Security Awareness Survey (NIS2 & ISO 27001)

Measures security behaviour, phishing recognition and reporting channels across the workforce – as effectiveness evidence for your awareness programme.

Security Awareness Survey (NIS2 & ISO 27001) – questionnaire preview

Whether NIS2, ISO 27001 or plain common sense: anyone investing in information security needs to know whether the measures reach the people – because that is where day-to-day security is decided. This anonymous survey measures three levels: reported behaviour (password manager, locking screens, reporting suspicious emails), knowledge via a concrete phishing scenario, and awareness of reporting channels. Together with the question about the most recent training, you get a picture you can present to auditors as an effectiveness measurement of your awareness programme – and that shows internally which department needs which support. Repeat the measurement annually or after awareness campaigns.

When should you use this template?

This template is a great fit for:

  • As an annual effectiveness measurement for awareness programmes (NIS2, ISO 27001)
  • Before and after security training or phishing campaigns
  • As a needs analysis showing which departments need targeted training

Every question in this template

  1. 1

    I understand that participation is voluntary and anonymous, and I take part. *

    Consent
  2. 2

    Security behaviour in daily work

    How often do you do the following?

    Matrix
    NeverRarelyMostlyAlways
    I check the sender address of unexpected emails before reacting.
    I report suspicious emails through the designated channel.
    I lock my screen when leaving my desk.
    I use a unique, strong password for every service (e.g. via a password manager).
    I only use approved services and storage locations for work data.
  3. 3

    You receive an email, seemingly from senior management: you should urgently review and approve an invoice in the attachment (“invoice.zip”). What do you do first?

    Single choice
    • Open the attachment to see what it is about
    • Reply to the email and ask
    • Report the email as suspicious via the official channel
    • Forward the email to colleagues and ask their opinion
    • Just delete the email
  4. 4

    Do you know where and how to report a security incident?

    Single choice
    • Yes, exactly
    • Roughly
    • No
  5. 5

    How confident do you feel about the following topics?

    Matrix
    Very unsureSomewhat unsureSomewhat confidentVery confident
    Recognising phishing attempts
    Rules for handling personal and customer data
    What to do if a device or credentials are lost
    Using AI tools safely with company data
  6. 6

    When did you last take part in information security training?

    Single choice
    • Within the last 6 months
    • 6 to 12 months ago
    • More than a year ago
    • Never
  7. 7

    What makes it hard for you to behave securely in daily work?

    Long text

From questionnaire to dashboard

The dashboard turns self-reports into an awareness map for your CISO, IT and management:

  • Awareness index: The mean across behaviour and confidence statements as a gauge – your figure for the management review and year-on-year comparison.
  • Quiz success rate: The share of correct answers in the phishing scenario as a KPI tile – measured knowledge instead of perceived safety.
  • Behaviour profile: The behaviour matrix as stacked bars shows which practices are established (locking screens) and which are not (reporting suspicious emails).
  • Department heatmap: Awareness topics crossed with departments – so you plan targeted training instead of one-size-fits-all courses. Only analyse with sufficient group sizes.
  • Training recency: When was the last security training? The donut delivers the evidence building block for audits – and shows backlogs instantly.
  • Everyday obstacles: What makes secure behaviour hard? The open question, clustered via AI topic analysis, uncovers the usability problems of your security measures.

Related survey templates

Browse all survey templates →

Frequently asked questions

Why anonymous – don't we want to attribute risks?
Because otherwise you measure socially desirable answers instead of reality. The survey complements technical controls (e.g. phishing simulations), it does not replace them. Anonymous honesty about unreported incidents is worth more than named window-dressing – only analyse departments with five or more responses.
Does the survey satisfy NIS2 or ISO 27001 requirements?
Both frameworks require training and awareness measures – and evaluating their effectiveness is explicitly part of an ISMS (in ISO 27001 via the awareness controls and effectiveness measurement). This survey is a recognised building block of such a measurement; the concrete mapping is for your CISO or advisors.
Doesn't the phishing scenario give away the right answer?
Some respondents will spot the desired answer – that is fine: what is measured is whether the correct reporting path is known at all. Anyone choosing the wrong action even in a quiz would do so under pressure too. For behavioural measurement under real conditions, combine the survey with simulated phishing campaigns.

Start with this template

Load the template into DataLion, adapt it to your brand and start collecting responses — GDPR-compliant, in minutes.