Every train2secure course is designed to satisfy international and Australian cybersecurity training requirements — from NIST and ISO 27001 to the ASD Information Security Manual and Essential Eight.
See exactly which frameworks each course satisfies. Together, the full course library provides comprehensive coverage across all major international and Australian standards.
| Course | Dept | NIST | CIS | ISO | PCI | ISM | E8 | APRA | Privacy |
|---|---|---|---|---|---|---|---|---|---|
| IT Security Fundamentals | All Staff | — | |||||||
| Finance & Accounts Security | Finance | — | |||||||
| Management & Executive Cyber Leadership | Leadership | — | |||||||
| Human Resources Security | HR | — | — | — | |||||
| Customer Service & Front-Line Security | Front-Line | — | — | ||||||
| Sales & Marketing Data Protection | Sales | — | — | — | |||||
| IT Staff Advanced Security | IT | — | | | | | | | |
Detailed mapping of how our courses satisfy each control and requirement within every framework.
National Institute of Standards and Technology — Cybersecurity Framework 2.0
The global gold standard for cybersecurity risk management. NIST CSF 2.0 PR.AT-01 requires general security awareness training for all personnel, while PR.AT-02 mandates role-specific training for individuals in specialised positions — including finance, leadership, and those with access to critical data.
| Control | Requirement | Covered |
|---|---|---|
| PR.AT-01 | General awareness training for all personnel | |
| PR.AT-02 | Role-specific training for specialised roles | |
Center for Internet Security — Critical Security Controls v8.1, Control 14
CIS Control 14 defines nine sub-controls covering every aspect of security awareness — from social engineering recognition and authentication best practices to data handling, incident reporting, and role-specific skills training. Our courses map to all nine.
| Control | Requirement | Covered |
|---|---|---|
| 14.1 | Establish and maintain a security awareness programme | |
| 14.2 | Train workforce to recognise social engineering attacks | |
| 14.3 | Train on authentication best practices (MFA, passwords) | |
| 14.4 | Train on data handling, clean desk, and secure disposal | |
| 14.5 | Train on causes of unintentional data exposure | |
| 14.6 | Train to recognise and report security incidents | |
| 14.7 | Train to identify missing security updates | |
| 14.8 | Train on insecure networks and home office security | |
| 14.9 | Conduct role-specific security awareness training | |
International Organisation for Standardisation — ISO/IEC 27001:2022, Annex A 6.3
The world's most widely adopted information security management standard. Annex A 6.3 requires ongoing awareness training at induction and during role changes, role-based education for managers, privileged users, and data handlers, plus documented evidence including quiz results and completion records.
| Control | Requirement | Covered |
|---|---|---|
| A.6.3 | Awareness, education, and training for all personnel | |
| A.6.1 | Screening and personnel security | |
| A.6.2 | Terms and conditions of employment | |
Payment Card Industry Data Security Standard v4.0, Requirement 12.6
Mandatory for all organisations handling payment card data. Requirement 12.6 mandates a formal security awareness programme with training at hire and annually, phishing awareness, acceptable use policies, and annual programme reviews. Fully mandatory since March 31, 2025.
| Control | Requirement | Covered |
|---|---|---|
| 12.6.1 | Formal security awareness programme | |
| 12.6.2 | Review programme at least annually | |
| 12.6.3 | Training at hire and at least annually | |
| 12.6.3.1 | Phishing and social engineering awareness | |
| 12.6.3.2 | Acceptable use of end-user technologies | |
Australian Signals Directorate — Information Security Manual (Personnel Security Guidelines)
Australia's authoritative cybersecurity framework. The ISM Personnel Security Guidelines require annual awareness training for all personnel, tailored training for privileged and high-risk users, BEC fraud awareness, and a maintained training register. A September 2025 update added mandatory social engineering training for personnel handling user accounts.
| Control | Requirement | Covered |
|---|---|---|
| ISM-0252 | Annual cyber security awareness training for all personnel | |
| ISM-1565 | Tailored privileged user training annually | |
| ISM-1746 | Social engineering training for account handlers (Sep 2025) | |
| ISM-0817 | BEC fraud awareness training | |
| ISM-0720 | Maintain a cyber security awareness training register | |
ASD Essential Eight Maturity Model
Australia's prioritised mitigation strategies for cyber threats. While the Essential Eight are technical controls, effective implementation requires workforce understanding of MFA (strategy #6), application patching (#2), and operating system patching (#7). Our courses build the user awareness that underpins these controls. ML2-ML3 is the expected standard by 2026.
| Control | Requirement | Covered |
|---|---|---|
| E8-2 | Patch applications — user awareness of update importance | |
| E8-6 | Multi-factor authentication — user adoption and understanding | |
| E8-7 | Patch operating systems — reporting out-of-date software | |
Australian Prudential Regulation Authority — Prudential Standard CPS 234
Mandatory for all APRA-regulated financial institutions including banks, credit unions, insurers, and superannuation funds. CPS 234 requires information security capability proportional to risk, which explicitly includes workforce training. Aligns with ISO 27001 and requires 72-hour incident reporting to APRA.
| Control | Requirement | Covered |
|---|---|---|
| CPS 234.14 | Information security capability (including training) | |
| CPS 234.28 | Incident notification to APRA within 72 hours | |
Australian Privacy Act 1988 — Australian Privacy Principle 11
APP 11 requires organisations to take 'reasonable steps' to protect personal information. The OAIC guidance identifies staff training on data handling as a core component of meeting this obligation. Our Data Protection and HR Security courses directly address these requirements.
| Control | Requirement | Covered |
|---|---|---|
| APP 11 | Security of personal information — reasonable steps | |
| APP 1 | Open and transparent management of personal information | |
Every training interaction is automatically logged and timestamped. When auditors, insurers, or regulators ask for proof of training, you have it instantly — no spreadsheets required.
Cyber insurance providers increasingly require documented security awareness training as a condition for coverage. train2secure provides the evidence they need.
Timestamped completion records, quiz scores, and per-user progress tracking that insurers can verify. Satisfies the training evidence requirements in most cyber insurance policies.
PDF certificates with unique verification codes issued upon course completion. Provide these directly to your insurer as proof of ongoing security awareness training across your organisation.
Training aligned with NIST, ISO 27001, CIS Controls, and ASD ISM demonstrates to insurers that your programme follows recognised best practices — reducing premiums and avoiding coverage gaps.
Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
