The reliance on information systems in daily operations in organizations made these systems and the security thereof a vital asset that must be protected. Traditionally, technical solutions were thought to be the critical factor in achieving security requirements. However, this has changed with research advancements into information security, suggesting that users are the root cause of the majority of information security incidents. It is widely accepted that an integral part of the methodology of securing information systems is end-user Information Security Awareness Train-ing (ISAT). The goal of ISAT is described to be a change in user behavior. As a result, research into the area has been steadily improving the ways ISAT is carried out. Yet, information security incidents are still on the rise with no indication of slowing down. Previous research has mainly examined users’ experience in relation to ISAT with very little focus on the organizational per-spective. In this study, the organizational perspective on the preferences and expectations of ISAT is examined by inviting all Nordic municipalities to participate in an online survey. The survey consisted of two parts; the first part focused on the current state of ISAT in Nordic municipalities. The second part examined the ideal design of ISAT according to participants. The results obtained from the survey revealed that the participating Nordic municipalities are well aware of recent developments in ISAT. Furthermore, their preferences and expectations of ISAT and what they consider an ideal design of ISAT conform to what is suggested in the literature—with some ex-ceptions. However, there seems to be a gap between knowing about recent developments and having a desired ideal design that conforms to the literature on one side, and actually applying these in production on the other side.