Compliance Simulator · Case 1 of 3

NordChem's First Line of Defence

A hands-on, gamified case study — build an ISMS from scratch and achieve ISO 27001 compliance using Cyberday.

🏭 Finnish Chemical Industry
🎭 You play the CISO
ISO/IEC 27001:2022
~120 min · 8 Tasks · 800 XP
Part 1

Your Scenario

It is Monday, 9 January 2026. You have just started your new role as Chief Information Security Officer (CISO) at NordChem Oy, a mid-sized Finnish specialty chemicals company headquartered in Oulu.

NordChem Oy — Company Profile

Industry: Specialty chemicals (NACE C20)
Founded: 1997, Oulu, Finland
Employees: ~210 (FTE)
Revenue: ~€38 M (2024)
Key IT systems: SAP ERP, SCADA/OT, MS 365, web portal
Regulatory context: REACH, Finnish Act on Information Management, ISO 27001 customer requirement
Jarkko Virtanen, IT Manager

"Welcome aboard. I should be honest with you — your predecessor left behind almost no documentation. There is no formal information security policy, no risk register, and no clear ownership of IT assets. Our ERP, process control network, and customer portal all sit on the same flat network segment."

Jarkko Virtanen, IT Manager

"Oh, and last autumn a phishing attack compromised two employee accounts. It was never properly documented or reported to senior management. I flagged it at the time but... well, you can see the situation."

Later that week — CEO's Office
Maria Lindqvist, CEO

"Thank you for coming in. I received something from our largest customer this morning that I need you to look at urgently."

Maria Lindqvist, CEO

"This is our largest contract. I need you to present a concrete action plan to the board within two weeks. Can you make this happen?"

How do you respond to the CEO?
"We'll get ISO 27001 certified before the deadline, no problem."
Confidence is good, but full certification typically takes 6–12 months. Over-promising creates risk. A better approach: commit to demonstrating an active ISMS by June, with formal certification as a follow-up goal.
"Can we ask Schneider for an extension while we figure this out?"
Buying time can work, but it signals unpreparedness. Stronger to come back with a concrete plan first — then request an extension if needed, showing the plan as evidence of commitment.
Your mission begins

Learning Objectives

Understand what an ISMS is, who uses it, and why it matters for organisations
Explain ISO 27001:2022 structure, requirements, and the role of ISO 27002
Navigate Cyberday's dashboard, themes, frameworks, and task hierarchy
Complete the onboarding checklist and activate ISO 27001 framework
Draft an ISMS and configure the Information Security Policy report
Understand and work with documentation: assets, records, and stakeholders
Create personnel security guidelines and understand the Guidebook
Build a prioritised action plan and assign task owners
Generate a Statement of Applicability (SoA) and present it to the board
Formulate a certification roadmap for executive presentation
How this works: This case study is designed to run in a split-screen layout — keep this panel on the left and Cyberday open on the right. Complete each task in order. Answer verification questions to earn XP. You need 500 XP (of 800) to pass.
Part 2

ISMS Fundamentals — Learn Before You Build

Before diving into the platform, you spend some time reviewing the fundamentals. These concepts will guide every decision you make over the coming weeks.

What is an ISMS?

An Information Security Management System (ISMS) is a structured set of policies, processes, and controls that an organisation uses to manage information security risks systematically. Think of it as the "operating system" for how your company protects its data, systems, and people.

An ISMS is not a one-off project or a single document. It is a living system that follows the Plan–Do–Check–Act (PDCA) continuous improvement cycle. This means you plan your security measures, implement them, monitor their effectiveness, and continuously refine them.

Who uses an ISMS?

Any organisation that handles sensitive information — customer data, trade secrets, employee records, financial systems — benefits from an ISMS. In practice, the ISMS is managed by a security team or CISO, but it involves everyone in the organisation: from the CEO who approves the security policy, to the warehouse worker who follows physical security rules, to the developer who follows secure coding practices.

Typical roles in an ISMS include a management sponsor (CEO/board), the ISMS owner (CISO or security manager), theme/area owners (IT lead, HR lead, facilities), and all employees who follow guidelines.

How is an ISMS used in practice?

In daily operations, an ISMS translates into concrete activities: documenting your IT assets and who owns them, assessing risks to your information, creating security policies and distributing them to staff, handling incidents through a structured process, reviewing and improving your security posture regularly, and demonstrating compliance to auditors and customers.

ISO/IEC 27001:2022 — The Standard

ISO 27001 is the international standard that defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The 2022 revision has two main parts:

Clauses 4–10 (Mandatory requirements): These 23 requirements cover the management system itself — context of the organisation, leadership commitment, planning, support, operation, performance evaluation, and improvement. Every organisation seeking certification must meet all of these.

Annex A (Security controls): 93 controls covering specific security topics like access control, cryptography, physical security, and incident management. These are grouped into 4 themes: Organisational (37), People (8), Physical (14), and Technological (34). Together with the clauses, Cyberday tracks 116 requirements total.

The role of ISO 27002

While ISO 27001 tells you what controls to implement, ISO 27002 is the companion standard that tells you how to implement them. It provides detailed implementation guidance for each of the 93 Annex A controls. When you're working in Cyberday and see a task linked to an Annex A control, the implementation guidance you'll find is based on ISO 27002. Think of 27001 as the "requirements checklist" and 27002 as the "implementation cookbook."

Key Terms Reference

ISMS: Information Security Management System — the full set of policies, processes and controls
PDCA: Plan–Do–Check–Act, the continuous improvement cycle underpinning ISO 27001
Compliance score: In Cyberday, the percentage showing how many framework requirements are addressed by implemented tasks
Assurance value: In Cyberday, a measure of how much evidence exists to prove your compliance score is accurate
Control / Requirement: A measure that modifies or manages a risk — a policy, process, or technical safeguard
Risk treatment: The decision to accept, mitigate, transfer, or avoid a risk
Statement of Applicability: Document listing which requirements apply and their implementation status — required by clause 6.1.3
Theme: Cyberday's topic-based groupings (e.g., Technical cyber security, Risk management) that organise tasks
Task: The main content type in Cyberday — a specific action linked to one or more framework requirements
Documentation: Assets, records, and stakeholders that need systematic tracking (e.g., data systems, risks, incidents)
Guideline: Security rules distributed to employees for acceptance via the Guidebook view

Cyberday's Platform Structure

Cyberday (app.cyberday.ai) is a cloud-based ISMS platform. Its hierarchy works like this: you activate frameworks (e.g., ISO 27001), which generate tasks — the main content type. Tasks are organised into themes (permanent topic-based categories like "Technical cyber security" or "Risk management and leadership"). Each task links to one or more framework requirements.

Tasks have supporting content that serves as implementation evidence: documentation (assets, records, stakeholders), guidelines (rules distributed to employees), and reports (auto-generated documents like compliance reports). Together, these elements build your compliance score and assurance value.

Navigation overview: The top bar has three views: Guidebook (employee view), Taskbook (your personal tasks), and Organisation dashboard (admin view). The left sidebar gives access to Dashboard, Get started, Frameworks, Themes, Reporting, and content types like All tasks, All documentation, and All guidelines.
Knowledge check
What does the Plan–Do–Check–Act cycle represent in the context of an ISMS?
A four-phase project with a fixed end date
A continuous improvement cycle for managing information security
The four Annex A control categories in ISO 27001
A risk assessment methodology used only during audits
Knowledge check
What is the relationship between ISO 27001 and ISO 27002?
They are two names for the same standard
ISO 27002 replaces ISO 27001 and is the newer version
ISO 27001 defines what controls to implement; ISO 27002 provides guidance on how
ISO 27001 is for large enterprises; ISO 27002 is for SMEs
Knowledge check
In Cyberday, what is the main content type that you work with to address framework requirements?
Reports
Themes
Tasks
Frameworks
Knowledge check
Put the following Cyberday elements in order from highest level (broadest) to most specific:
Task (e.g., "Publish information security policy")
Framework (e.g., ISO 27001)
Supporting content (documentation, guidelines, reports)
Theme (e.g., "Risk management and leadership")
Task 1 · 15 minutes

Set Up NordChem & Complete Onboarding

Monday morning — Your desk
You sit down at your new desk and open your laptop. Time to get started. You've heard about Cyberday — a cloud-based ISMS platform that can help you build an information security management system from scratch. You decide to set up NordChem's account and see what you're working with.
Jarkko Virtanen, IT Manager

"I've set up a trial account for you at app.cyberday.ai. The credentials are in your inbox. Let me know if you need anything — I've been wanting someone to take the lead on this for a long time."

1
Set Up NordChem & Complete Onboarding
⏱ 15 min
Objective Create the NordChem Oy organisation in Cyberday, select ISO 27001 as your target framework during onboarding, and understand the Getting Started checklist structure.
  1. Go to app.cyberday.ai and sign in with the credentials provided by your instructor.
    If you are creating a fresh trial account, click Start free trial and register with your email.
  2. Follow the setup wizard to create your organisation. Name it NordChem Oy and choose the industry that best fits a chemicals manufacturer.
    The industry profile helps Cyberday tailor its recommendations — this is part of profiling your organisation for relevant framework coverage.
  3. After you have created your organisation, you will be taken to the "Get Started" onboarding. Choose and activate your first framework: ISO 27001:2022 3: Full.
    Selecting the framework tells Cyberday which requirements to track and generates the initial ISMS structure.
  4. You have now created an ISMS baseline and chosen your first framework. You can return to the onboarding flow from the left navigation at any point. Let's move on to the first tasks.
Platform check
Look at the Get started checklist. What is the exact name of the third step?
Knowledge check
The first onboarding step asks you to "profile your organization." Why does Cyberday do this before showing compliance tasks?
To calculate your invoice amount based on company size
To tailor recommendations to your industry, size, and risk context — matching ISO clause 4.1 (understanding the organisation)
It's a mandatory legal requirement in the EU before using any compliance tool
To automatically generate your ISO 27001 certificate
Knowledge check
Why must you select a framework (step 2) before you can "Draft your ISMS" (step 3)?
Cyberday needs to know which requirements to generate tasks and content for
It's just a UI limitation — the steps could be done in any order
The framework must be purchased separately before drafting
You need ISO certification before starting any ISMS work
Key Takeaways
  • Every ISMS starts with understanding your organisation's context — size, industry, and risks shape your controls
  • Selecting a framework before drafting ensures Cyberday generates relevant tasks and requirements
  • The onboarding checklist gives you a clear path from setup to your first compliance baseline
Task 2 · 12 minutes

Explore the ISO 27001 Framework & Themes

Monday afternoon
With NordChem's organisation set up in Cyberday, your next step is to explore the Frameworks page — confirming ISO 27001:2022 is active, understanding how Cyberday organises requirements into Themes, and learning about multi-framework support.
You, CISO

"Jarkko, I've got ISO 27001 activated from onboarding. Now I want to understand how Cyberday actually structures the work — themes, tasks, compliance levels. Can you walk me through it?"

Jarkko Virtanen, IT Manager

"Sure. Head to the Frameworks page first — you'll see the framework card with compliance levels and a goal score. Then check out the THEMES section in the sidebar. Those are Cyberday's own practical categories, not the Annex A structure. They group related tasks together so day-to-day work is easier."

2
Explore the ISO 27001 Framework & Themes
⏱ 12 min
Objective Explore the Frameworks page to confirm ISO 27001:2022 is active, understand how Cyberday organises requirements into Themes, and learn about multi-framework support.
  1. Close the onboarding from the bottom and, in the left sidebar, click Frameworks. You'll see "Edit frameworks" and a list of active frameworks.
    Cyberday supports many frameworks (ISO 27001, NIS2, ISO 9001, etc.) that can be active simultaneously.
  2. Click "Edit frameworks" and verify ISO 27001:2022 is active (toggled ON from your onboarding). Explore the framework card — it shows compliance levels and a goal score.
    Don't activate NIS2 or other frameworks yet — those may be covered in future case studies.
  3. Now look at the left sidebar under the THEMES heading. These are Cyberday's own practical topic-based categories — not the ISO 27001 Annex A categories. Click Show more themes to see the full list.
    Themes like "Risk management and leadership", "System management", "Incident management" group related tasks for easier day-to-day work.
  4. Click on any theme to see tasks inside it. Notice each task shows a status, a link to the underlying ISO requirement, and an assurance value. Take note of your starting Compliance score: 0% — this is your baseline.
  5. Browse the "Edit frameworks" list. Notice that Cyberday supports multi-framework compliance: many tasks connect to requirements across multiple frameworks, so work done for ISO 27001 can also count towards NIS2 or other standards.
    This "smart mapping" means you don't have to redo work when you activate a new framework later.
🖥 Platform check · Framework card
On the ISO 27001:2022 framework card, how many compliance levels are shown?
2 levels
3 levels
4 levels
5 levels
🖥 Platform check · Themes
What is the first theme listed under the THEMES section in Cyberday's left sidebar?
📘 Knowledge · Multi-framework
Why is Cyberday's multi-framework task mapping valuable for organisations?
It lets you skip frameworks you don't need
Work done for one standard (e.g., ISO 27001) automatically counts towards overlapping requirements in other standards, reducing duplicate effort
It means you only need to implement one framework
It guarantees certification in all activated frameworks simultaneously
Key Takeaways
  • ISO 27001:2022's 93 controls are addressed through tasks grouped into Cyberday's own themes, which map directly to its navigation
  • Multi-framework mapping means one task can satisfy multiple standards, reducing duplicate work
  • Compliance levels help you set realistic targets and track progress over time
Task 3 · 20 minutes

Draft Your ISMS & Configure the Security Policy Report

Tuesday — Day 2
Maria Lindqvist, CEO

"Quick update — the board meeting has been moved to next Friday. I'll need your action plan by then. How are things going?"

You, CISO

"Good progress, Maria. I've activated ISO 27001 in Cyberday and explored the framework structure. Today I'm going to draft our ISMS and set up the Information Security Policy report — the most fundamental document an auditor will ask for."

Cyberday's "Draft your ISMS" step generates an initial ISMS structure based on your organisation profile and the active framework. But a generic template will fail an audit — you need to customise it for NordChem's specific context, assign the right roles, and understand the report workflow.
⚠️ Important terminology: In Cyberday, requirements are the rules from the framework (e.g., ISO 27001 clause 5.2). Tasks are the practical actions you implement to meet those requirements. Don't confuse them — a requirement can have multiple tasks, and a task can serve multiple requirements.
3
Draft Your ISMS & Configure the Security Policy Report
⏱ 20 min
Objective Use Cyberday's "Draft your ISMS" onboarding step to generate NordChem's initial ISMS structure, then locate and configure the Information Security Policy report and the ISMS Description and Scope report.
  1. Go to Get started in the sidebar. Click the "Draft your ISMS" button on the third onboarding step.
    Cyberday generates a draft ISMS based on your org profile and active framework — pre-filling policies and tasks with best-practice templates.
  2. Once drafting completes, navigate to Reporting in the sidebar. Find the "ISMS description and scope" report under the "Document" header. Generate the report and open it. Look through the report to see where the ISMS scope is defined.
    The scope defines the boundary of your ISMS — what's included and what's not. Auditors check this carefully.
  3. Now find the "Information security policy — report publishing, informing and maintenance" task. Navigate via the Risk management and leadership theme in the sidebar, or search in All tasks.
    This task addresses ISO 27001 requirement 5.1 "Policies for information security."
  4. Open the linked report. Before you can assign an owner, you must first activate the report. Then set yourself (CISO) as the Owner: at the top left, under "Select owner", choose "Assign user" and pick yourself.
    Setting an owner ensures someone is accountable for keeping the report up to date and reviewing it regularly.
  5. As you can see, the policy is auto-generated, and it will need to be customised to your company's context. At this stage you can leave it as a template, but before moving on, set a review cycle for the policy: click the three dots at the top right and choose "Enable review". For this policy, choose Yearly.
    Regular reviews ensure policies stay relevant as the organisation evolves. ISO 27001 expects policies to be reviewed at planned intervals.
📝 Why customise? Cyberday auto-generates drafts using best practices, but a generic template will fail an audit. The auditor needs to see that NordChem has thought about its own context — its industry-specific risks, regulatory environment, and operational scope.
📘 Knowledge · Scope location
Where should you update NordChem's ISMS scope (mentioning 210 employees, OT/IT systems)?
In the task description field of any task
In the "ISMS description and scope" report under Reporting
In the Frameworks page settings
In the organisation profile during onboarding only
🖥 Platform check · Correct terminology
In Cyberday, what is the correct term for the person who approves/signs off on a report? (Not "Approver")
📘 Knowledge · Report workflow
Before you can assign a Reviewer to a report in Cyberday, what must you do first?
Complete all tasks linked to the report
Activate the report
Get CEO email approval
Reach 50% compliance score
🎭 Scenario · Audit risk
What is the main risk of publishing Cyberday's auto-generated policy without customising it for NordChem?
The policy will expire after 30 days
Auditors will flag it as generic and not organisation-specific, potentially failing the audit
Cyberday will deactivate the framework
Other employees won't be able to see it
Key Takeaways
  • The ISMS description and scope report defines what your security system covers — this is what auditors check first
  • Auto-generated policies save time, but must be customised to reflect your actual operations
  • Setting report owners and review cycles creates accountability and keeps documentation current
Task 4 · 12 minutes

Explore the Compliance Report & Requirement Structure

Wednesday — Day 3
Now that you've drafted your ISMS, let's see how Cyberday tracks your compliance progress. The compliance report is one of the most important views — it shows every requirement, which tasks address it, and the overall compliance score.
You, CISO

"Jarkko, the ISMS draft is done and the security policy is configured. Now I need to understand the full compliance picture — how many requirements we're tracking, how they're structured, and what the SoA looks like."

Jarkko Virtanen, IT Manager

"Good thinking. The compliance report is where everything comes together. You'll see the full and condensed views — the condensed one is basically your Statement of Applicability. Schneider's auditor will want to see that first."

4
Explore the Compliance Report & Requirement Structure
⏱ 12 min
Objective Navigate to the ISO 27001 compliance report, understand the difference between the Full Compliance view and the Condensed SoA view, and explore how requirements link to tasks.
  1. In the left sidebar, go to Reporting. Find and open the ISO 27001 compliance report.
    It opens in "Full compliance view" by default, showing the overall score and requirement breakdown by theme.
  2. Explore the Full compliance view. Note how requirements are grouped by categories (matching Cyberday's theme structure). Click on any requirement to see which tasks are linked to it.
    Remember: requirements are from the framework; tasks are your implementation actions. A requirement may have multiple tasks.
  3. At the top of the report, click the "Condensed SoA view" button. This switches to a table showing: ID, Requirement name, Status, Tasks, Applicability, Description, Assurance.
    The SoA (Statement of Applicability) is required by ISO 27001 clause 6.1.3 — it's one of the first documents an auditor requests.
  4. Scroll through the SoA table. Notice it starts with mandatory clauses (requirements 4.1 to 10.2) followed by Annex A controls grouped by category: 5 (Governance), 6 (People), 7 (Physical), 8 (Technological).
    The Annex A categories (Organisational, People, Physical, Technological) are ISO's own groupings — different from Cyberday's practical Themes.
📘 Knowledge · ISO structure
The 93 Annex A controls in ISO 27001:2022 are grouped into how many categories?
4 categories (Organisational, People, Physical, Technological)
7 categories matching Cyberday themes
14 categories (one per Annex A domain)
2 categories (mandatory and optional)
🖥 Platform check · Requirement count
How many total requirements does Cyberday track for ISO 27001:2022? (Clauses + Annex A combined)
93 (Annex A controls only)
116 (23 clauses + 93 Annex A controls)
150 (including additional Cyberday-specific requirements)
210 (one per employee)
📘 Knowledge · Requirements vs Tasks
Drag each item to the correct order: first all Requirements (from the standard), then all Tasks (Cyberday implementation actions):
Publish information security policy report (Task)
5.1 Policies for information security (Requirement)
Assign owner and enable review cycle (Task)
6.1.3 Information security risk treatment (Requirement)
🎭 Scenario · SoA purpose
The German customer asks to see evidence of NordChem's security posture before certification is complete. Which document can you share now to build trust?
The organisation profile page
A screenshot of the dashboard
The Statement of Applicability (SoA) — showing all 116 requirements have been assessed
The employee guidebook
Key Takeaways
  • The Statement of Applicability (SoA) is a mandatory ISO 27001 document linking every Annex A control to your ISMS
  • Requirements connect to tasks — understanding this link shows how daily work translates to compliance evidence
  • The Full vs Condensed SoA views serve different audiences: internal teams vs external auditors
Task 5 · 15 minutes

Explore the Taskbook & Plan Your First Actions

Wednesday afternoon
With your ISMS drafted and the compliance report explored, it's time to understand how day-to-day work is organised. Cyberday's "What's Next" roadmap splits ISMS implementation into three phases to prevent you from getting overwhelmed.
Maria Lindqvist, CEO

"The board will want to see specifics — not just 'we'll implement ISO 27001.' They need to know: what are we doing first, who is responsible, and when will each step be done?"

You, CISO

"I'll use the Taskbook to build our action plan. Cyberday has a three-phase roadmap that keeps us focused — foundation first, then systematic management, then continuous improvement. Let me map out Phase 1 priorities."

Cyberday's Three-Phase ISMS Roadmap
Phase 1 — Building your ISMS foundation: Establish ISMS team & assign roles, improve compliance score to initial level, create & assign your asset inventory
Phase 2 — Running systematic information security management: Start risk management, create personnel security guidelines, create partner inventory, build key reports, improve assurance to intermediate
Phase 3 — Building continuous ISMS improvement: Handle incidents, conduct management review, perform internal audit, publish Trust Center, start vendor assessments
5
Explore the Taskbook & Plan Your First Actions
⏱ 15 min
Objective Use the Taskbook and All Tasks views to understand task statuses, learn about task prioritisation, and identify the first actions NordChem should focus on in Phase 1 of the ISMS roadmap.
  1. Click Taskbook in the top navigation. This is your personal view — "My cyber security responsibilities" — showing only tasks assigned to your account.
    For the full organisation view, use "All tasks" in the sidebar.
  2. Notice the task status categories: Needs attention (highest priority — blocking compliance), Pending, Active, and Done.
    "Needs attention" tasks are blocking your compliance progress — start with these.
  3. Go back to the dashboard from the top and navigate to All tasks (sidebar). Browse the full task list. Look for foundational tasks from the Risk management and leadership theme — these are the building blocks other tasks depend on.
    Key Phase 1 foundations: ISMS policy, roles and responsibilities, asset inventory. These must come before risk treatment.
  4. Identify 10 priority tasks for the first 8 weeks (Phase 1). Consider assigning owners — at least 3 tasks should go to other team members (IT Manager, HR Lead, Operations Lead). Set realistic due dates.
    Phase 1 focus: team setup, initial compliance, asset inventory. Don't jump ahead to risk management or incident handling yet.
⚠️ Prioritisation principle: Don't try to do everything at once! The roadmap phases exist to prevent people from diving too fast into challenging topics before completing the basics. If you diligently work through tasks without phasing, you can get stuck perfecting documentation or start working too early on risk management.
🖥 Platform check · Personal task view
What is the subtitle shown on the Taskbook page that describes its purpose?
📘 Knowledge · Task priority order
Put these Cyberday task statuses in order from most urgent to least urgent:
Active
Needs attention
Done
Pending
📘 Knowledge · Phase 1 priorities
According to the three-phase roadmap, which activities belong to Phase 1 (Foundation)?
Start risk management, create partner inventory, build key reports
Establish ISMS team & assign roles, improve compliance score to initial level, create asset inventory
Perform internal audit, publish Trust Center, handle incidents
All of the above — everything should start simultaneously
🎭 Scenario · Task delegation
Why is it important to assign at least some tasks to people other than the CISO?
To reduce the CISO's salary
Because ISO 27001 requires that security is everyone's responsibility, and different people have the expertise and authority for different areas
Because Cyberday limits the number of tasks per user
It's not important — the CISO should own everything
Key Takeaways
  • Task statuses (Needs attention, Pending, Active, Done) create a natural priority queue for your compliance work
  • Phase 1 focuses on governance foundations — roles, policies, and asset inventory come before technical controls
  • Distributing task ownership across the organisation prevents CISO bottleneck and builds shared accountability

Task 6 · 15 minutes

Build NordChem's Asset Inventory & Documentation

With the taskbook explored and a clear three-phase roadmap in hand, it's time to start building NordChem's documentation foundation. Documentation in Cyberday refers to any security-related items that need systematic tracking. There are three main types: assets (data systems, physical assets, people), records (risks, incidents, audits, non-conformities), and stakeholders (system providers, data processors, partners).
Jarkko Virtanen, IT Manager

"I've been managing our systems informally — SAP ERP, the SCADA network, Microsoft 365, and the Customer Portal. But there's no central register. When the auditor asks "what systems do you have and who owns them?" — we'd be scrambling."

You, CISO

"That's exactly what we'll fix now. Cyberday has documentation lists pre-linked to tasks. When we add our assets, the tasks that require asset evidence get stronger assurance automatically."
6
Build NordChem's Asset Inventory & Documentation
⏱ 15 min
Objective: Understand Cyberday's documentation system (assets, records, stakeholders), create NordChem's initial asset inventory, and learn how documentation links to tasks as supporting evidence. This is a key Phase 1 activity.
  1. In the left sidebar under CONTENT TYPES, click All documentation. Browse the different documentation lists available.
    You'll see lists grouped by type — asset lists (data systems, physical assets, etc.) and record lists (risks, incidents, etc.).
  2. Open Data systems under the Asset documentation lists. Add NordChem's key systems: SAP ERP, SCADA/OT network, Microsoft 365, and Customer Portal. Cyberday offers a pre-made library, but for this exercise scroll to the bottom of the list and add these four key systems manually. For each, set an owner and fill in the basic details.
    Asset owners are the people responsible for the system — e.g., the IT Manager might own SAP ERP, the Operations Lead owns SCADA.
  3. Now, from the left navigation, open the System management theme, which covers asset documentation. Inside the theme, open Documentation. Notice that it is pre-linked to the data systems documentation table.
    This link is the key — the documentation serves as evidence that the task has been implemented. Adding assets here increases the task's assurance value.
  4. Browse the Risk documentation list. This is where NordChem's risk register will live. Note that it's currently empty — risk management belongs to Phase 2, so leave this for later.
    The roadmap phases recommend building the foundation first (team, compliance, assets) before diving into risk management.
Assurance value explained: While compliance score shows how many requirements you've addressed, assurance value shows how much evidence you have to prove it. Adding documentation, assigning owners, writing process descriptions, and enabling periodic reviews all increase assurance. Together, compliance score and assurance value paint the full picture of your ISMS maturity.
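To make the structure from Task 4 (requirements, tasks, compliance score, condensed SoA) and Task 6 (documentation as evidence, assurance value) concrete, here is an added Python model. It is constructed for this case study and is not Cyberday's code: the status names and SoA column headings come from the page, while the scoring rules, the NIS2 requirement id, and the task names marked "constructed" are assumptions.

```python
"""Toy model of the structure this case study describes: frameworks generate
requirements, tasks address one or more requirements (possibly across
frameworks), and documentation linked to a task is evidence.
Sample data is constructed for NordChem; the scoring rules are assumptions,
not Cyberday's actual formulas."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Requirement:
    framework: str           # e.g. "ISO 27001:2022"
    rid: str                 # clause or Annex A control id, e.g. "6.1.3"
    name: str
    kind: str                # "clause" (mandatory 4-10) or "annex" (Annex A control)
    applicable: bool = True  # SoA applicability decision for this organisation


@dataclass
class Task:
    name: str
    status: str                          # "Needs attention" | "Pending" | "Active" | "Done"
    requirements: List[Tuple[str, str]]  # (framework, rid) pairs this task serves
    owner: str = ""                      # accountable person; empty means unassigned
    evidence: List[str] = field(default_factory=list)  # linked documentation items
    review_enabled: bool = False         # periodic review configured on the task/report


ISO = "ISO 27001:2022"
NIS2 = "NIS2"  # second framework, present only to show multi-framework mapping

# Constructed NordChem sample. Ids 5.1 and 6.1.3 and their names are taken from
# the page; 5.9 is Annex A's asset-inventory control; the NIS2 id is a placeholder.
REQUIREMENTS = [
    Requirement(ISO, "6.1.3", "Information security risk treatment", "clause"),
    Requirement(ISO, "5.1", "Policies for information security", "annex"),
    Requirement(ISO, "5.9", "Inventory of information and other associated assets", "annex"),
    Requirement(NIS2, "NIS2-PLACEHOLDER-1", "Constructed NIS2 policy requirement", "clause"),
]

TASKS = [
    # One task serving requirements in two frameworks: the "smart mapping" from Task 2.
    Task("Publish information security policy report", "Done",
         [(ISO, "5.1"), (NIS2, "NIS2-PLACEHOLDER-1")], owner="CISO",
         evidence=["Information security policy report"], review_enabled=True),
    Task("Assign owner and enable review cycle", "Done", [(ISO, "5.1")], owner="CISO"),
    Task("Data system listing and ownership (constructed)", "Active", [(ISO, "5.9")],
         owner="IT Manager",
         evidence=["SAP ERP", "SCADA/OT network", "Microsoft 365", "Customer Portal"]),
    Task("Document risk treatment decisions (constructed)", "Needs attention", [(ISO, "6.1.3")]),
]


def tasks_for(req: Requirement, tasks: List[Task]) -> List[Task]:
    """All tasks linked to a requirement (a requirement may have several tasks)."""
    return [t for t in tasks if (req.framework, req.rid) in t.requirements]


def compliance_score(framework: str, reqs: List[Requirement], tasks: List[Task]) -> float:
    """Share of applicable requirements addressed by at least one Done task (assumed rule).
    Not-applicable requirements leave the denominator, as an SoA exclusion would."""
    applicable = [r for r in reqs if r.framework == framework and r.applicable]
    if not applicable:
        return 0.0
    addressed = [r for r in applicable
                 if any(t.status == "Done" for t in tasks_for(r, tasks))]
    return round(100.0 * len(addressed) / len(applicable), 1)


def assurance_value(task: Task) -> int:
    """0..3: one point each for an assigned owner, linked evidence and an enabled
    review. Assumed scale mirroring the page's list of what raises assurance."""
    return int(bool(task.owner)) + int(bool(task.evidence)) + int(task.review_enabled)


def requirement_status(linked: List[Task]) -> str:
    """Roll linked task statuses up to the requirement (assumed precedence)."""
    if not linked:
        return "No tasks"
    if all(t.status == "Done" for t in linked):
        return "Done"
    if any(t.status == "Needs attention" for t in linked):
        return "Needs attention"
    return "In progress"


def condensed_soa(framework: str, reqs: List[Requirement], tasks: List[Task]) -> List[Dict]:
    """Rows with the columns named in Task 4, mandatory clauses before Annex A controls."""
    ordered = sorted((r for r in reqs if r.framework == framework),
                     key=lambda r: (r.kind != "clause", r.rid))  # string sort suffices here
    rows = []
    for r in ordered:
        linked = tasks_for(r, tasks)
        evidence = set().union(*(t.evidence for t in linked))
        rows.append({
            "ID": r.rid,
            "Requirement name": r.name,
            "Status": requirement_status(linked) if r.applicable else "Not applicable",
            "Tasks": [t.name for t in linked],
            "Applicability": "Applicable" if r.applicable else "Not applicable",
            "Description": f"{len(linked)} task(s), {len(evidence)} evidence item(s)",
            "Assurance": max((assurance_value(t) for t in linked), default=0),
        })
    return rows


def scores(reqs: List[Requirement], tasks: List[Task]) -> Dict[str, float]:
    """Compliance score per active framework."""
    return {fw: compliance_score(fw, reqs, tasks) for fw in sorted({r.framework for r in reqs})}


if __name__ == "__main__":
    for row in condensed_soa(ISO, REQUIREMENTS, TASKS):
        print(row)
    print(scores(REQUIREMENTS, TASKS))  # {'ISO 27001:2022': 33.3, 'NIS2': 100.0}
```

Note that the policy task is Done and counts for both frameworks at once, while the Active asset-inventory task already carries evidence (assurance 2) without yet raising the compliance score.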
Knowledge
What are the three main types of documentation in Cyberday?
  • Policies, procedures, and reports
  • Assets, records, and stakeholders
  • Tasks, themes, and frameworks
  • Guidelines, controls, and evidence
Knowledge
What does assurance value measure in Cyberday?
  • The number of frameworks activated
  • How many employees have read guidelines
  • How much evidence exists to prove your compliance score is accurate
  • The financial investment in security tools
Scenario
At NordChem, who would be the most appropriate asset owner for the SCADA/OT network?
  • The CEO
  • The CISO (you)
  • The Operations/Production Lead who manages the manufacturing systems
  • The HR department
Knowledge
Put these ISMS activities in the correct order from Phase 1 (Foundation) to Phase 3 (Continuous Improvement):
  • Conduct internal audit and management review
  • Establish ISMS team, assign roles, create asset inventory
  • Publish Trust Center and start vendor assessments
  • Start risk management, create personnel guidelines, build key reports
Key Takeaways
  • An asset inventory is the foundation of risk management — you cannot protect what you have not documented
  • Assurance value measures evidence completeness, not just whether a task checkbox is ticked
  • Linking data systems to themes creates traceability from assets to the controls that protect them

Task 7 — Create Personnel Security Guidelines

Guidelines are security rules distributed to all employees (or specific organisational units) for acceptance. They form the Guidebook — the employee-facing view where staff read and acknowledge security policies. Many personnel-related tasks are pre-linked to guidelines as their main assurance, because admins can't implement these alone — they need employees to follow secure practices.
That phishing attack still worries me. Two accounts compromised and we never even documented it. How do we make sure every one of our 210 employees knows how to spot a phishing email?
We'll activate security guidelines in Cyberday and push them to the Guidebook. Every employee will need to read and accept them. We can track acceptance rates — if only 50 of 210 have acknowledged, that's a gap the auditor will notice.
The Guidebook sounds like exactly what we need. Staff see their personal security responsibilities in one simple view — not the full ISMS complexity.
Task 7 · ~12 min
Objective: Understand how Cyberday's Guidelines and Guidebook work, activate security guidelines for NordChem employees, and see how personnel-related tasks use guidelines as their main assurance. Guidelines bridge Phase 1 (foundation) and Phase 2 (systematic management).
  1. Switch to the Guidebook view using the top navigation bar. This is what NordChem's 210 employees will see — their personal security responsibilities and guidelines to accept.
    The Guidebook is the "employee experience" of the ISMS. It's designed to be simple and clear, not overwhelming.
  2. Switch back to the Organisation dashboard (top nav). In the sidebar, under themes click Email and phishing. Then click "Guidelines" and browse the available guidelines.
    Cyberday provides pre-made guideline examples that you can activate, or you can create custom ones.
  3. Activate at least two guidelines relevant to NordChem: one on phishing/email security theme (critical given the recent incident!) and one on mobile device use theme.
    Remember the phishing attack that compromised two employee accounts? Guidelines are how you prevent recurrence by training all staff.
NordChem context: Given the phishing incident that was never documented, activating phishing awareness guidelines is especially urgent. You'll want to track acceptance rates — if only 50 of 210 employees have acknowledged the guideline, that's a gap the auditor will notice.
Platform check
Which top navigation view do employees use to read and accept security guidelines?
  • Taskbook
  • Organisation dashboard
  • Guidebook
  • Reporting
Knowledge
Why are many personnel-related tasks pre-linked to guidelines rather than documentation?
  • Because guidelines are cheaper to produce than documentation
  • Because admins can't fully implement personnel security alone — employees need to be instructed and accept the rules
  • Because ISO 27001 doesn't require personnel documentation
  • Because documentation is only for IT systems
Scenario
NordChem's phishing incident compromised two accounts but was never documented. Which two actions address this gap? (Select the best answer)
  • Create a phishing awareness guideline AND document the incident in the risk/incident records
  • Fire the affected employees AND block all external email
  • Increase the compliance score AND publish the Trust Center
  • Add more Annex A controls AND reset all passwords
Platform check
Name the three views available in Cyberday's top navigation bar:
Key Takeaways
  • Guidelines are employee-facing documents that create auditable proof of security awareness
  • Activating guidelines in relevant themes (phishing, mobile) directly addresses your organisation's real risks
  • Personnel controls often require the least technical effort but deliver the highest risk reduction

Task 8 — Generate the SoA & Map Your Certification Roadmap

This is the culmination of your work. The CEO asked for a concrete plan within two weeks. You've now set up the ISMS, drafted policies, explored tasks, created documentation, and activated guidelines. Time to pull it all together with the Statement of Applicability and a clear phase plan.
The German customer's deadline is approaching. I need something I can show them — proof that we're serious about ISO 27001. What do we have?
We have exactly what they need: a Statement of Applicability covering all 116 requirements, with honest status tracking. Plus a three-phase roadmap showing our path to certification. It's not about being certified yet — it's about demonstrating a credible, structured approach.
And the best part — in Phase 3, we can publish a Trust Center. That's a public-facing compliance portal where the German customer can see our security posture in real time.
Task 8 · ~18 min
Objective — Final Task: Return to the compliance report's SoA view, analyse NordChem's current position, and map your work against the three-phase roadmap to create a credible certification plan.
  1. Return to the ISO 27001 compliance report. Click the "Update data" button on the left. Switch to the Condensed SoA view. Note the document title shown at the top.
    This is the document the auditor will ask for first. It lists every requirement and its status.
  2. Review the SoA table. Locate requirement 5.1 (Policies for information security). Check its current status — has it changed from your initial work?
    If you completed Task 3 properly, this should show some progress compared to the initial "Applicable & Not implemented" status.
  3. Review your overall compliance score on the dashboard. Compare it to the 0% baseline from Task 2. Even small progress demonstrates that the ISMS is actively being built.
    The score won't be high yet — that's expected. What matters is demonstrating a structured approach and active progress.
  4. Map your 2-week plan against the three-phase roadmap. In your first 2 weeks you should aim to complete Phase 1 goals: team & roles established, initial compliance score, asset inventory created. The phases below will test your understanding of what belongs where.
Certification timeline reality: ISO 27001 certification typically takes 6–12 months. Your 2-week plan isn't about getting certified — it's about demonstrating to the CEO and customer that NordChem has a credible, structured approach to certification. The SoA is your proof: all 116 requirements assessed, implementation actively underway, and a clear roadmap through the three phases.
Trust Center preview: In Phase 3, NordChem can publish a Trust Center — a public-facing compliance portal where customers and auditors can see your security posture. This is a powerful way to build trust with the German customer while certification is underway.
SoA Verification
After clicking "Condensed SoA view", what document title is shown at the top?
SoA Verification
What is the default status text for requirements in a brand new ISMS before any work is done?
Scenario
A colleague suggests marking unfinished requirements as "Implemented" in the SoA before sharing with the German customer. What's wrong with this?
  • Nothing — it's a common practice to show ambition
  • It misrepresents NordChem's actual security posture, will fail an audit, damages trust, and could have legal consequences
  • Cyberday won't allow status changes without evidence
  • The auditor won't check individual requirement statuses
Knowledge
Map these NordChem activities to the correct roadmap phase order (Phase 1 first → Phase 3 last):
  • Perform an internal audit of the ISMS
  • Publish NordChem's Trust Center for the German customer
  • Assign CISO role and establish the ISMS team
  • Start vendor security questionnaires with suppliers
  • Create NordChem's first personnel security guidelines
🏆

Case Study Complete!

You've built NordChem's ISMS foundation — from understanding ISMS concepts to generating a real Statement of Applicability and mapping a three-phase certification roadmap. The CEO now has a credible plan for the German customer.

Key Takeaways
  • The SoA is your primary certification evidence — auditors verify every claim against actual controls
  • A phased roadmap (Foundation, Systematic Management, Continuous Improvement) makes certification achievable
  • Honest status reporting builds credibility — marking incomplete controls as "Implemented" risks disqualifying your audit