Once you have read my article, you will have a good idea of how to approach your compliance awareness campaign. You will get concrete advice on choosing topics, forming alliances, and measuring the effectiveness of your campaign.
Compliance is hardly known for being the world's most interesting topic. In the eyes of many, it is time-consuming, limiting, and boring.
A run-down car can get purple fringe tail lights, 30-inch fins, and a Palomino dashboard - and become Greased Lightnin'. Similarly, you can give compliance a makeover in order to make the topic more accessible, relevant, and exciting.
This is what you do:
You must first and foremost ensure the involvement of the management. There are two reasons for this:
For one thing, the employees should hear from the management why compliance is important. The message then carries more weight.
For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need if you make it clear to the management why you need a compliance awareness campaign. If a compliance audit has resulted in findings and recommendations or if you need to follow ISO 27001/2, NIS2, or any other standards, you will have a compelling argument.
Awareness is a requirement under ISO 27001 and ISO 27002, so there is no way around it. A focus on compliance can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.
Moreover, awareness is about communication. If this is not your strong suit, you should become good friends with your communications or marketing department, if you have one in the company. They will be able to help you contact us in a language the employees understand.
Most organisations treat security awareness as a one-time exercise. This post looks at how to make compliance a living part of your culture — not just a box you tick once a year.
Read: From Static Checklists to Resilient Cultures — The New GRC Frontier →
With the backing of your new allies, you should now determine the areas your awareness campaign should focus on. There are many topics to choose from, some heavier than others, and unnecessary information needs to be removed.
Consider the problems you have experienced due to user ignorance. A few examples may be:
If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you recently began using new systems or performing tasks in a new way. Have the employees become familiar with this, or are there many mistakes?
You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must ensure we use simple, powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often.
Completion rates look great on paper — but our Nordic survey shows 25% of employees say annual training hasn't changed their behaviour at all. Find out why, and what to do instead.
Read: Why 95% Training Completion Isn't the Same as 95% Security →
Now you need to go out and meet people where they are. The employees sit at their computers, eat in the cafeteria, and attend Friday morning meetings. This is where you should meet them. One way to do this is by means of:
An employee awareness quiz can also demonstrate to management that your awareness campaign has had an impact on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas where your employees need more training.
So, can you make compliance interesting? You can at least go a long way toward making it accessible, relevant, and engaging.
Many tools can help you deliver awareness training. The challenge is often proving that awareness activities align with your compliance programme and can be documented during audits.
With NorthGRC, awareness is integrated directly into your Governance, Risk, and Compliance framework. You can create your own awareness campaigns and quizzes, monitor participation and results, and document employee understanding of relevant policies, procedures, and compliance requirements.
The platform also includes a library of compliance-related questions and answers, making it easier to build targeted awareness activities that support frameworks such as ISO 27001.
Learn More About the Awareness Module →
With NorthGRC, awareness is an integrated part of your compliance setup. By managing policies, controls, and awareness activities on a single platform, you create a clear link between compliance requirements and employee behaviour. This eliminates the disconnect that often exists between training systems and compliance management tools.
The result is a more structured and auditable approach to human risk management, where awareness is documented as a control rather than a separate activity.
NorthGRC makes it easy to plan, run, and track compliance awareness campaigns — from quizzes and training to management reporting. See how we can help your team make compliance stick.
Book a free demo Explore the platform