Security Awareness Survey (NIS2 & ISO 27001)
Measures security behaviour, phishing recognition and reporting channels across the workforce – as effectiveness evidence for your awareness programme.
Whether NIS2, ISO 27001 or plain common sense: anyone investing in information security needs to know whether the measures reach the people – because that is where day-to-day security is decided. This anonymous survey measures three levels: reported behaviour (password manager, locking screens, reporting suspicious emails), knowledge via a concrete phishing scenario, and awareness of reporting channels. Together with the question about the most recent training, you get a picture you can present to auditors as an effectiveness measurement of your awareness programme – and that shows internally which department needs which support. Repeat the measurement annually or after awareness campaigns.
When should you use this template?
This template is a great fit for:
- As an annual effectiveness measurement for awareness programmes (NIS2, ISO 27001)
- Before and after security training or phishing campaigns
- As a needs analysis showing which departments need targeted training
Every question in this template
- 1Consent
I understand that participation is voluntary and anonymous, and I take part. *
- 2Matrix
Security behaviour in daily work
How often do you do the following?
Never Rarely Mostly Always I check the sender address of unexpected emails before reacting. I report suspicious emails through the designated channel. I lock my screen when leaving my desk. I use a unique, strong password for every service (e.g. via a password manager). I only use approved services and storage locations for work data. - 3Single choice
You receive an email, seemingly from senior management: you should urgently review and approve an invoice in the attachment (“invoice.zip”). What do you do first?
- Open the attachment to see what it is about
- Reply to the email and ask
- Report the email as suspicious via the official channel
- Forward the email to colleagues and ask their opinion
- Just delete the email
- 4Single choice
Do you know where and how to report a security incident?
- Yes, exactly
- Roughly
- No
- 5Matrix
How confident do you feel about the following topics?
Very unsure Somewhat unsure Somewhat confident Very confident Recognising phishing attempts Rules for handling personal and customer data What to do if a device or credentials are lost Using AI tools safely with company data - 6Single choice
When did you last take part in information security training?
- Within the last 6 months
- 6 to 12 months ago
- More than a year ago
- Never
- 7Long text
What makes it hard for you to behave securely in daily work?
From questionnaire to dashboard
The dashboard turns self-reports into an awareness map for your CISO, IT and management:
- Awareness index: The mean across behaviour and confidence statements as a gauge – your figure for the management review and year-on-year comparison.
- Quiz success rate: The share of correct answers in the phishing scenario as a KPI tile – measured knowledge instead of perceived safety.
- Behaviour profile: The behaviour matrix as stacked bars shows which practices are established (locking screens) and which are not (reporting suspicious emails).
- Department heatmap: Awareness topics crossed with departments – so you plan targeted training instead of one-size-fits-all courses. Only analyse with sufficient group sizes.
- Training recency: When was the last security training? The donut delivers the evidence building block for audits – and shows backlogs instantly.
- Everyday obstacles: What makes secure behaviour hard? The open question, clustered via AI topic analysis, uncovers the usability problems of your security measures.
Related survey templates
- Employee Net Promoter Score (eNPS)Measure in just three questions how loyal your employees are and how likely they are to recommend your company as an employer.
- Psychosocial Risk Assessment (Workplace)Anonymous employee survey to fulfil the psychosocial risk assessment required under the German Occupational Safety Act (§5 ArbSchG), along the recognised GDA assessment areas.
- AI Literacy Assessment (EU AI Act Art. 4)Anonymous self-assessment of your employees' AI literacy – as a needs analysis and documentation basis for the training obligation under Article 4 of the EU AI Act.
- Employee SatisfactionAnonymous survey on the satisfaction and engagement of your employees – along the key drivers from tasks and leadership to work-life balance.
Frequently asked questions
Why anonymous – don't we want to attribute risks?
Does the survey satisfy NIS2 or ISO 27001 requirements?
Doesn't the phishing scenario give away the right answer?
Start with this template
Load the template into DataLion, adapt it to your brand and start collecting responses — GDPR-compliant, in minutes.