🌐 ISO/IEC 27001 Compliance Toolkit

Evidence ISO 27001 Annex A Controls with
AI-Powered Incident Response Exercises

ISO/IEC 27001:2022 requires organisations to establish, operate, test, and continually improve an information security management system (ISMS). CyberICS provides 300+ ready-to-run ICS/OT tabletop scenarios in Multi-Language, AI-generated After Action Reports, and audit-ready compliance evidence — supporting your Annex A incident management and continuity controls and your Clause 9.1 monitoring obligations.

Annex A 5.24–5.26 — Incident management & response
ISO/IEC 27001:2022 — Annex A Controls
Annex A 5.29–5.30 — Continuity & ICT readiness
Clause 9.1 — Monitoring & performance evaluation
EN / FR / PT / ES / DE / IT — Multi-Language
Start Free — 14-Day Trial 📋 Take ISO 27001 Readiness Assessment → Talk to Our EU Compliance Team
Compliance Note: CyberICS's exercise scenarios and evidence artifacts support ISO/IEC 27001 Annex A incident management and continuity controls as part of a structured information security management system (ISMS). Formal ISO 27001 certification — including Stage 1 and Stage 2 audits — requires engagement with an accredited certification body and a documented ISMS covering all applicable Annex A controls.
Who ISO 27001 Applies To

Certified Organisations vs. Aligned Organisations

ISO/IEC 27001:2022 applies to any organisation seeking to establish, operate, and continually improve an information security management system. Both certified and ISMS-aligned organisations must implement Annex A controls — including documented incident management and continuity testing.

Certified Organisations

Higher Scrutiny, External Audit

Certified organisations are subject to external surveillance audits by an accredited certification body, recurring Stage 1 and Stage 2 assessments, and the requirement to demonstrate continual improvement and effectiveness of every applicable Annex A control across the certification cycle.

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & financial market infrastructure
  • Health (hospitals, labs, pharma manufacturers)
  • Drinking water & wastewater
  • Digital infrastructure (IXPs, DNS, TLD, cloud, data centres)
  • ICT service management (managed services)
  • Public administration (central government)
  • Space (ground infrastructure operators)
Tabletop exercises directly evidence Annex A 5.24–5.26 incident management and Annex A 5.29–5.30 continuity testing controls for certified organisations.
Aligned Organisations

Internal Assurance, Same Controls

Organisations aligning to ISO 27001 without formal certification rely on internal audit and self-assessment, but must implement the same Annex A information security controls and risk treatment measures as certified organisations to claim meaningful conformance.

  • Postal & courier services
  • Waste management
  • Chemicals (manufacture, production, distribution)
  • Food (large-scale production & distribution)
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organisations
The same Annex A technical and organisational controls apply. Exercise documentation requirements are identical.
🌎

Multilingual Support for Global Teams

ISO/IEC 27001 is an international standard adopted by organisations across the world in many working languages. CyberICS delivers exercises, AI facilitation outputs, and After Action Reports in Multi-Language — enabling cross-border and multilingual teams to run exercises in their working language.

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
Annex A Mapping

ISO 27001 Annex A — Information Security Controls

Annex A defines the information security controls organisations select to treat identified risks. Tabletop exercises directly satisfy the incident management and continuity controls, and support evidence generation for several additional controls.

Annex A Controls Reference

Coverage: Core = exercise directly required  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the risk domain

Control Control Name Control Summary CyberICS Capability Coverage
A.5.1 Policies for information security Information security policy and topic-specific policies defined, approved, and reviewed AI Facilitator Briefing surfaces policy gaps; AAR documents policy weaknesses identified during exercises; Gap Analysis flags absent policies Supporting
A.5.24–5.26 Information security incident management Planning, assessment, decision, and response procedures for information security incidents, including documented testing Live Session mode executes structured incident response exercises. AI AAR documents detection, containment, and recovery steps taken. Compliance evidence package provides audit-ready incident handling test record Core
A.5.29–5.30 Continuity & ICT readiness Information security during disruption and ICT readiness for business continuity — including documented testing Recovery-focused scenario variants test backup activation and DR procedures; Continuity management steps are recorded and reflected in the AAR; Compliance evidence package documents the continuity exercise Core
A.5.19–5.22 Supplier relationships security Security in supplier and ICT supply chain relationships, including monitoring and management of supplier services Supply chain attack scenarios exercise third-party compromise detection and vendor communication procedures; Gap Analysis flags supply chain vulnerabilities identified during exercise Partial
A.8.20–8.22 Network security Security of networks, network services, and segregation of networks supporting information systems Network-layer attack scenarios (lateral movement, OT/IT boundary crossing) exercise detection and response; AAR documents control gaps in network security posture Partial
A.6.3 Awareness, education & training Information security awareness, education, and training for personnel relevant to their role Exercise completion demonstrates active cybersecurity training activity; Facilitator Certification evidence of qualified facilitation; AI Coaching tips reinforce good practices during exercises Supporting
A.8.24 Use of cryptography Rules for the effective use of cryptography, including key management Scenarios referencing encrypted communication channels and data-at-rest protections exercise cryptography-adjacent procedures; limited direct coverage Partial
A.5.15–5.18 Access control & identity Access control policy, identity management, authentication information, and access rights Insider threat and privilege escalation scenarios exercise access control response procedures; AAR flags access management gaps identified during exercises Supporting
A.8.5 Secure authentication Secure authentication technologies and procedures, including multi-factor authentication where required Authentication bypass scenarios test detection of MFA circumvention; limited direct coverage of authentication policy enforcement Partial
Clause 9.1 Monitoring & performance evaluation Top management must monitor, measure, analyse, and evaluate the performance and effectiveness of the ISMS Executive-level scenario participants, AI AAR addressed to management, exercise history demonstrating consistent programme, Compliance Dashboard for board-level reporting Supporting
Platform Capabilities

How CyberICS Supports Your ISO 27001 Programme

Three core capabilities work together to deliver, document, and evidence your Annex A incident management and continuity controls.

🎲
A.5.24–5.26 · A.5.29–5.30

Structured Exercise Execution

Live Session mode provides a real-time, multi-participant exercise environment. All steps, responses, and host actions are timestamped — creating an auditable record of your incident management test.

  • Participant join record with timestamps
  • Step-by-step scenario walkthrough log
  • Session duration and completion metadata
  • Scored participant responses (optional)
📋
A.5.24–5.26 · Clause 9.1

AI-Generated After Action Report

Immediately after each exercise, CyberICS's AI generates a structured AAR documenting gaps, recommendations, and ISO 27001 Annex A control references — in the language your team worked in.

  • Structured gap analysis with severity ratings
  • ISO 27001 Annex A control references per gap
  • Corrective action recommendations
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
All Applicable Annex A Controls

Compliance Evidence Package

The Compliance Dashboard generates per-framework ISO 27001 evidence packages — a 6-page audit PDF covering exercise log, Annex A controls coverage, gap analysis, remediation plan, and attestation.

  • Exercise date, scope, and participants record
  • ISO 27001 Annex A controls coverage map
  • Identified gaps and remediation timeline
  • Attestation page for certification audit files
Scenario Library

ISO 27001-Relevant Scenarios Across Critical Sectors

Six high-fidelity scenarios covering the most security-sensitive sectors — ready to run without customisation, with AI facilitator briefing included.

Healthcare & Hospitals
Certified Organisation
Hospital BMS Ransomware Attack

Ransomware propagates through a hospital's Building Management System, affecting HVAC, access control, and medical gas pressure monitoring. Tests Annex A 5.24–5.26 and 5.29–5.30 incident and continuity response.

A.5.24 A.5.29 A.5.19
Energy — Electricity
Certified Organisation
Power Grid Cascading Failure

A coordinated cyberattack targets multiple substations simultaneously, triggering cascading grid failures. Exercises Annex A 5.24–5.26 incident response and stakeholder communication procedures.

A.5.24 A.5.5 A.5.29
Water & Wastewater
Certified Organisation
Water Treatment SCADA Intrusion

An attacker gains access to a municipal water treatment SCADA system and begins altering chemical dosing setpoints. Tests detection, containment, and stakeholder notification procedures.

A.5.24 A.5.5 A.8.20
Banking & Finance
Certified Organisation
Banking SWIFT Network Disruption

A sophisticated threat actor compromises SWIFT messaging infrastructure, threatening transaction integrity and regulatory notification timelines. Exercises ISO 27001 and DORA dual obligations and incident response.

A.5.24 DORA A.5.5
Transport & Logistics
Aligned Organisation
Port Logistics Platform Disruption

Ransomware strikes a port's logistics management platform, halting container tracking and creating cross-border supply chain disruption. Tests Annex A 5.24–5.30 and supplier-relationship controls.

A.5.24 A.5.19 A.5.29
Multi-Sector
All Organisations
Cross-Border Supply Chain Attack

A trusted software vendor used across multiple organisations is compromised, requiring coordinated cross-border response. Tests Annex A 5.19–5.22 supplier-relationship controls and incident notification flows.

A.5.19 A.5.5 A.5.24

Plus 59 additional scenarios across Pharma, Chemical, Manufacturing, Oil & Gas, and more. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for Certification Bodies

Every CyberICS exercise generates four categories of compliance evidence supporting ISO 27001 Annex A demonstration requirements and certification audit reporting.

📋
After Action Report (AAR)

AI-generated PDF with gap analysis, corrective actions, and ISO 27001 Annex A references. Available in EN, FR, PT, ES, DE, IT within minutes of exercise completion.

A.5.24–5.26 · A.5.29–5.30
📈
ISO 27001 Evidence Package

6-page per-framework audit PDF: exercise log, Annex A controls map, gap analysis, remediation timeline, and attestation page for certification audit files.

All Applicable Annex A Controls
🕑
Session Activity Transcript

Timestamped record of all participant responses and exercise activity demonstrating real team engagement — relevant to Clause 9.1 monitoring and performance evaluation evidence.

Clause 9.1 Monitoring
🔗
Gap Remediation Tracking

Identified exercise gaps are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail for Annex A implementation evidence.

Clause 10 Improvement

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Exercise Your ISO 27001 Incident Response Plans?

Start with a free 14-day trial in your working language — no credit card required. Or speak with our compliance team about building a structured ISO 27001 exercise programme.

Also explore: NIST CSF 2.0 Toolkit  ·  IEC 62443 Toolkit  ·  NERC CIP Toolkit