This document is under active development and has not been finalized.

Training Program

Mandatory Training

Basic Training -- All Employees

Module	Content	Duration	Interval
Information Security Fundamentals	Protection goals, data classification, responsibilities	30 min	Annually
Phishing & Social Engineering	Recognition, current attack patterns, reporting channels	30 min	Annually
Password & Access Security	Password managers, MFA, screen locking	20 min	Annually
Incident Reporting	Reporting obligation, channels, contacts, examples	15 min	Annually
Data Protection	Personal data, GDPR fundamentals, data subject rights	20 min	Annually

Total duration: ~2 hours per year

Management Training (§38(3) BSIG)

Content	Description
Current threat landscape	Relevant attacks, trends, industry-specific risks
NIS2/BSIG obligations	§30 measures, §32 reporting obligations, §38 liability
Risk management	Reading and assessing risk analyses, approving measures
Incident escalation	Role of management during incidents, communication decisions

Duration: 2--3 hours per year, delivered by ISO or external trainer

Role-Specific Training

Target Group	Modules	Duration	Interval
IT Administration	Secure configuration, patch processes, log management, hardening	4h	Annually
Software Development	Secure coding, OWASP Top 10, dependency management, code review	4h	Annually
Project Management	Security requirements, risk assessment in projects	2h	Annually
Helpdesk / Support	Social engineering recognition, escalation, data protection	2h	Annually

Training Methods

Method	Application
E-learning	Basic and mandatory training, self-paced
In-person training	Management training, role-specific workshops
Phishing simulation	Practical awareness testing, semi-annually
Security advisories	Current warnings via email during acute threats