14 - Knowledge and training


The purpose of this category is to ensure that the PKI personnel have the required knowledge and skills to perform their duties and responsibilities. Education and continuous gathering of required knowledge and skills to manage the PKI is important to be aware and properly react to current trends and threats that may impact the PKI.

Each of the personnel should be aware of the PKI policies and procedures, and should be able to perform their duties and responsibilities in accordance with the PKI policies and procedures.

Category maturity levels description

Maturity levelDescription
1 - InitialThere is no training plan or education plan for the PKI personnel.
2 - BasicTraining plan is defined, however, there is no responsibility for the execution of the plan.
3 - AdvancedTraining plan is defined and integrated in the organization. PKI personnel are aware of the training plan and their responsibilities.
4 - ManagedTraining plan is defined, maintained and integrated in the organization. It is executed and requirements on the knowledge and proficiency are monitored.
5 - OptimizedTraining plan is periodically reviewed and updated. Education plan is defined and maintained. PKI personnel are aware of the training plan and their responsibilities that are fully aligned with the PKI policies and procedures.


1Establish training plan2
2Responsible personnel receive training2
3Perform security awareness training2
4Establish education plan1
5Periodically review knowledge2


Establish training plan


The training plan should be established and maintained to ensure that personnel have the required knowledge and skills to perform their duties and responsibilities. It should reflect the current state of the PKI implementation and be updated when the PKI implementation changes, and provide necessary information for all personnel that are involved in the PKI implementation.

Training plan is built with PKI needs and requirements in mind and should cover:

  • Training prerequisites
  • Training matrix (who needs to be trained and what training should be received)
  • Training schedule
  • Training format and methods
  • Requirements on training reports and records
  • Training plan review and update

There can be different methods of training, depending on the needs and requirements:

  • Instructor-led training
  • Internal or external webinars
  • Coaching
  • Self-paced training
  • Online resources
  • Shadowing or reverse-shadowing


  • Documented training plan
  • Training plan is up-to-date
  • Training plan is approved and communicated to all personnel
  • Training plan is integrated in organization


Responsible personnel receive training


The responsible personnel should be aware of the current policies and procedures that are related to the context of the PKI implementation. Training should be provided to personnel that are responsible for the management, operation, and administration of the PKI.

Training is provided in accordance with the current and approved training plan.

Methods and training content can vary, depending on personnel roles and covers:

  • New hires as part of the onboarding process
  • Periodic training for all personnel (the frequency of the training depends on the role and responsibilities)

For each training, attendance should be recorded and documented, and in case the training is not completed, the reason should be documented. In case there are requirements for score or threshold to be achieved, the results should be documented.


  • Review training matrix
  • Review documented training results
  • Review training records
  • Relevancy of the training content
  • Training is provided in accordance with the training plan
  • Training completeness


Perform security awareness training


Security awareness education is an ongoing activity. The security awareness program is implemented to make all personnel aware of their role in protecting the security and establishing trust by the PKI implementation. It should stay up to date to reflect latest security trends, threats, and challenges.

Security awareness should ensure that personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.

Different methods can be applied to provide security awareness, for example:

  • Posters and letters with the specific topic
  • Team meetings and webinars
  • Security incentives and rewards
  • Training and education


  • Examine security awareness program
  • Interview personnel to verify that they are aware of their responsibilities
  • Review security awareness training records
  • Security awareness training is provided in accordance with the training plan
  • Review content of the security awareness training


Establish education plan


Proper education plan is required to stay up to date with the development of the latest technologies, security practices, and controls that have impact on the PKI and its future development.

The education plan should establish a robust base for the personnel to gain relevant knowledge that are out of scope of the internal training plan, but should be aligned with it to ensure that the personnel are able to perform their duties and responsibilities. The education plan should cover:

  • Education requirements and prerequisites
  • Recommended education approach and methods
  • Approach to monitor and assess the education results

Methods to provide education can vary:

  • Internal or external courses
  • Incentives and rewards
  • Mentoring, coaching, and shadowing
  • Competitions and challenges


  • Review education plan and its alignment with the training plan
  • Interview personnel to verify their educational goals
  • Validate education records


Periodically review knowledge


The training plan should be reviewed and updated periodically to ensure that it is up-to-date and covers all aspects of the specific PKI implementation.

Periodical review of the training plans helps to maintain required skills and knowledge for the responsible personnel. It provides assurance that the expected controls are active and working as intended.


  • Training plan review process
  • Implementation of review process
  • Validation of documentation and reviews


Participate in our community discussions and/or join the consortium