ISO/IEC 27001:2022 requires organisations to establish, operate, test, and continually improve an information security management system (ISMS). CyberICS provides 300+ ready-to-run ICS/OT tabletop scenarios in Multi-Language, AI-generated After Action Reports, and audit-ready compliance evidence — supporting your Annex A incident management and continuity controls and your Clause 9.1 monitoring obligations.
ISO/IEC 27001:2022 applies to any organisation seeking to establish, operate, and continually improve an information security management system. Both certified and ISMS-aligned organisations must implement Annex A controls — including documented incident management and continuity testing.
Certified organisations are subject to external surveillance audits by an accredited certification body, recurring Stage 1 and Stage 2 assessments, and the requirement to demonstrate continual improvement and effectiveness of every applicable Annex A control across the certification cycle.
Organisations aligning to ISO 27001 without formal certification rely on internal audit and self-assessment, but must implement the same Annex A information security controls and risk treatment measures as certified organisations to claim meaningful conformance.
ISO/IEC 27001 is an international standard adopted by organisations across the world in many working languages. CyberICS delivers exercises, AI facilitation outputs, and After Action Reports in Multi-Language — enabling cross-border and multilingual teams to run exercises in their working language.
Annex A defines the information security controls organisations select to treat identified risks. Tabletop exercises directly satisfy the incident management and continuity controls, and support evidence generation for several additional controls.
| Control | Control Name | Control Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| A.5.1 | Policies for information security | Information security policy and topic-specific policies defined, approved, and reviewed | AI Facilitator Briefing surfaces policy gaps; AAR documents policy weaknesses identified during exercises; Gap Analysis flags absent policies | Supporting |
| A.5.24–5.26 | Information security incident management | Planning, assessment, decision, and response procedures for information security incidents, including documented testing | Live Session mode executes structured incident response exercises. AI AAR documents detection, containment, and recovery steps taken. Compliance evidence package provides audit-ready incident handling test record | Core |
| A.5.29–5.30 | Continuity & ICT readiness | Information security during disruption and ICT readiness for business continuity — including documented testing | Recovery-focused scenario variants test backup activation and DR procedures; Continuity management steps are recorded and reflected in the AAR; Compliance evidence package documents the continuity exercise | Core |
| A.5.19–5.22 | Supplier relationships security | Security in supplier and ICT supply chain relationships, including monitoring and management of supplier services | Supply chain attack scenarios exercise third-party compromise detection and vendor communication procedures; Gap Analysis flags supply chain vulnerabilities identified during exercise | Partial |
| A.8.20–8.22 | Network security | Security of networks, network services, and segregation of networks supporting information systems | Network-layer attack scenarios (lateral movement, OT/IT boundary crossing) exercise detection and response; AAR documents control gaps in network security posture | Partial |
| A.6.3 | Awareness, education & training | Information security awareness, education, and training for personnel relevant to their role | Exercise completion demonstrates active cybersecurity training activity; Facilitator Certification evidence of qualified facilitation; AI Coaching tips reinforce good practices during exercises | Supporting |
| A.8.24 | Use of cryptography | Rules for the effective use of cryptography, including key management | Scenarios referencing encrypted communication channels and data-at-rest protections exercise cryptography-adjacent procedures; limited direct coverage | Partial |
| A.5.15–5.18 | Access control & identity | Access control policy, identity management, authentication information, and access rights | Insider threat and privilege escalation scenarios exercise access control response procedures; AAR flags access management gaps identified during exercises | Supporting |
| A.8.5 | Secure authentication | Secure authentication technologies and procedures, including multi-factor authentication where required | Authentication bypass scenarios test detection of MFA circumvention; limited direct coverage of authentication policy enforcement | Partial |
| Clause 9.1 | Monitoring & performance evaluation | Top management must monitor, measure, analyse, and evaluate the performance and effectiveness of the ISMS | Executive-level scenario participants, AI AAR addressed to management, exercise history demonstrating consistent programme, Compliance Dashboard for board-level reporting | Supporting |
Three core capabilities work together to deliver, document, and evidence your Annex A incident management and continuity controls.
Live Session mode provides a real-time, multi-participant exercise environment. All steps, responses, and host actions are timestamped — creating an auditable record of your incident management test.
Immediately after each exercise, CyberICS's AI generates a structured AAR documenting gaps, recommendations, and ISO 27001 Annex A control references — in the language your team worked in.
The Compliance Dashboard generates per-framework ISO 27001 evidence packages — a 6-page audit PDF covering exercise log, Annex A controls coverage, gap analysis, remediation plan, and attestation.
Six high-fidelity scenarios covering the most security-sensitive sectors — ready to run without customisation, with AI facilitator briefing included.
Ransomware propagates through a hospital's Building Management System, affecting HVAC, access control, and medical gas pressure monitoring. Tests Annex A 5.24–5.26 and 5.29–5.30 incident and continuity response.
A coordinated cyberattack targets multiple substations simultaneously, triggering cascading grid failures. Exercises Annex A 5.24–5.26 incident response and stakeholder communication procedures.
An attacker gains access to a municipal water treatment SCADA system and begins altering chemical dosing setpoints. Tests detection, containment, and stakeholder notification procedures.
A sophisticated threat actor compromises SWIFT messaging infrastructure, threatening transaction integrity and regulatory notification timelines. Exercises ISO 27001 and DORA dual obligations and incident response.
Ransomware strikes a port's logistics management platform, halting container tracking and creating cross-border supply chain disruption. Tests Annex A 5.24–5.30 and supplier-relationship controls.
A trusted software vendor used across multiple organisations is compromised, requiring coordinated cross-border response. Tests Annex A 5.19–5.22 supplier-relationship controls and incident notification flows.
Plus 59 additional scenarios across Pharma, Chemical, Manufacturing, Oil & Gas, and more. Browse the full library →
Every CyberICS exercise generates four categories of compliance evidence supporting ISO 27001 Annex A demonstration requirements and certification audit reporting.
AI-generated PDF with gap analysis, corrective actions, and ISO 27001 Annex A references. Available in EN, FR, PT, ES, DE, IT within minutes of exercise completion.
6-page per-framework audit PDF: exercise log, Annex A controls map, gap analysis, remediation timeline, and attestation page for certification audit files.
Timestamped record of all participant responses and exercise activity demonstrating real team engagement — relevant to Clause 9.1 monitoring and performance evaluation evidence.
Identified exercise gaps are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail for Annex A implementation evidence.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial in your working language — no credit card required. Or speak with our compliance team about building a structured ISO 27001 exercise programme.
Also explore: NIST CSF 2.0 Toolkit · IEC 62443 Toolkit · NERC CIP Toolkit