
Frequently asked questions Awareness Training

Last modified: 10-04-2026


General: Awareness Training

Cybersecurity Awareness Training educates personnel about cyber security risks, safe online behaviour, and their role in protecting the organisation’s information and systems. It aims to reduce human error, raise awareness, and strengthen overall organisational resilience.

Awareness Training equips employees with the knowledge and skills to recognise threats and act responsibly, helping prevent security incidents and supporting compliance with legal and regulatory requirements.

All personnel, regardless of their role, should ideally participate. While more technical knowledge is relevant for IT and OT staff, everyone in the organisation can encounter cyber security risks, making broad participation essential.

General: certification

On the website of the CCV, a 2-minute video (Dutch) explains what certification is and how it works.

With a CCV certification mark, a company demonstrates that the delivered products and/or services meet the standard. This is assessed by a certification body, which has an agreement with the CCV. By opting for a CCV certification mark, you choose quality and transparency.

The CCV is the owner and publisher of the Awareness Training scheme. It acts as the independent scheme manager. The CCV has brought together the interests of different stakeholders, including both clients and service providers.

Questions for clients

Potential customers for awareness training are responsible for their selection of a service provider, including the background research on service providers that this entails. To help with that selection, all certified service providers are listed on the CCV website.

The client enters into an agreement with a certified Awareness Training service provider. The costs for conducting an Awareness Training vary depending on the training format, duration, target audience, and the selected service provider. Therefore, to get insight into the costs of Awareness Training, you need to request a quote from a cyber security service provider that offers Awareness Training. Find service providers working under the certification mark.

Yes, if the service provider no longer meets the requirements of the certification scheme, the service provider’s certificate can be suspended or revoked. Suspensions are published. If a certificate is revoked, the service provider will no longer be mentioned on the CCV website.

In the event of a suspension or revocation, the service provider is no longer permitted to refer to its certified status in any communications. If the service provider continues to solicit customers using a claimed certified status, this constitutes fraud. The certification body is responsible for supervising this. The CCV will take action against service providers that are not clients of a certification body but wrongly use a certification mark.

The service provider’s listing on the CCV website will be updated from ‘certified’ to ‘suspended’. However, the service provider is not obligated to proactively inform its existing customers about a suspension. In the case of a suspension, the identified issues can be remedied. In the case of revocation, the service provider must take further action to meet the requirements again. In such cases, the listing may be temporarily or permanently removed from the CCV website.

The Awareness Training Certification Scheme is based, among other things, on a minimum requirement that personnel hold a certificate of conduct (‘Verklaring Omtrent Gedrag’/VOG) no older than 3 years. If a client deems a more rigorous screening of the service provider/employee necessary, this can be agreed upon and arranged when issuing the assignment. In most cases, a VOG no older than 3 years will suffice.

Agreements regarding the processing of personal data, anonymisation, and retention periods are documented in the service provider’s terms and conditions and, where applicable, additionally in the contract between the service provider and the customer.

Questions for cyber security service providers

A cyber security service provider must meet the requirements of the CCV Certification Scheme for Awareness Training. This means that quality standards are set for the delivery of the training, as well as for the organisation itself. For example, trainers must hold the required qualifications, a complaints procedure must be in place, and other organisational requirements must be met.

An important point is that the requirements are not only implemented, but that you can also demonstrate that you work according to the quality standards on a day-to-day basis, for example through a quality management system. This will be verified during the audit at your organisation.

To become certified for the CCV quality mark for Awareness Training, your organisation goes through the following steps:

  • Assess whether your organisation meets the quality requirements specified in the CCV Certification Scheme Cyber Security Awareness Training.
  • Choose your scope: Level 1 (separately delivered training only) or Level 2 (including integrated courses).
  • Approach a certification body that applies the certification scheme to your organisation. Enter into an agreement with the certification body of your choice: DigiTrust or Kiwa.
  • The certification body verifies whether your organisation complies with the requirements in the CCV certification scheme for Awareness Training by conducting an audit.
  • If any deficiencies are identified during the audit, you address these within your organisation and report back to the certification body.
  • Upon successful completion of the audit, you receive the Awareness Training certificate from the certification body.
  • From that moment on, you may provide Awareness Training under the CCV Certification Mark.
  • Your organisation will be listed on the CCV website as an Awareness Training service provider working under certification.
  • Annually, the certification body conducts an assessment to ensure that your organisation continues to meet the quality requirements of the certification scheme.

No, this is not legally mandatory. By choosing to work under certification, the provider demonstrates that it follows the set criteria and that it has placed its organisation and services under periodic external oversight.

The CCV does not enter directly into an agreement with the cyber security service provider. Instead, the service provider enters into an agreement with a certification body (CI). Therefore, the CCV has no role in the fees charged by the certification bodies to service providers. For more information about certification costs, you can request a quote from one of the certification bodies: DigiTrust or Kiwa.

Your company will be listed as a certified professional in the CCV database. Customers can find certified cyber security service providers through this search tool. In addition, you may indicate in your own marketing and communications that you offer Awareness Training under the CCV certification mark.

Certification is carried out by certification bodies that meet the requirements of the certification scheme and have entered into a licensing agreement with the CCV for the Awareness Training Quality Mark. Currently, these are DigiTrust and Kiwa.

All certification bodies conduct their audits in accordance with the requirements of the CCV Awareness Training Certification Scheme. The CCV holds oversight over this. Within that framework, each certification body has its own approach to certifying organisations. This individual approach may result in differences in service, scheduling, or costs.

This will be included in the terms of delivery or service contract between the service provider and the customer. These terms can stipulate that any outsourcing is always to be agreed with the customer in advance, and that it can only take place with the customer’s explicit consent. Please note that the certification scheme also limits the extent to which outsourcing can occur.

No. A certification body must be able to carry out a thorough quality assessment. This involves, for example, having appropriate access to information. The service provider must include in its general terms and conditions that personnel from the certification body may be present for the purpose of supervising quality oversight. For credible oversight, random attendance at Awareness Training must also be facilitated.  

Specific parts of the oversight by the certification body can be done remotely, if this is agreed between the certification body and the service provider, and in line with the certification body’s quality management system and with the criteria in the accreditation norm as referred to in the certification scheme.  

This depends on several factors. First, your organisation must be ready for certification by being able to clearly demonstrate, in writing, that it meets the stated requirements. Examples include maintaining documentation on Awareness Training activities, documenting the qualifications and experience of your personnel, and having a quality management system in place. You must provide the certification body with information in preparation for the audit. This includes recent extracts from the Chamber of Commerce, an organisational chart, and details of your quality management system. The availability of personnel, both within your organisation and at the certification body, also affects the scheduling. The duration further depends on the size of your organisation, the number of Awareness Training sessions delivered, and the sampling required for the assessment.

Certification marks represent reliability and professionalism. Your company stands out positively in a cyber security market that is often difficult for customers to assess. Customers can immediately see that your Awareness Training meets an independent quality mark and can use this as a selection criterion.

There are no requirements regarding the size of your organisation. What matters is the quality of the Awareness Training you provide, and that you can demonstrate that you have a quality management system in place to deliver this quality consistently.

Questions about certification bodies

The certification body conducts an annual audit at the service provider’s premises to assess the extent to which the service provider continues to meet the certification requirements.

Certification bodies authorised to certify Awareness Training under the scheme must be accredited by the Dutch Accreditation Council (RvA) for NEN-EN-ISO/IEC 17021 and for the ISO 27000 series.

A certification body interested in implementing a certification scheme can contact the CCV at cybersecurity@hetccv.nl. A pre-license agreement is concluded, after which the certification body implements the scheme in its quality system. The CCV then carries out a license audit. If this audit is successfully completed, the certification body enters into a license agreement with the CCV. The costs for a license are specified in the fee schedule.

A certification body enters into a license agreement with the CCV and pays an annual license fee for applying the certification scheme. In addition, the CCV receives income through surcharges via the certification body for the certified status of service providers and for Awareness Training provided under the certification mark (based on what is actually delivered to clients). These revenues are used, among other things, to manage and maintain the scheme.

The fees for the certification body are also published annually in the CCV fee schedule.