Most compliance training metrics are probably wrong (OCEG 2025 survey)

Completion rates and quizzes look tidy, but they rarely prove risk reduction. Here is what the OCEG 2025 survey found and how SaaS companies can build ISO 27001-aligned training that actually changes behavior.

Jelle De Laender
2 January 2026

Compliance training has an odd superpower: it can make an organization feel safer without actually making it safer.

If your dashboard says "100% completed" and your audit evidence folder is full of certificates, it can look like control. Until something goes wrong. Then you discover that "everyone completed training" is not the same as "people made better decisions".

The 2025 OCEG survey on compliance and ethics training is a useful reality check. It is based on 347 qualified responses from professionals involved in training design, delivery, or oversight (responses collected in August to September 2025, report published December 2025). The headline is uncomfortably simple: most organizations measure training activity far more than training impact.

That gap matters for any SaaS company building an ISO 27001-aligned security program. ISO 27001 is about running an Information Security Management System (ISMS) that consistently produces effective controls, not about producing documents that look comforting. Training is one of the classic places where "evidence exists" and "control is effective" quietly drift apart.

The signals that should make you slightly uneasy

You can find all the numbers and more findings in the official OCEG 2025 Compliance & Ethics Training Survey Report.

OCEG's data shows how organizations typically evaluate training effectiveness:

  • Many rely on employee feedback or satisfaction surveys.
  • A similar share use quizzes or knowledge assessments.
  • Many also track completion rates and certifications.

Those are all activity-leaning signals. They can be useful, but they mostly answer: "Did people attend, and did they like it?"

Impact signals are much less common:

  • Far fewer track behavioral metrics like policy violations, disciplinary actions, or incident rates.
  • A small minority report having no formal effectiveness assessment.

Compliance theater vs principled performance

OCEG uses the term "Principled Performance" as a way to talk about reliably achieving objectives, addressing uncertainty, and acting with integrity. In plain SaaS language: not just having rules, but having reality match the rules.

Compliance theater happens when we confuse proof of training with proof of control.

Completion rates are attractive because they are clean. They also behave nicely in spreadsheets, in board decks, and in audit evidence folders. But they are not strongly correlated with outcomes that actually matter, like fewer incidents, fewer repeated mistakes, clearer escalation, and faster recovery.

This is particularly relevant for ISO 27001 because auditors often start by asking, "Do you train people and do you maintain evidence?" and then continue to the more interesting question: "How do you know it works?"

In ISO 27001:2022 terms, the first question aligns with Clauses 7.2-7.5 and Annex A control 6.3. The effectiveness question maps to Clauses 9.1 and 10.1/10.2.

If you cannot answer the second question, the first one is just paperwork with good posture.

Why SaaS companies fall into this trap

SaaS teams operate in constant trade-offs: ship features, support customers, fix reliability issues, manage cloud costs, and close deals. Training is always competing for attention.

The survey shows this pressure very clearly:

  • Competing priorities and time constraints are the primary engagement challenge.
  • Training perceived as boring or irrelevant is another major drag.

Time is not a "training problem". It is a product and culture problem.

If training feels detached from daily work, it will always lose. If training makes daily work safer and easier, people start to treat it like a tool instead of a tax.

A practical playbook for ISO 27001-aligned training that reduces risk

This is the part that matters. If you are a founder or a SaaS leader, you do not need "more training". You need training that changes decisions in the moments where risk shows up.

1) Start with the decisions you want people to make

Do not start with a course outline. Start with the moments that create risk.

Examples across a typical SaaS organization:

  • Engineering and Product: handling secrets, reviewing access, secure coding expectations, production change approvals, incident handovers.
  • Support: identity verification, account recovery, data minimization, escalation when something feels suspicious.
  • Sales and Customer Success: handling security questionnaires honestly, not improvising promises, knowing when to pull in security, handling customer data in tools.
  • Leadership and Managers: approving risk exceptions, funding remediation, reinforcing expectations without turning security into bureaucracy.

Write these as short scenarios: "When X happens, we want people to do Y, because Z risk."

This makes training measurable by design, because you defined the behavioral target upfront.

2) Replace "training metrics" with "risk signals that training should influence"

Activity metrics are easy. Outcome metrics take discipline. The survey shows most organizations are still stuck on activity, so if you do this well you are already ahead.

Pick a handful of signals that matter for your SaaS company, for example:

  • Trends in recurring incident types (even minor ones)
  • Access mistakes (over-privileged roles, shared accounts, stale access)
  • Policy exceptions (how many, why, who approves, and whether they expire)
  • Security review rework (repeated classes of issues in PR reviews)
  • Near-miss reporting and escalation quality (a healthy culture often reports more early on)

You do not need perfect causality. You need a credible feedback loop: "We saw X, we trained or enabled Y, then X reduced or changed shape."

That is the ISO 27001 spirit: measure, learn, improve.
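The feedback loop described above, "we saw X, we trained or enabled Y, then X reduced or changed shape", is easier to defend in an audit when it is computed from records rather than asserted. The script below is an added example, not code from this post or from OCEG: it pairs the activity metric (completion rate) with three outcome signals from the list above, namely the trend of a recurring incident class before and after a training intervention, incident classes that keep recurring across quarters, and policy exceptions that have expired or never had an expiry date. All records, quarters, role names and intervention dates are constructed for illustration.

```python
"""Activity metric vs outcome signals for security training (added example).

All data below is constructed for illustration; it is not from the OCEG
report or any real organization.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed incident log: (quarter, incident category, role involved).
INCIDENTS = [
    ("2025Q2", "account-recovery-bypass", "support"),
    ("2025Q2", "account-recovery-bypass", "support"),
    ("2025Q2", "secret-in-repo", "engineering"),
    ("2025Q2", "account-recovery-bypass", "support"),
    ("2025Q3", "account-recovery-bypass", "support"),
    ("2025Q3", "secret-in-repo", "engineering"),
    ("2025Q3", "secret-in-repo", "engineering"),
    ("2025Q4", "secret-in-repo", "engineering"),
    ("2025Q4", "over-privileged-role", "engineering"),
]

# Constructed policy exceptions: (id, owning role, approver, expiry or None).
EXCEPTIONS = [
    ("EXC-1", "engineering", "ciso", date(2025, 9, 30)),
    ("EXC-2", "sales", "cro", None),
    ("EXC-3", "support", "ciso", date(2026, 3, 31)),
]

# Activity metric: training completion per role (constructed).
COMPLETION = {"support": 1.0, "engineering": 1.0, "sales": 0.95}

# Assumed interventions: category -> (role trained, quarter training went live).
INTERVENTIONS = {
    "account-recovery-bypass": ("support", "2025Q3"),
    "secret-in-repo": ("engineering", "2025Q3"),
}


def incidents_per_quarter(incidents, category):
    """Count one incident category per quarter (outcome signal, not activity)."""
    return dict(sorted(Counter(q for q, cat, _ in incidents if cat == category).items()))


def before_after(incidents, category, intervention_quarter):
    """Mean incidents per quarter before the intervention vs from it onward.

    Quarters with zero incidents of this category still count, so a category
    that disappears after training shows up as a real drop.
    """
    quarters = sorted({q for q, _, _ in incidents})
    counts = incidents_per_quarter(incidents, category)
    before = [counts.get(q, 0) for q in quarters if q < intervention_quarter]
    after = [counts.get(q, 0) for q in quarters if q >= intervention_quarter]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(before), mean(after)


def recurring_categories(incidents, min_quarters=2):
    """Incident categories seen in at least min_quarters distinct quarters."""
    seen = defaultdict(set)
    for q, cat, _ in incidents:
        seen[cat].add(q)
    return sorted(cat for cat, qs in seen.items() if len(qs) >= min_quarters)


def stale_exceptions(exceptions, today):
    """Exception ids that are past expiry or were approved with no expiry at all."""
    return [exc_id for exc_id, _, _, expires in exceptions if expires is None or expires < today]


def feedback_report(incidents, exceptions, completion, interventions, today):
    """Pair completion (activity) with outcome signals per intervention."""
    report = {}
    for category, (role, quarter) in interventions.items():
        before, after = before_after(incidents, category, quarter)
        report[category] = {
            "role": role,
            "completion": completion[role],
            "before_per_quarter": before,
            "after_per_quarter": after,
            "verdict": "improved" if after < before else "no evidence of improvement",
        }
    report["recurring"] = recurring_categories(incidents)
    report["stale_exceptions"] = stale_exceptions(exceptions, today)
    return report


if __name__ == "__main__":
    for key, value in feedback_report(INCIDENTS, EXCEPTIONS, COMPLETION,
                                      INTERVENTIONS, date(2025, 12, 15)).items():
        print(key, value)
```

On the constructed data both trained roles show 100% completion, yet only the account-recovery training is followed by a drop in its incident class; the secret-in-repo class keeps recurring, which is exactly the case where a completion dashboard would have said "done". The stale-exception check catches an exception with no expiry date at all, a gap that a count of exceptions alone would not surface.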

3) Design for time constraints with microlearning and in-workflow guidance

If time constraints are the main engagement barrier, the solution is not "tell people to care more". The solution is to reduce friction and increase relevance.

Practical approaches that work well in SaaS environments:

  • Micro modules (5 to 8 minutes) tied to real tasks
  • Short role-based scenarios instead of generic annual lectures
  • Checklists embedded in workflows (PR templates, onboarding tasks, runbooks)
  • Just-in-time guidance (for example: a short support playbook for account recovery, not a 40-minute course)

Training should feel like guardrails on a road you already drive, not like a detour to a different continent. One easy win is embedding lightweight checklists in the workflows people already use, so control happens in the moment without a heavyweight program or constant reminders. Small just-in-time (JIT) guidance and procedures, especially when improved after incidents, help prevent the same issues from happening again.

4) Stop pretending one-size-fits-all works

OCEG found that nearly a third still use the same training approach for all employees, regardless of role, location, or risk level.

That is not just inefficient. It can be risky. The biggest security failures in SaaS companies are rarely caused by "everyone". They are caused by a few high-leverage roles making a few high-impact mistakes.

The scalable approach is modular:

  • A small shared foundation (what is sensitive, how to escalate, what "good" looks like)
  • Role modules for high-risk moments (engineering, support, sales, leadership)

This also makes audits easier, because you can justify why different groups get different training, based on risk.

5) Treat training as a cross-functional product

Another survey finding: training ownership is spread across many specialties.

Selected distribution from the survey:

  • The largest share is compliance and ethics professionals.
  • Risk management is the next biggest owner group.
  • Operational management follows.
  • Smaller shares sit with education and training specialists, legal, and HR.
  • A meaningful remainder sits with other specialized roles (audit, QA, regulatory affairs, technical roles).

For SaaS companies, this is actually good news. It means the best training programs are not built in a silo. They are built like products: with input from the people who know the risks, the workflows, and how adults learn.

If you want training that changes behavior, involve the teams who own those behaviors.

6) Be cautious, but not paralyzed, about AI in training

AI is attractive for scaling content and personalization. OCEG also shows why many organizations are hesitant:

  • Nearly half express substantial concerns about AI integration in compliance training.
  • Many are not currently using AI in their training programs.
  • About a quarter cite employee distrust of AI-driven tools as a significant concern.

A SaaS-friendly middle path is "AI as an assistant, not an author" (similar to our "AI as a junior intern" framing in the Security risks of AI Code Vibing post):

  • Use AI to draft scenarios, quizzes, and role-based variants.
  • Keep a named human owner who reviews and approves content.
  • Avoid feeding sensitive internal incidents into generic tools.
  • Track versions and changes, so you can explain updates during audits.

That balances speed with trust and control.

How to make this ISO 27001-friendly without turning it into bureaucracy

If you are aligning with ISO 27001, your goal is not to impress an auditor with a completion dashboard.

Your goal is to show:

  1. You identified relevant risks.
  2. You trained and enabled people where those risks show up.
  3. You measured outcomes that relate to those risks.
  4. You improved based on what the outcomes told you.

That is an ISMS behaving like a system.

One-page checklist: reduce "training theater" and increase real control

Use this as a quick internal review. The goal is not perfection. The goal is momentum and measurability.

Scope and ownership

☐ We can explain which risks training is meant to reduce (in plain language).
☐ We know which roles face the highest leverage risk moments.
☐ There is a named owner for the training program (and it is not "everyone").
☐ Training content has input from engineering, support, and go-to-market, not only compliance.

Content and relevance

☐ Training scenarios reflect our real workflows and tools.
☐ We maintain a small shared baseline, plus role-based modules where risk is highest.
☐ Managers and leaders get explicit guidance on their responsibilities, not only the same content as everyone else.

Delivery

☐ Training is designed for time constraints (micro modules, workflow guidance, short scenarios).
☐ New joiners get onboarding content before they get access to high-risk systems.
☐ We have a cadence for refreshers when processes or risks change.

Measurement

☐ We track completion, but we do not treat it as proof of effectiveness.
☐ We track at least 2 to 5 outcome signals (incidents, access mistakes, exceptions, recurring review issues, escalation patterns).
☐ We can point to at least one improvement made because metrics told us something was not working.

Governance and improvement

☐ Training updates have a lightweight change process (owner, review, publish).
☐ We periodically review whether training still matches the product, the threats, and the company structure.
☐ We can explain, in one page, how training ties back to risk management and continuous improvement.

If you can tick most of these boxes, your training program is not theater. It is part of a real control system.

Want help building this in a SaaS-native way?

If you want training and awareness to be ISO 27001-aligned and genuinely useful for engineering, support, and go-to-market teams, we can help. See how a Virtual CISO for SaaS companies could support you with training and awareness.

Sources

OCEG, "2025 Compliance & Ethics Training Survey Report" (published December 2025). Download and context: OCEG report page.