Free Training & Career Tips... Subscribe to Get Weekly Career Tips
By Subscribing You are Agreeing to Terms and Conditions
Security awareness training for employees is only a real control when you can prove it happened — by name, by date, with a passed test on file. BOTI builds a custom cybersecurity awareness course around your own IT and data-handling rules, hosts it on a Learning Management System (LMS), runs recurring assessments, and keeps a dated, per-employee record of who completed and passed. The training is the control, the test is the evidence, and the record is your risk mitigation — and because most breaches begin with a person clicking or misplacing data, this is one of the most defensible POPIA controls you can put in place.
This guide is for the person who must demonstrate that staff handle information safely: the information officer, compliance officer, risk manager, internal auditor, IT/security lead or HR/L&D manager — not for individual learners or job-seekers.
The control problem this training solves
In most South African breach post-mortems the cause is human, not technical: an employee opens a convincing invoice attachment, reuses one password, or emails a client list to the wrong recipient. POPIA (the Protection of Personal Information Act) expects reasonable organisational measures to safeguard personal information — and “organisational” means the people, not just the firewall. Most organisations already have an acceptable-use policy; what they cannot do is prove it was understood. When the Information Regulator, an auditor, your board or your cyber-insurer asks you to show information-security awareness, the questions are blunt — who was trained (by name), when were they last assessed and did they pass, and how did you re-train everyone when a new threat emerged? A circulated PDF or a signed attendance sheet answers none of those. You need to convert “be careful online” into recorded, repeatable, provable competence — exactly the gap a custom course on an LMS closes.
The spine: assign, test, record, prove
Everything BOTI builds for security awareness training for employees runs on one loop that explains the whole offer.
| Step | What happens | Why it matters |
|---|---|---|
| 1. Assign | The cybersecurity awareness course is pushed to the right staff through the LMS | Coverage is deliberate and tracked, never assumed |
| 2. Test | Employees sit a scored assessment, then re-sit it on a set cycle (e.g. quarterly or annually) | You verify competence, not just attendance |
| 3. Record | The LMS logs who completed and passed, with the date, per employee | You hold dated, audit-ready evidence |
| 4. Prove | You export that record for the Information Regulator, an auditor, the board, a cyber-insurer or a B-BBEE verifier | Risk is mitigated because the control is demonstrable |
That loop is the engine behind compliance eLearning for internal controls, and it is the difference between genuine online security awareness training for employees and an all-staff email nobody opened.
What a BOTI cybersecurity awareness course covers
The course is custom, so the syllabus reflects your systems and IT policy rather than a generic chapter. A typical course covers:
- Phishing and social engineering — suspicious emails, fake supplier invoices, vishing calls and “urgent” payment requests, plus your own report-it procedure.
- Passwords, access and safe data handling — strong credentials, MFA, why shared logins destroy your audit trail, and how your staff store, share, transfer and dispose of personal information under POPIA.
- Devices, remote work and incident response — screen locking, public Wi-Fi, BYOD and removable-media rules, plus spotting a possible breach and following your reporting path quickly.
- A scored assessment with a pass mark you set, plus recurring re-tests as the threat landscape shifts — and a certificate of completion for each employee who passes, with the dated record held by your business.
The same LMS hosts related programmes such as POPIA training for employees, FICA and AML training online, code of conduct and ethics training and records management training — all built on the identical course-test-record pattern.
“Free” and “accredited” cyber courses: what they do and don’t do
Risk owners often start by searching for free online cyber security awareness training for employees, cyber security training online with certificate, accredited cyber security courses in south africa or accredited cyber security courses online. Three different things are worth separating:
- Free awareness modules are fine as a general introduction, but they teach generic content, not your IT policy — and a free certificate emailed to one learner is not a dated, per-employee pass record across your staff list. If the provider shuts down, your evidence goes with it.
- Accredited cyber security courses (online or classroom) are formal qualifications that build an individual’s IT-security career — valuable, but they do not prove your workforce is aware. If you need that route, BOTI separately offers QCTO/SETA-accredited qualifications.
- Custom workplace awareness training — what most risk and compliance buyers actually need — is a practical course built on your rules, delivered on an LMS, with recurring testing and a defensible record.
The moment you must prove competence on your process, neither free content nor an individual accreditation does the job.
How testing and records give you audit-ready proof
This is where eLearning beats the classroom. A workshop leaves you a register; the LMS keeps a living record. Through recurring compliance testing and records every assignment captures who (the named employee), what (the course and version, proving staff were trained on the current threats and policy), when (the completion and each re-test date) and the result (score and pass/fail). So when the Information Regulator, an auditor, the board, your cyber-insurer or a client running vendor due diligence asks “show me your people are trained on information security,” you export the record instead of reaching for a policy. The test is the evidence; the record is the risk mitigation. See how this slots into your framework in how an LMS strengthens internal controls and risk, and why the recorded model outperforms a once-off session in eLearning vs classroom for compliance.
SA legal and process context (general guidance)
Treat the following as general guidance, not legal advice — confirm the specifics with your own specialist:
- POPIA (Protection of Personal Information Act) expects reasonable organisational measures to protect personal information; a recorded course plus a scored test help demonstrate those steps were taken — which is why cyber awareness aligns so tightly with POPIA training for employees.
- The 2025 corporate information security (CIS) awareness compliance training trend. Frameworks and cyber-insurer questionnaires increasingly expect ongoing, evidenced awareness rather than a single annual session — a recurring LMS record is built for exactly that.
- King IV governance expects the board to oversee an information-aware culture, and per-employee records are concrete evidence for that oversight.
- B-BBEE skills development is measured against 6% of the leviable amount (distinct from the SDL levy of 1% of payroll); structured training can contribute to your scorecard — confirm what qualifies with your B-BBEE consultant.
The same engine works for purely internal rules: if you have your own acceptable-use policy or breach-reporting SOP, we turn it into a course, a test and a record exactly as we would a regulation.
Delivery, pricing and what you receive
We scope your IT policy, build the custom course, host it on the LMS, assign it to your staff list, and set the recurring re-test schedule. Staff complete it on any device, at any branch; you get a live dashboard and exportable records, scaling across sites without travel or venue hire. See the build side in custom eLearning course development and the online training platform for employees overview. Pricing is quote-based, depending on how many courses and learners you need and your LMS setup.
To be precise about what you receive: this is a practical, custom-built online course. Staff who pass receive a BOTI certificate of completion, and your business gets a dated training record for each employee — workplace compliance training, your audit-ready proof of competence, and not an accredited qualification. BOTI is an accredited training provider (Services SETA 12582, MICT SETA, QCTO Quality Partner), and where you need a formal credential we also offer separate QCTO/SETA-accredited qualifications (see also SETA vs QCTO). But the awareness course here is a custom skills programme with a completion certificate and an audit record — what most risk and compliance buyers actually need.
Ready to make security awareness training your control? Request a quote or book a 15-minute callback via our booking page — tell us your IT policy and staff numbers, and we will scope a custom course, test and record for your team. Prefer to talk first? Contact BOTI.
FAQ
Is there free online cyber security awareness training for employees in South Africa? Free modules exist and can be a useful general introduction, but they rarely cover your own IT policy and incident-reporting steps, and they don’t give you a dated, per-employee pass record you can defend to a regulator, auditor or cyber-insurer. For audit-ready proof you need a custom course with recurring testing and recorded results.
Can I get cyber security training online with a certificate for my whole team? Yes. Delivery is via the LMS, so branches, remote staff and shift workers sit the same recurring assessment and appear in one exportable register. Each employee who passes receives a BOTI certificate of completion, your business holds the dated record, and pricing is quote-based for your headcount.
Does this satisfy the 2025 corporate information security (CIS) awareness compliance training expectation? Frameworks, auditors and cyber-insurers increasingly expect ongoing, evidenced awareness rather than a once-off session. A BOTI course on the LMS re-tests staff on the cycle you set and keeps a dated, per-employee record each time, so you can always show current competence — and because threats evolve, most organisations re-test quarterly or annually. This is general guidance; confirm your obligations with your compliance specialist.
Can you turn our own IT and data-handling policy into a course, not just generic content? Yes. We turn any rule, policy, regulation or internal process — including your own acceptable-use policy, password rules and breach-reporting steps — into a course, a recurring test and a per-employee record. If you can write the procedure down, we can make it trainable, testable and provable.