Training Aligned with Leading Standards

Training Built to Meet the Standards That Matter

Every train2secure course is designed to satisfy international and Australian cybersecurity training requirements — from NIST and ISO 27001 to the ASD Information Security Manual and Essential Eight.

Course-to-Standard Compliance Matrix

See exactly which frameworks each course satisfies. Together, the full course library provides comprehensive coverage across all major international and Australian standards.

Frameworks mapped in the matrix: NIST, CIS, ISO, PCI, ISM, E8, APRA, Privacy

Course | Department
IT Security Fundamentals | All Staff
Finance & Accounts Security | Finance
Management & Executive Cyber Leadership | Leadership
Human Resources Security | HR
Customer Service & Front-Line Security | Front-Line
Sales & Marketing Data Protection | Sales
IT Staff Advanced Security | IT

Framework-by-Framework Breakdown

Detailed mapping of how our courses satisfy each control and requirement within every framework.

NIST CSF 2.0

National Institute of Standards and Technology — Cybersecurity Framework 2.0

International (US origin)

The global gold standard for cybersecurity risk management. NIST CSF 2.0 PR.AT-01 requires general security awareness training for all personnel, while PR.AT-02 mandates role-specific training for individuals in specialised positions — including finance, leadership, and those with access to critical data.

Control | Requirement
PR.AT-01 | General awareness training for all personnel
PR.AT-02 | Role-specific training for specialised roles

CIS Controls v8.1

Center for Internet Security — Critical Security Controls v8.1, Control 14

International

CIS Control 14 defines nine sub-controls covering every aspect of security awareness — from social engineering recognition and authentication best practices to data handling, incident reporting, and role-specific skills training. Our courses map to all nine.

Control | Requirement
14.1 | Establish and maintain a security awareness programme
14.2 | Train workforce to recognise social engineering attacks
14.3 | Train on authentication best practices (MFA, passwords)
14.4 | Train on data handling, clean desk, and secure disposal
14.5 | Train on causes of unintentional data exposure
14.6 | Train to recognise and report security incidents
14.7 | Train to identify missing security updates
14.8 | Train on insecure networks and home office security
14.9 | Conduct role-specific security awareness training

ISO 27001:2022

International Organisation for Standardisation — ISO/IEC 27001:2022, Annex A 6.3

International

The world's most widely adopted information security management standard. Annex A 6.3 requires ongoing awareness training at induction and during role changes, role-based education for managers, privileged users, and data handlers, plus documented evidence including quiz results and completion records.

Control | Requirement
A.6.3 | Awareness, education, and training for all personnel
A.6.1 | Screening and personnel security
A.6.2 | Terms and conditions of employment

PCI DSS 4.0

Payment Card Industry Data Security Standard v4.0, Requirement 12.6

International

Mandatory for all organisations handling payment card data. Requirement 12.6 mandates a formal security awareness programme with training at hire and annually, phishing awareness, acceptable use policies, and annual programme reviews. Fully mandatory since March 31, 2025.

Control | Requirement
12.6.1 | Formal security awareness programme
12.6.2 | Review programme at least annually
12.6.3 | Training at hire and at least annually
12.6.3.1 | Phishing and social engineering awareness
12.6.3.2 | Acceptable use of end-user technologies

ASD ISM

Australian Signals Directorate — Information Security Manual (Personnel Security Guidelines)

Australia's authoritative cybersecurity framework. The ISM Personnel Security Guidelines require annual awareness training for all personnel, tailored training for privileged and high-risk users, BEC fraud awareness, and a maintained training register. A September 2025 update added mandatory social engineering training for personnel handling user accounts.

Control | Requirement
ISM-0252 | Annual cyber security awareness training for all personnel
ISM-1565 | Tailored privileged user training annually
ISM-1746 | Social engineering training for account handlers (Sep 2025)
ISM-0817 | BEC fraud awareness training
ISM-0720 | Maintain a cyber security awareness training register

Essential Eight

ASD Essential Eight Maturity Model

Australia's prioritised mitigation strategies for cyber threats. While the Essential Eight are technical controls, effective implementation requires workforce understanding of MFA (strategy #6), application patching (#2), and operating system patching (#7). Our courses build the user awareness that underpins these controls. ML2-ML3 is the expected standard by 2026.

Control | Requirement
E8-2 | Patch applications — user awareness of update importance
E8-6 | Multi-factor authentication — user adoption and understanding
E8-7 | Patch operating systems — reporting out-of-date software

APRA CPS 234

Australian Prudential Regulation Authority — Prudential Standard CPS 234

Australia (Financial Services)

Mandatory for all APRA-regulated financial institutions including banks, credit unions, insurers, and superannuation funds. CPS 234 requires information security capability proportional to risk, which explicitly includes workforce training. Aligns with ISO 27001 and requires 72-hour incident reporting to APRA.

Control | Requirement
CPS 234.14 | Information security capability (including training)
CPS 234.28 | Incident notification to APRA within 72 hours

Privacy Act 1988

Australian Privacy Act 1988 — Australian Privacy Principle 11

APP 11 requires organisations to take 'reasonable steps' to protect personal information. The OAIC guidance identifies staff training on data handling as a core component of meeting this obligation. Our Data Protection and HR Security courses directly address these requirements.

Control | Requirement
APP 11 | Security of personal information — reasonable steps
APP 1 | Open and transparent management of personal information

Audit-Ready by Default

Built-In Compliance Documentation

Every training interaction is automatically logged and timestamped. When auditors, insurers, or regulators ask for proof of training, you have it instantly — no spreadsheets required.

Training Register
Automatic log of who completed what training and when — satisfies ASD ISM-0720
Quiz Score Records
Individual scores with pass/fail status for every module — satisfies ISO 27001 A.6.3 evidence requirements
PDF Certificates
Downloadable certificates with unique verification codes for each completed course
Company Admin Reports
Department-level completion rates and compliance status — ready for board reporting

Meet Your Cyber Insurance Requirements

Cyber insurance providers increasingly require documented security awareness training as a condition for coverage. train2secure provides the evidence they need.

Documented Training Records

Timestamped completion records, quiz scores, and per-user progress tracking that insurers can verify. Satisfies the training evidence requirements in most cyber insurance policies.

Verifiable Certificates

PDF certificates with unique verification codes issued upon course completion. Provide these directly to your insurer as proof of ongoing security awareness training across your organisation.

Standards-Aligned Content

Training aligned with NIST, ISO 27001, CIS Controls, and ASD ISM demonstrates to insurers that your programme follows recognised best practices — reducing premiums and avoiding coverage gaps.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

[Image: train2secure analytics dashboard showing training completion stats and user progress]