
How CyberPilot Can Help You With ISO 27001

CyberPilot can help you meet several of the requirements laid out in ISO 27001.

Summary

ISO 27001 provides a framework for establishing and maintaining an Information Security Management System (ISMS).  

As part of this framework, organizations must ensure that employees are competent, aware of their responsibilities, and that awareness activities are documented and monitored over time. 

CyberPilot can help you meet the parts of ISO 27001 that relate to training, awareness, and documentation. 

 


ISO 27001 overview 

ISO 27001 is an international standard for managing information security risks. 

It’s built around the concept of an Information Security Management System (ISMS): a structured framework that helps organizations protect their information through defined processes, clear responsibilities, and continuous improvement. 

Under ISO 27001, organizations are expected to: 

  • Identify and assess information security risks
  • Implement appropriate safeguards based on those risks 
  • Assign clear roles and responsibilities
  • Monitor whether controls are working as intended
  • Continuously improve their security practices 

 

Training and awareness requirements under ISO 27001 

Human behavior plays a significant role in security incidents.  

ISO 27001 requires organizations to ensure that employees are competent, aware of their responsibilities, and able to support the organization’s information security objectives in practice.  

In addition, organizations must be able to document awareness activities, monitor their effectiveness over time, and provide evidence during audits and management reviews. 

CyberPilot can help support these areas through awareness training, documented activities, and measurable reporting. 

 

How CyberPilot can help meet relevant ISO 27001 requirements 

For each relevant ISO 27001 clause, what it requires and how to do this with CyberPilot:

6.1 Risk Assessment & Treatment
  • Requires: identify and address information security risks.
  • With CyberPilot: conduct a risk analysis to identify your organization’s key risk areas, then select training topics that reflect these findings (e.g., phishing, remote work, data handling).

7.2 Competence
  • Requires: ensure employees have the necessary competence based on their role.
  • With CyberPilot: enroll employees in ongoing awareness training so they build practical knowledge about recognizing threats, protecting information, and acting responsibly in daily work.

7.3 Awareness
  • Requires: ensure employees understand policies and responsibilities.
  • With CyberPilot: add your internal policies and guidelines to the app and include them in training plans so employees receive and acknowledge them.

7.5 Documented Information
  • Requires: maintain documented evidence of compliance.
  • With CyberPilot: use training records, enrollment history, and completion data in the User Summary and Awareness Analytics reports as documented evidence that awareness activities have been assigned and carried out.

9.1 Monitoring & Measurement
  • Requires: monitor the effectiveness of controls.
  • With CyberPilot: monitor training progress to ensure awareness activities are being carried out as intended.

9.2 Internal Audit
  • Requires: provide objective evidence during audits.
  • With CyberPilot: use the reports, documented enrollments, and completion data as evidence during internal and external audits.

9.3 Management Review
  • Requires: enable management to review ISMS performance.
  • With CyberPilot: use training data and reports as input to management review discussions.

 

Note: Training completion or quiz results do not in themselves prove full knowledge or behavioral change. However, they provide documented evidence that employees have received relevant awareness activities. 

 

 

How to get started with awareness training under ISO 27001 

Below is a step-by-step approach to working with the aspects of ISO 27001 related to training and awareness.

 

Step 1: Start with your risk assessment 

Conduct and review a risk analysis and identify human-related risks. 

Select awareness training topics that address these risks – e.g., phishing, remote work, or data handling. 

💡 Want to get started quickly?

Skip ahead to Step 2 and start with our recommended training plan - it covers the most common human-related risk areas and gives you a solid baseline to build on. You can always come back and refine your topic selection once you've completed your risk assessment. 

 

Step 2: Build baseline competence 

Enroll all employees in ongoing awareness training to build a foundation of knowledge. 

The goal is to build practical knowledge so employees can recognize threats, handle information responsibly, and act securely in daily work. 

Use our recommended training plan to structure a baseline that applies across the whole organization, and build from there. 

 

Step 3: Assign relevant awareness training by role  

Once baseline training is in place, identify which roles or groups need additional or more targeted content based on their responsibilities and risk exposure. E.g., IT staff, management, or employees handling sensitive data. 

Assign content that reflects their specific context, going beyond the general baseline. 

You can accomplish this in CyberPilot by creating specific training plans for specific groups within your organization. 

  1. First, identify which key roles in your organization might need particular training.   
  2. Now, make sure employees in these roles are set up in Groups or Branches on the CyberPilot App. Read this guide for how to set up Groups and Branches.  
    1. E.g., you could create Groups called “Management”, “IT staff” or “Employees with company issued phones”.   
  3. Next, go to the Training Planner and set up training plans for each of these groups with relevant content.  
    1. See our recommended training plans below if you want some inspiration about what content to use. 


 

Note: If a user is subject to multiple training plans, they will receive the training from all of them.   

This can happen, e.g., if you have one training plan for all users and another for IT staff. Members of IT staff will then be enrolled in the trainings from both plans.   

This can be a good thing. For example, you can use the group-specific training as a supplement to a training plan that always sends out the newly released CyberPilot trainings. 

 

Step 4: Clarify responsibilities and policies 

Make sure employees understand their role in protecting information. 

Add your internal policies and guidelines to the CyberPilot app and include them in your training plan. This ensures employees receive, read, and acknowledge them as part of their awareness activities. 

Read here to learn how to add your own content to the CyberPilot app. 

 

Step 5: Monitor effectiveness over time 

Regularly review training engagement and completion trends using the Dashboard and Awareness Analytics. 

Focus on development over time and look for patterns that may indicate gaps. For example: 

  • Roles or departments with consistently low completion
  • Topics where quiz results suggest knowledge gaps
  • Users who have not completed assigned training 

Follow up on deviations and adjust your training plan accordingly.
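The three patterns above can be checked mechanically against an exported training record rather than by eyeballing a dashboard. The following is an added example, not CyberPilot’s own code and not its export format: the column names (user, group, course, status, quiz_score) and the rows are constructed sample data, and the thresholds are assumptions you would tune to your own risk appetite.

```python
"""Flag awareness-training gaps from an exported training record.

Added example (not CyberPilot's code). The export layout below is assumed:
one row per user per assigned course, with a completion status and an
optional quiz score. Thresholds are illustrative assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not a real format.
SAMPLE_EXPORT = """user,group,course,status,quiz_score
alice,Management,Phishing,completed,90
bob,Management,Phishing,not_started,
carol,IT staff,Phishing,completed,50
dave,IT staff,Phishing,completed,45
erin,Employees,Phishing,completed,85
frank,Employees,Data handling,not_started,
grace,Employees,Data handling,completed,95
"""


def load_records(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def completion_by_group(records):
    """Return {group: share of assigned courses marked completed}."""
    assigned = defaultdict(int)
    done = defaultdict(int)
    for r in records:
        assigned[r["group"]] += 1
        if r["status"] == "completed":
            done[r["group"]] += 1
    return {g: done[g] / assigned[g] for g in assigned}


def mean_quiz_by_course(records):
    """Return {course: mean quiz score} over completed rows that have a score."""
    scores = defaultdict(list)
    for r in records:
        if r["status"] == "completed" and r["quiz_score"]:
            scores[r["course"]].append(float(r["quiz_score"]))
    return {c: sum(s) / len(s) for c, s in scores.items()}


def outstanding_users(records):
    """Users with at least one assigned course that is not completed."""
    return sorted({r["user"] for r in records if r["status"] != "completed"})


def find_gaps(records, min_completion=0.75, min_quiz=70.0):
    """Apply the three deviation checks described in Step 5.

    min_completion and min_quiz are assumed thresholds for this example.
    """
    low_groups = [g for g, rate in completion_by_group(records).items()
                  if rate < min_completion]
    weak_topics = [c for c, avg in mean_quiz_by_course(records).items()
                   if avg < min_quiz]
    return {
        "low_completion_groups": sorted(low_groups),
        "weak_topics": sorted(weak_topics),
        "outstanding_users": outstanding_users(records),
    }


if __name__ == "__main__":
    rows = load_records(SAMPLE_EXPORT)
    for key, value in find_gaps(rows).items():
        print(f"{key}: {value}")
```

Run against the constructed data, Management and Employees fall below the 75% completion threshold, Phishing is flagged as a weak topic (mean score 67.5, pulled down by the IT staff group), and bob and frank are outstanding. Keep in mind the note above: a "completed" row with a passing quiz score is evidence that the activity was delivered, not proof of behavior change, so treat these flags as prompts for follow-up and plan adjustment rather than as a control verdict.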

 

Step 6: Document and retain evidence 

Use training records, enrollment history, and completion data as documented evidence that awareness activities have been assigned and carried out.  

Use this documentation as input to: 

  • Internal audits
  • Management review discussions
  • Continuous improvement efforts 

For guidance on exporting user data and awareness reports, see this article.