Map Security Training to Every Framework

Each guide covers the control references auditors check, the audit failure modes that trigger findings, and the exercise sequences that satisfy them.

[Illustration: stacked framework cards (PCI DSS, NIS2, EU AI Act, GDPR, HIPAA, ISO 27001, SOC 2), each with a green check, beside an auditor seal]

How we sequence framework coverage

The framework library is sequenced by the empirical buyer record, not alphabetically. SOC 2 leads because it is the dominant trust attestation in the SaaS buying motion. ISO 27001 follows because it is the international ISMS standard, certified against in 70+ countries and contractually demanded by enterprise customers. HIPAA, PCI DSS, and GDPR sit beside each other because all three are externally enforced and produce named penalties year over year with documented training-failure findings: HIPAA and GDPR by regulators, PCI DSS contractually by the card brands through acquiring banks.

NIS2 and the EU AI Act are newer but legally binding for in-scope entities across the European Union. NIS2 applies from 18 October 2024 (the member-state transposition deadline), with personal liability for management bodies under Article 20 and a mandatory cyber-hygiene-and-training control under Article 21(2)(g). The EU AI Act AI literacy requirement under Article 4 applies from 2 February 2025 to providers and deployers regardless of risk tier; Article 99 attaches no specific fine to Article 4, so enforcement rests with national authorities and member-state penalty rules rather than the headline fines for prohibited practices. We surface both because the controls are written, the deadlines are real, and most enterprises do not yet have a documented training program tied to either.

Each pillar follows the same structure: definition and scope, framework-specific training requirements with control references (e.g. SOC 2 CC1.4, HIPAA §164.308(a)(5), PCI DSS 12.6.3, NIS2 Art. 21(2)(g), EU AI Act Art. 4), audit failure modes drawn from named enforcement actions, the eight defensive controls that satisfy the framework, the role-based exercise sequence from the 100+ exercise catalogue that drills the human side, and a primary-source citation list. Auditors can cite the same primary sources the page does.

Frequently Asked Questions

What GRC and security leaders ask about compliance training.

Which compliance framework should we tackle first?

For most enterprises, SOC 2 comes first because it is the trust attestation customers ask for during procurement. ISO 27001 follows when contracts demand a certified ISMS or when expansion into international markets requires it. HIPAA is non-negotiable for any organization touching protected health information; PCI DSS for cardholder data; GDPR for personal data of individuals in the EU. NIS2 and the EU AI Act apply by sector and by AI use respectively, with personal liability for the management body under NIS2.

Does the same training satisfy multiple frameworks?

Yes, when the program is mapped correctly. The same phishing exercise satisfies SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), PCI DSS 12.6.3, NIS2 Art. 21(2)(g), and the GDPR Article 39 awareness duty in one assignment. The mapping is what lets one completion record count toward several audits at once, which is the only way mid-market security teams keep up with overlapping obligations. One caveat: the evidence has to show that the exercise content and cadence meet what each control actually names (PCI DSS 12.6.3, for example, requires training on hire and at least once every 12 months), so the auditor reads the mapping table, not the exercise title.

What evidence do auditors actually want to see?

Three artifacts on every audit. (1) The training program document: scope, content list, refresh cadence, role-based assignment logic. (2) Per-employee completion records with timestamps, exportable to PDF or CSV. (3) Evidence that the content matches the framework’s named requirements (the mapping table). RansomLeak ships all three out of the box, with exports formatted for SOC 2, ISO 27001, HIPAA, PCI DSS, NIS2, and EU AI Act audits.
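The two answers above describe one procedure: keep a control-to-exercise mapping table, join it against per-employee completion records, and hand the auditor a per-framework export with the gaps visible. The script below is an added example of that join, written for this page; it is not RansomLeak's product code. The control references are the ones named on this page; the exercise name, the roster, the completion dates and the 12-month validity window are constructed assumptions for the demonstration.

```python
"""Join training completion records against a control mapping and produce
per-framework audit evidence with coverage gaps flagged.

Added example for this page, not RansomLeak's code. Control references
are those the page names; the exercise name, roster, completion dates
and 12-month window are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Mapping table: one exercise -> the control reference it satisfies per framework.
CONTROL_MAP: dict[str, dict[str, str]] = {
    "phishing-simulation": {
        "SOC 2": "CC1.4",
        "ISO 27001": "A.6.3",
        "HIPAA": "§164.308(a)(5)",
        "PCI DSS": "12.6.3",
        "NIS2": "Art. 21(2)(g)",
        "GDPR": "Art. 39",
    },
}

# Constructed roster and completion log: (employee, exercise, completed_on).
ROSTER = ["alice", "bob", "carol"]
COMPLETIONS = [
    ("alice", "phishing-simulation", date(2025, 3, 10)),
    ("bob", "phishing-simulation", date(2023, 11, 2)),
    ("bob", "phishing-simulation", date(2024, 1, 15)),  # bob's latest, but stale
    # carol has never completed the exercise
]


def coverage(framework: str, as_of: date, window_days: int = 365,
             roster=ROSTER, completions=COMPLETIONS, control_map=CONTROL_MAP):
    """Return {(employee, exercise): (status, latest_date)} for every exercise
    mapped to `framework`. Status is "current", "stale" (completed, but older
    than the window) or "missing" (no record at all)."""
    cutoff = as_of - timedelta(days=window_days)
    required = [ex for ex, refs in control_map.items() if framework in refs]
    latest: dict[tuple[str, str], date] = {}
    for emp, ex, done in completions:
        if ex not in required:
            continue
        key = (emp, ex)
        if key not in latest or done > latest[key]:  # keep the most recent record
            latest[key] = done
    report = {}
    for emp in roster:  # iterate the roster so missing people are not silently dropped
        for ex in required:
            done = latest.get((emp, ex))
            if done is None:
                status = "missing"
            elif done < cutoff:
                status = "stale"
            else:
                status = "current"
            report[(emp, ex)] = (status, done)
    return report


def gaps(framework: str, as_of: date, **kw) -> list[str]:
    """Employees an auditor would flag: anyone whose status is not 'current'."""
    return sorted(emp for (emp, _ex), (status, _d) in coverage(framework, as_of, **kw).items()
                  if status != "current")


def evidence_csv(framework: str, as_of: date, **kw) -> str:
    """Render the evidence export: one row per employee per mapped control."""
    control_map = kw.get("control_map", CONTROL_MAP)
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["framework", "control", "exercise", "employee", "completed_on", "status"])
    for (emp, ex), (status, done) in sorted(coverage(framework, as_of, **kw).items()):
        control = control_map[ex][framework]
        w.writerow([framework, control, ex, emp, done.isoformat() if done else "", status])
    return buf.getvalue()


if __name__ == "__main__":
    print(evidence_csv("SOC 2", date(2025, 6, 1)))
    print("gaps:", gaps("SOC 2", date(2025, 6, 1)))
```

Because the join iterates the roster rather than the completion log, people with no record at all surface as "missing" instead of vanishing from the export, which is the gap auditors most often find by sampling. The same call with `framework="HIPAA"` produces the identical rows under the §164.308(a)(5) reference, which is the double-coverage the mapping FAQ describes.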

How often does compliance training need to be refreshed?

Most frameworks specify "annually" as the floor, but every modern auditor expects ongoing reinforcement. SOC 2 and ISO 27001 auditors look for evidence of a continuous program (monthly micro-exercises beat one annual hour). PCI DSS 12.6.3 sets the floor explicitly: on hire and at least once every 12 months. NIS2 Article 20(2) requires management bodies to undergo training themselves and to encourage regular training for employees. The EU AI Act AI literacy obligation is ongoing as systems change. RansomLeak ships fresh content monthly so the cadence holds without repeating material.

How are these framework pillars different from the /compliance-mapping/ matrix?

The matrix is a single-page cross-reference: 13 frameworks, one table each, mapping requirement areas to courses and exercises. It is a quick reference for a buyer comparing scope. The framework pillars below go deeper on seven of those: definition, audit failure modes, named enforcement actions, control-by-control coverage, FAQs, and primary sources. Use the matrix to compare; use the pillar to defend the program in front of an auditor.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.