Phishing Training Compliance Comparison: SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR, NIS2
Most compliance buyers shopping for a phishing simulation platform are not satisfying one framework - they are satisfying two or three at once. SOC 2 and HIPAA. PCI DSS and NIST CSF. ISO 27001 and NIS2. The frameworks all want similar things at the substance level (continuous testing, remediation, documentation, executive reporting), but they differ in clause language, audit posture and how they expect evidence to be presented.
The table below maps the thirteen frameworks most often referenced in phishing-simulation procurement to the specific clause that drives the requirement, the expected cadence, the documentation auditors look for and the related deep-read from this blog. Each linked post unpacks the framework in detail.
| Framework | Driving clause | Expected cadence | Audit posture |
|---|---|---|---|
| SOC 2 | AICPA Trust Services Criteria CC1.4 (commitment to competence) and CC2.2 (internal communications, training) | Continuous, with annual policy review | Auditor wants narrative description in your TSC mapping plus campaign evidence covering the audit period |
| HIPAA | §164.308(a)(5) Security Awareness and Training (administrative safeguard) | Continuous; OCR weights frequency favorably | Documentation must hold up under HHS OCR audit; weight on remediation evidence after a click |
| PCI DSS 4.0 | Requirement 12.6 (security awareness program) | Continuous (4.0 explicitly moved past annual) | QSA examines program evidence as part of annual ROC; 4.0 raises the bar on continuous testing |
| NIST CSF 2.0 | PR.AT (Awareness and Training), PR.PS (People), DE.CM (Continuous Monitoring) | Continuous monitoring is the explicit posture | Voluntary framework but used as audit reference for federal contractors and supply chain |
| ISO 27001 | Annex A.6.3 (Information Security Awareness, Education, Training) | Continuous; certification auditors expect documented program | Stage-2 audit checks evidence; ad-hoc training fails the "fit for purpose" test |
| GDPR | Article 32 (appropriate technical and organisational measures) | Not specified; interpreted as fit-for-purpose | EU data protection authorities (CNIL, AEPD, ICO, etc.) read "appropriate" against the breach context |
| NIS2 | Article 21 (basic cyber hygiene practices and cybersecurity training) | Continuous; explicit in directive | Member-state authorities enforce; broader scope than GDPR (covers more entity types) |
| FedRAMP / federal civilian | NIST 800-53 AT family (AT-2 awareness training, AT-3 role-based training, AT-4 records, AT-5 contacts) | Annual minimum; continuous strongly preferred for moderate/high baselines | 3PAO assessment; evidence packet aligned to control families; reusable across CMMC if both frameworks in scope |
| CMMC (DoD) | AT.L2-3.2.1 (basic awareness), AT.L2-3.2.2 (role-based), AT.L2-3.2.3 (insider threat) - inheriting NIST 800-171 | Annual minimum; continuous monthly is the operational standard for defensible posture | C3PAO third-party assessment (the operative change from self-attested NIST 800-171); evidence indexed by AT control number |
| FFIEC (banking) | Information Security booklet - Security Awareness and Training Programs section; CAT maturity ladder (Baseline -> Innovative) | Annual training minimum; monthly phishing simulation is the operational standard examiners increasingly expect | Federal banking examiners (OCC, FDIC, NCUA, Federal Reserve) and state regulators; YOY trend analysis weighted as maturity indicator |
| HITRUST (healthcare procurement) | CSF Control 02.e (Information Security Awareness, Education and Training); Implementation Levels 1-3; e1/i1/r2 assessment paths | Annual minimum (Level 1); continuous training with phishing tests (Level 2); measurable behavior change (Level 3 / r2 cert) | Accredited HITRUST Validated Assessor (CCSFP); MyCSF five-tier evidence model (Policy / Process / Implemented / Measured / Managed) |
| NYDFS Part 500 (NY finserv) | 23 NYCRR 500 Section 500.14(a)(3) (cybersecurity awareness training, including for phishing attacks - 2023 Second Amendment) | Annual minimum; continuous reinforcement is the operational standard post-2023 amendment | NYDFS examiners; April-15 annual Notice of Compliance certification via Cybersecurity Portal; calendar-year aligned evidence |
| HHS 405(d) HICP (healthcare voluntary) | Health Industry Cybersecurity Practices framework; phishing named as Threat Vector #1; Volume 1 (small) and Volume 2 (medium and large) recommended practices | Volume 1: annual training + quarterly tests minimum. Volume 2: continuous monthly with auto-assigned remediation | Voluntary framework; documented adoption produces HIPAA enforcement-discount alignment with OCR under 2021 HITECH Amendment recognized-practices factor |
What's the same across all thirteen frameworks
Despite different clause language, the substance of what auditors want from a phishing program is remarkably consistent across all thirteen:
- A written security awareness policy approved by management, with version history
- Continuous campaign cadence - quarterly is the floor, monthly is the standard for mature programs
- Auto-assigned remediation training for users who fail simulations (manual remediation is increasingly seen as a finding)
- Documented click-through-rate trend - the trend matters more than any single number
- Executive reporting on program performance, ideally to a board or risk committee
- One-click export of program evidence for audit response
If your phishing simulation platform produces those six pieces cleanly, you are substantively satisfying all thirteen frameworks - even though the audit packet you turn in for SOC 2 looks different from the one you turn in for HIPAA.
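To make the six evidence items concrete, here is an added example (not code from the original post or from any vendor's platform) that builds an audit evidence packet from campaign results. The `Campaign` record format, the policy metadata, the 45-day cadence threshold and the sample results are all constructed for this example; the trend is a least-squares slope over the monthly click rates, so a negative value documents the "trending downward" line the post describes, and it also flags any clicker who has not completed auto-assigned remediation and any gap in cadence that would turn a continuous program into a finding.

```python
"""Evidence-packet builder for a phishing simulation program.

Added example; not code from the original post or any vendor's platform.
The Campaign record format, the policy metadata, the 45-day cadence
threshold and the sample results below are assumptions made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Assumption: more than 45 days between campaigns is a cadence gap. This
# catches quarterly-or-worse programs while tolerating month-length jitter.
MAX_GAP_DAYS = 45


@dataclass
class Campaign:
    sent_on: date
    targeted: int                # users who received the simulated lure
    clicked: set[str]            # user ids who clicked the lure
    remediated: set[str] = field(default_factory=set)  # clickers who finished training

    def click_rate(self) -> float:
        """Click-through rate as a percentage of targeted users."""
        return 100.0 * len(self.clicked) / self.targeted

    def remediation_backlog(self) -> set[str]:
        """Clickers with no completed remediation training (an audit finding)."""
        return self.clicked - self.remediated


def click_rate_series(campaigns: list[Campaign]) -> list[tuple[str, float]]:
    """(YYYY-MM, click rate %) per campaign, oldest first."""
    ordered = sorted(campaigns, key=lambda c: c.sent_on)
    return [(c.sent_on.strftime("%Y-%m"), round(c.click_rate(), 2)) for c in ordered]


def trend_slope(rates: list[float]) -> float:
    """Least-squares slope in percentage points per campaign.

    A negative slope documents a falling click rate, which auditors weigh
    more heavily than any single month's number."""
    n = len(rates)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(rates) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(rates))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def cadence_findings(campaigns: list[Campaign]) -> list[str]:
    """Gaps longer than MAX_GAP_DAYS between consecutive campaigns."""
    dates = sorted(c.sent_on for c in campaigns)
    findings = []
    for prev, cur in zip(dates, dates[1:]):
        gap = (cur - prev).days
        if gap > MAX_GAP_DAYS:
            findings.append(f"{gap}-day gap between {prev} and {cur}")
    return findings


def build_evidence_packet(policy: dict, campaigns: list[Campaign]) -> dict:
    """Assemble the six evidence items the post says every framework asks for."""
    ordered = sorted(campaigns, key=lambda c: c.sent_on)
    series = click_rate_series(ordered)
    slope = trend_slope([rate for _, rate in series])
    backlog = {month: sorted(c.remediation_backlog())
               for (month, _), c in zip(series, ordered) if c.remediation_backlog()}
    findings = cadence_findings(ordered)
    outstanding = sum(len(users) for users in backlog.values())
    summary = (f"{len(ordered)} campaigns; click rate {series[0][1]}% -> {series[-1][1]}%; "
               f"trend {slope:+.2f} pp/campaign; {outstanding} users awaiting remediation; "
               f"{len(findings)} cadence findings")
    return {
        "policy": policy,                        # 1. approved policy with version
        "campaign_count": len(ordered),          # 2. cadence evidence
        "cadence_findings": findings,
        "remediation_backlog": backlog,          # 3. auto-assigned remediation status
        "click_rate_series": series,             # 4. documented trend
        "trend_slope_pp_per_campaign": slope,
        "executive_summary": summary,            # 5. executive reporting line
    }


def export_json(packet: dict) -> str:
    """6. One-click export of the packet for audit response."""
    return json.dumps(packet, indent=2, default=str)


def _campaign(month: int, clicks: int, outstanding: int = 0) -> Campaign:
    """Constructed sample campaign: 200 targets, `clicks` clickers,
    the first `outstanding` of them not yet remediated."""
    clicked = {f"user{i:03d}" for i in range(clicks)}
    remediated = {f"user{i:03d}" for i in range(outstanding, clicks)}
    return Campaign(date(2024, month, 15), 200, clicked, remediated)


# Constructed sample data: a monthly program whose click rate falls from 15% to 4%,
# with two December clickers still owing remediation.
SAMPLE_POLICY = {"title": "Security Awareness Policy", "version": "3.1",
                 "approved_by": "CISO", "approved_on": "2024-01-08"}
SAMPLE_CLICKS = [30, 28, 24, 22, 20, 18, 16, 14, 12, 12, 10, 8]
SAMPLE_CAMPAIGNS = [_campaign(m, n, 2 if m == 12 else 0)
                    for m, n in zip(range(1, 13), SAMPLE_CLICKS)]

if __name__ == "__main__":
    print(export_json(build_evidence_packet(SAMPLE_POLICY, SAMPLE_CAMPAIGNS)))
```

Running the block prints the packet as JSON; the `cadence_findings` list is empty for the monthly sample, but feeding it only a January and an April campaign produces a 91-day gap finding, which is exactly the annual-or-quarterly posture the post says no longer passes.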
What's different - and where the friction shows up
The differences mostly show up in evidence presentation, not program substance:
- SOC 2 wants a narrative description embedded in your TSC mapping. The auditor reads the description, then samples campaigns from the audit period to verify.
- HIPAA wants documentation that maps directly to the §164.308(a)(5) administrative safeguard, with strong weight on what happens after a user fails (remediation evidence is heavily scrutinized in OCR audits).
- PCI DSS 4.0 wants a written information security policy that references the program, plus campaign-level evidence. The 4.0 update explicitly raised the bar on continuous testing, so annual-only programs fail.
- NIST CSF is voluntary, but used heavily as a reference framework - federal contractors, supply chain and many SOC-2-mature programs cross-walk to CSF for governance maturity.
- ISO 27001 certification auditors want documented program evidence in stage-2 audit; ad-hoc training fails the "fit for purpose" test.
- GDPR Article 32 is interpreted contextually - what is "appropriate" depends on the breach context. Phishing-driven breach reports get extra scrutiny on training adequacy.
- NIS2 is now in force across EU member states; in-scope entities (critical and important) must demonstrate cyber hygiene training. Scope is substantially broader than NIS1.
If you are running into renewal or audit season
The single highest-leverage move for any of these frameworks: switch from annual to continuous and document the trend line. A program that ran 12 monthly campaigns over the past year, with auto-assigned remediation and a documented click-rate trending downward, will satisfy all thirteen frameworks substantively - even when the audit-packet formatting differs.
Pair this with the cyber-insurer renewal walkthrough if your renewal hits the same season as your audit. The carriers ask many of the same questions.
Want to see what continuous looks like in practice? Start a free trial up to 25 users - no credit card. Or contact us directly if you want to walk through how the program would map to your specific compliance stack.
This post is informational and does not constitute legal, compliance or audit advice. Consult your auditor, QSA or compliance counsel for specific guidance on your situation.