Control: The organisation requires the developer of the information system, system component, or information system service to provide [Assignment: organisation-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
Developer-Provided Training Supplemental Guidance:
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organisational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organisations can also request sufficient training materials from developers to conduct in-house training or offer self- training to organisational personnel. Organisations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.