Training Needs Analysis Worksheet
A Training Needs Analysis (TNA) identifies the gap between current competence and required competence, helping you plan effective training programs.
Purpose
Use this worksheet to:
- Systematically assess training needs across your organization
- Prioritize training initiatives based on risk and compliance requirements
- Create a targeted training plan aligned with ISO 27001 requirements
- Document competence requirements for audit evidence
- Support Clause 7.2 compliance
Step 1: Identify Roles and Responsibilities
List all roles that have information security responsibilities in your organization.
Example Roles:
- Executive Management
- ISMS Manager / Information Security Officer
- IT Security Team
- System Administrators / IT Support
- Software Developers
- HR Staff
- Facilities / Physical Security
- Department Heads / Process Owners
- All Employees
- Contractors and Third Parties
Step 2: Define Required Competencies
For each role, identify the required security competencies:
| Role | Required Competencies | Current Level | Target Level | Gap |
|---|---|---|---|---|
| ISMS Manager | ISO 27001 requirements | Advanced | Expert | Training needed |
| ISMS Manager | Risk assessment | Intermediate | Advanced | Training needed |
| IT Team | Network security | Advanced | Advanced | None |
| IT Team | Incident response | Basic | Advanced | Significant gap |
| All Staff | Phishing awareness | Basic | Intermediate | Refresher needed |
Competence Levels:
- None: No knowledge or skills in this area
- Basic: Awareness level understanding
- Intermediate: Can perform with some guidance
- Advanced: Can perform independently
- Expert: Can train and guide others
Step 3: Assessment Methods
How to assess current competence:
1. Skills Assessment
- Self-assessment questionnaires
- Manager evaluations and 360-degree feedback
- Practical tests or demonstrations
- Review of qualifications and certifications
2. Performance Review
- Analysis of security incident involvement
- Review of audit findings related to performance
- Security policy adherence metrics
- Quality and accuracy of security-related work
3. Gap Analysis
- Compare required vs. current competence
- Identify specific knowledge or skill gaps
- Determine training priority (High/Medium/Low)
- Consider business impact of gaps
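The gap analysis above can be produced mechanically once current and target levels have been recorded for each role. The following Python script is an added example, not part of the original worksheet: it scores each role/competency pair on the worksheet's five-level scale, labels the gap, and assigns a High/Medium/Low priority using an assumed rule (any gap on a competency tied to ISMS operation, a compliance requirement or a significant risk is High, as is a gap of two or more levels; a one-level gap up to Advanced or Expert is Medium; a one-level gap at awareness level is Low). The sample rows are constructed to mirror the Step 2 table plus one cloud-security line; the `critical` flag, the thresholds and the gap labels are assumptions to tune against your own risk assessment.

```python
"""Competence gap analysis for a Training Needs Analysis (TNA).

Added example, not part of the original worksheet. Scores each gap on the
worksheet's five-level competence scale and derives a training priority.
The priority thresholds and the sample rows are assumptions constructed
for this example.
"""
from dataclasses import dataclass

# The worksheet's competence scale, in ascending order.
LEVELS = ["None", "Basic", "Intermediate", "Advanced", "Expert"]
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "None": 3}


@dataclass
class CompetenceEntry:
    role: str
    competency: str
    current: str
    target: str
    # True when the competency is critical for ISMS operation, a compliance
    # requirement or a significant risk (the worksheet's "High" criteria).
    critical: bool = False


def level_index(level: str) -> int:
    """Map a level name to its position on the scale; reject typos early."""
    if level not in LEVELS:
        raise ValueError(f"unknown competence level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def gap_size(entry: CompetenceEntry) -> int:
    """Levels between current and target (0 when already at or above target)."""
    return max(0, level_index(entry.target) - level_index(entry.current))


def gap_label(size: int) -> str:
    """Assumed labelling: one level = training needed, two or more = significant."""
    if size == 0:
        return "None"
    return "Training needed" if size == 1 else "Significant gap"


def priority(entry: CompetenceEntry) -> str:
    """Assumed rule: any gap on a critical competency, or a gap of two or more
    levels, is High; a one-level gap up to Advanced/Expert is Medium; a
    one-level gap at awareness level is Low."""
    size = gap_size(entry)
    if size == 0:
        return "None"
    if entry.critical or size >= 2:
        return "High"
    return "Medium" if level_index(entry.target) >= LEVELS.index("Advanced") else "Low"


def gap_report(entries):
    """Return one dict per entry, ordered High -> Low and largest gap first."""
    rows = [
        {
            "role": e.role,
            "competency": e.competency,
            "current": e.current,
            "target": e.target,
            "gap": gap_size(e),
            "gap_label": gap_label(gap_size(e)),
            "priority": priority(e),
        }
        for e in entries
    ]
    return sorted(rows, key=lambda r: (PRIORITY_RANK[r["priority"]], -r["gap"]))


def to_markdown(rows) -> str:
    """Render the report in the worksheet's table layout."""
    lines = [
        "| Role | Competency | Current | Target | Gap | Priority |",
        "|---|---|---|---|---|---|",
    ]
    for r in rows:
        lines.append(
            f"| {r['role']} | {r['competency']} | {r['current']} | {r['target']} "
            f"| {r['gap_label']} | {r['priority']} |"
        )
    return "\n".join(lines)


# Constructed sample rows mirroring the Step 2 table, plus one cloud-security line.
SAMPLE = [
    CompetenceEntry("ISMS Manager", "ISO 27001 requirements", "Advanced", "Expert", critical=True),
    CompetenceEntry("ISMS Manager", "Risk assessment", "Intermediate", "Advanced", critical=True),
    CompetenceEntry("IT Team", "Network security", "Advanced", "Advanced"),
    CompetenceEntry("IT Team", "Incident response", "Basic", "Advanced", critical=True),
    CompetenceEntry("IT Team", "Cloud security", "Intermediate", "Advanced"),
    CompetenceEntry("All Staff", "Phishing awareness", "Basic", "Intermediate", critical=True),
]

if __name__ == "__main__":
    print(to_markdown(gap_report(SAMPLE)))
```

Running the script prints a table in the Step 2 layout with a Priority column, ready to carry into the Step 4 matrix; the two-level incident response gap sorts to the top, the non-critical cloud-security gap comes out Medium, and a competency already at target is reported as no gap. Unknown level names raise an error rather than silently scoring as zero, which matters when the sheet is filled in by several managers.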
Step 4: Training Needs Matrix
| Role/Person | Competency Gap | Training Required | Priority | Timeline | Delivery Method | Budget |
|---|---|---|---|---|---|---|
| ISMS Manager | Internal auditing | ISO 27001 Lead Auditor course | High | Q1 2024 | External course | $2,500 |
| IT Team | Cloud security | AWS/Azure Security | Medium | Q2 2024 | Online training | $1,000 |
| All Staff | Phishing awareness | Security awareness refresh | High | Q1 2024 | E-learning | $500 |
| Developers | Secure coding | OWASP Top 10 workshop | High | Q2 2024 | Workshop | $3,000 |
Priority Levels:
- High: Critical for ISMS operation, addresses significant risk, or compliance requirement
- Medium: Important for effectiveness improvement, moderate risk
- Low: Beneficial for enhancement but not immediately critical
Step 5: Training Plan Development
Induction Training (All New Joiners):
- Topics: ISMS overview, information security policy, key procedures, responsibilities
- Duration: 1 hour
- Delivery: In-person presentation + digital handbook
- Assessment: Online quiz (80% pass mark required)
- Frequency: Upon joining (within first week)
Annual Awareness Training (All Staff):
- Topics: Policy updates, current threat landscape, incident case studies, best practices
- Duration: 30-45 minutes
- Delivery: E-learning module
- Assessment: Short quiz at completion
- Frequency: Annually (January-March)
Role-Specific Training: Identify and schedule specific training for each role:
- ISMS Manager: Lead auditor course, advanced risk management
- IT Security Team: Technical controls, incident response, forensics
- Developers: Secure coding, application security testing
- HR: People controls, screening procedures, confidentiality
- Facilities: Physical security, access control systems
Specialized Training:
- ISO 27001 Lead Auditor / Lead Implementer courses
- Professional certifications (CISSP, CISM, CISA, CEH)
- Risk management methodologies (ISO 31000, FAIR)
- Incident response and forensics training
- Privacy and data protection (GDPR, CCPA)
Step 6: Training Delivery Methods
Choose appropriate delivery methods based on content, audience, and resources:
| Method | Best For | Advantages | Disadvantages |
|---|---|---|---|
| E-learning | Large audiences, basic topics | Scalable, cost-effective, flexible timing | Less engaging, no real-time interaction |
| Classroom | Complex topics, discussions | Interactive, immediate Q&A, hands-on | Expensive, scheduling challenges |
| Workshops | Practical skills | Real-world scenarios, team building | Time-intensive, limited capacity |
| On-the-job | Procedural skills | Contextual learning, immediate application | Requires qualified mentors |
| Webinars | Distributed teams | Accessible remotely, recorded | Limited interaction |
| Self-study | Individual development | Self-paced, flexible | Requires motivation, no validation |
Step 7: Budget Estimation
Training Budget Components:
| Item | Estimated Cost |
|---|---|
| External training courses (Lead Auditor, certifications) | $______ |
| E-learning platform subscription (annual) | $______ |
| Training materials development (content creation) | $______ |
| Internal trainer time (hours × rate) | $______ |
| Certification exams and renewals | $______ |
| Travel and accommodation (for external training) | $______ |
| Tools and resources (books, subscriptions) | $______ |
| Total Annual Training Budget | $______ |
Typical ranges:
- Small organization (50 employees): $10,000-$25,000
- Medium organization (500 employees): $50,000-$100,000
- Large organization (5000+ employees): $200,000+
Step 8: Effectiveness Evaluation Plan
Define how you'll measure training effectiveness:
Evaluation Criteria:
- Post-training assessment scores (target: minimum 80% score to pass)
- Reduction in security incidents attributed to human error
- Improved internal audit findings year-over-year
- Manager feedback on employee performance improvements
- Self-assessment improvements (before/after training)
- Practical skill demonstrations and application
- Time to proficiency in new roles
Evaluation Timeline:
- Immediate: Post-training knowledge assessment
- 1 month: Behavioral observation and manager feedback
- 3 months: Performance review and skill application check
- 6-12 months: Impact on ISMS metrics and incident rates
Step 9: Documentation Requirements
Create and maintain the following records for Clause 7.2 compliance:
Required Documents:
- Training Needs Analysis Report - This completed worksheet
- Annual Training Plan - Detailed schedule of all planned training activities
- Training Materials - Presentations, e-learning modules, handouts, guides
- Attendance Records - Who attended which training sessions (dates, duration)
- Assessment Results - Quiz scores, test results, practical evaluations
- Effectiveness Evaluations - Evidence that training achieved objectives
- Individual Training Records - Personal training history per employee (maintained by HR)
- Competence Evidence - Certificates, qualifications, performance reviews
Store records according to your document control procedure and retention schedule (typically employment duration + 5 years for training records).
Step 10: Review and Update Triggers
Review and update your Training Needs Analysis when:
Scheduled Reviews:
- Annually as part of the training plan cycle
- Quarterly progress reviews against training plan
Triggered Reviews:
- New roles created or significant changes to existing roles
- After major ISMS changes or scope expansion
- Following internal or external audit findings
- After security incidents revealing competence gaps
- When new threats or technologies emerge
- After organizational restructuring or mergers
- When regulatory requirements change
Action Items Checklist
- Complete the Training Needs Matrix for all roles in your organization
- Prioritize training initiatives based on risk, compliance, and business impact
- Develop detailed annual training plan with specific dates and owners
- Obtain budget approval from management
- Schedule and book first quarter training sessions
- Prepare or procure training materials and platforms
- Establish evaluation and tracking mechanisms
- Communicate training requirements and schedule to all affected staff
- Document everything for audit evidence and Clause 7.2 compliance
- Set reminders for quarterly training plan reviews
Integration with Other ISMS Components
Your Training Needs Analysis supports:
- Clause 7.2 (Competence): Evidence of systematic approach to competence
- Clause 7.3 (Awareness): Input to awareness program design
- Annex A control A.6.3 (Information security awareness, education and training), ISO/IEC 27001:2022 numbering: Control implementation evidence
- Annex A control A.5.2 (Information security roles and responsibilities), ISO/IEC 27001:2022 numbering: Competence requirements per role
Next Lesson: Design a comprehensive Awareness Program to build a strong security culture across your organization.