Most security teams review their awareness compliance once a year, right before the audit. They build the spreadsheet, gather the certificates, calculate the percentage, and breathe easy. The problem is that the number already expired. The training your people completed twelve months ago stopped being current at some point, probably without anyone noticing, and the spreadsheet kept showing the same green it always had.
When the auditor shows up in November, the compliance on the document and the organization’s actual compliance are two different things. And the gap didn’t open that day. It had been widening for a long time.
What does it mean that awareness compliance is continuous?
Awareness compliance is the share of your employee universe that holds current training at a given moment. The word that matters is current. Having trained someone once isn’t enough: that training has a date after which it stops counting, and from then on the person shows up as pending again.
The standards that require awareness understand it this way. Both ISO/IEC 27001 and the more recent regulatory frameworks talk about a program sustained over time, not a course delivered once and filed away. The audit is a single snapshot, but the obligation it verifies is permanent. That is why measuring compliance only once a year leaves the other eleven months uncovered.
It helps to compare it to something more physical. No one would show an inspector a fire extinguisher inspection certificate signed three years ago and assume the equipment is still in working order. We understand that the guarantee expires and that the check repeats at intervals. The same happens with awareness, except its expiry leaves no visible label. People keep working, systems keep running, and the only sign that coverage lapsed appears when someone goes looking for it and it is no longer there.
Why does it break in March and not on audit day?
Because awareness expires silently. Think of an organization that trained its entire staff in March last year and closed the period with flawless compliance. Twelve months later, that training reaches its expiry date. From one day to the next, a large share of the universe that counted as covered no longer is, even though no one did anything different.
On top of that comes the normal movement of any company. Everyone who joined after the last campaign enters the universe untrained. Every role change exposes someone to risks their earlier training never covered. The real compliance number drops week by week, gradually, while the document you built at the time sits untouched in a folder.
The audit breaks nothing. It just turns on the light in a room that was already a mess.
What stays exposed while compliance has lapsed?
The uncomfortable part isn’t the red box in the audit. It’s what happens during the months when the coverage is gone and no one logs it. Someone trained more than a year ago keeps part of what they learned, but the signals blur right as the attacks change shape. And the people who joined after the last campaign never had that baseline.
The result is an organization that believes it is covered and operates, for a stretch of the year, with protection that already expired. It isn’t something you notice day to day, because it leaves no alert. You notice it the day someone exploits that window, or the day the auditor asks for the evidence and the date doesn’t line up.
Why do manual plans always run late?
A spreadsheet is a snapshot, and a snapshot ages. By the time you finish building the annual plan (defining the universe, assigning the courses, loading the dates) weeks have passed, and the reality you were trying to capture has changed. Excel doesn’t know that someone’s training expired yesterday or that fifteen new employees joined this morning. It doesn’t warn you either. It keeps showing what you entered the last time you opened it.
The manual plan also measures what is easy to count, not what matters. It counts completed courses against assigned courses and celebrates the percentage, without asking whether that universe is the right one or whether the training it adds up is still current. It chases the completeness of a closed list when real compliance depends on continuity over a universe that moves every day.
The result is predictable. The effort concentrates in the weeks before the audit, the period closes with a good number, and the clock starts running against you again the next day. It is a lot of work for compliance that lasts very little.
And that work is paid for by the security team, which spends several weeks a year rebuilding by hand a state that changed while they were rebuilding it: cross-referencing staff lists, reviewing who did what, chasing the ones who are missing, redoing the spreadsheet. It is expensive people’s time spent on an administrative task that, on top of everything, is out of date as soon as it is delivered. The sense of control that comes from closing the period with a good number is real while it lasts, and it lasts until the first expiry.
What does compliance look like when it is measured as a living state?
The moment you look at the number changes. Instead of calculating it once a year, you have it available every day: what share of your universe holds current training today, who just expired, who joined and hasn’t been trained yet. Compliance stops being a pre-audit sprint and becomes an indicator you watch like any other security metric.
This is how we think about awareness compliance at SMARTFENSE, as part of the human risk measured through observed behavior rather than an annual declaration. Measuring currency person by person, in real time, has an important side effect: when the auditor arrives, there is nothing to rebuild. The evidence that the program was active all year is already there, because it was generated on its own while the program ran.
That is the difference between proving you complied and proving you keep complying. The first is thrown together at the last minute; the second sustains itself.
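The living-state view of compliance described above, written out as an added example (not SMARTFENSE code): each person's training carries a validity window, the universe is whoever has joined as of the date being checked, and the same roster evaluated on different days shows the silent drop after the March expiry and the joiners who never had a baseline. The one-year validity period and the roster are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

VALIDITY_DAYS = 365  # assumption: training counts as current for one year


@dataclass
class Person:
    name: str
    joined: date
    last_trained: Optional[date]  # None = never completed the course


def is_current(p: Person, on: date) -> bool:
    """Training counts only if it was completed and has not expired on `on`."""
    return p.last_trained is not None and (on - p.last_trained).days < VALIDITY_DAYS


def compliance_state(roster, on: date) -> dict:
    """Point-in-time view: share covered, who expired, who joined untrained."""
    # The universe moves: only people who had joined by `on` are counted.
    universe = [p for p in roster if p.joined <= on]
    covered = [p for p in universe if is_current(p, on)]
    expired = [p.name for p in universe
               if p.last_trained is not None and not is_current(p, on)]
    untrained = [p.name for p in universe if p.last_trained is None]
    share = len(covered) / len(universe) if universe else 0.0
    return {"share": share, "expired": expired, "untrained": untrained}


# Constructed roster: a March campaign covered everyone on staff; two people
# joined later and were never assigned the course.
ROSTER = [
    Person("ana", date(2023, 1, 10), date(2024, 3, 15)),
    Person("bo", date(2022, 6, 1), date(2024, 3, 15)),
    Person("cy", date(2021, 9, 3), date(2024, 3, 20)),
    Person("dee", date(2024, 7, 1), None),
    Person("eli", date(2025, 3, 1), None),
]

if __name__ == "__main__":
    # Same roster, three dates: right after the campaign, audit day, and the
    # day the March training starts expiring.
    for when in (date(2024, 4, 1), date(2024, 11, 1), date(2025, 3, 16)):
        print(when, compliance_state(ROSTER, when))
```

Nobody in the roster did anything different between November and March; the share falls from 0.75 to 0.2 purely because two trainings crossed their expiry date and one more joiner entered the universe untrained.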
Compliance that lasts the whole year
Awareness compliance isn’t won in November with a last-minute push. Either it holds across all twelve months, or it doesn’t exist the day someone looks closely. The annual spreadsheet gives a sense of control that reality contradicts as soon as the first expiry passes.
If you want to see how your program’s compliance is measured as a living state, rather than a snapshot that ages on its own, you can explore the platform or reach out for a demo on your own data.