Overview
LowerPlane’s training module helps you build and maintain a security awareness program that satisfies compliance requirements across ISO 27001, SOC 2, HIPAA, and PCI-DSS. Create training courses, assign them to employees or groups, track completion rates, and run phishing simulation campaigns to test employee readiness.
Training Courses
Training courses are the building blocks of your security awareness program. Each course contains educational content that employees must complete.
Course Properties
| Field | Description |
|---|---|
| Title | Name of the training course |
| Description | Summary of what the course covers |
| Type | Category of training (see types below) |
| Duration | Estimated completion time in minutes |
| Pass Score | Minimum score required to pass (percentage) |
| Mandatory | Whether the course is required for all assigned employees |
| Frequency | How often the course must be retaken: once, monthly, quarterly, or annually |
| Content URL | Link to the training content (video, document, or external LMS) |
| Status | Active, Draft, Archived, or Scheduled |
Course Types
Security Awareness
General security hygiene: password management, social engineering, data handling, and incident reporting.
Compliance
Framework-specific training: HIPAA privacy rules, GDPR data subject rights, PCI-DSS cardholder data handling.
Technical
Technical security training: secure coding practices, infrastructure security, vulnerability management.
Phishing Simulation
Simulated phishing exercises that test employee ability to identify and report suspicious emails.
Policy Review
Required reading and acknowledgment of organizational security policies.
Custom
Organization-specific training content created for your particular needs.
Creating a Course
Configure Content
Set the content URL, duration, pass score, and frequency. Mark the course as mandatory if all assigned employees must complete it.
Training Assignments
Assignments link courses to employees. When you assign a course, each targeted employee receives a training task with a due date.
Assigning Training
You can assign courses to:
- Individual employees — select specific people from the directory
- Groups — assign to an entire security group, and all members receive the assignment
- All employees — assign to the entire organization
Assignment Statuses
| Status | Description |
|---|---|
| Not Started | The employee has not yet begun the course |
| In Progress | The employee has started but not completed the course |
| Completed | The employee has finished the course and met the pass score |
| Overdue | The course deadline has passed without completion |
| Failed | The employee completed the course but did not meet the pass score |
Completion Tracking
The training module provides detailed completion metrics:
| Metric | Description |
|---|---|
| Total Enrolled | Number of employees assigned to the course |
| Completed | Number of employees who have finished the course |
| In Progress | Number of employees currently working on the course |
| Overdue | Number of employees past their deadline |
| Pass Rate | Percentage of completions that met the pass score |
Course Detail View
Click on a course to see the full detail page, which includes:
- Course metadata and configuration
- Assignment list with individual completion status
- Completion statistics and trends
- Options to send reminders to overdue employees
Phishing Simulation Campaigns
Phishing campaigns test your employees’ ability to identify and report suspicious emails. These campaigns provide measurable data on your organization’s susceptibility to social engineering attacks.
Creating a Phishing Campaign
Create Campaign
Click Create Campaign and configure:
| Field | Description |
|---|---|
| Name | Campaign name for internal reference |
| Description | Purpose and goals of the campaign |
| Email Template | The phishing email template to use |
| Template Type | Category of phishing attempt |
| Difficulty | Easy, Medium, or Hard |
| Target Type | Who receives the simulated phishing email |
| Target Groups | Specific groups to target |
| Launch Date | When to send the phishing emails |
| End Date | When the campaign concludes |
Campaign Statuses
| Status | Description |
|---|---|
| Draft | Campaign created but not yet scheduled |
| Scheduled | Campaign is set to launch at a future date |
| Active | Phishing emails have been sent and the campaign is collecting results |
| Completed | Campaign has ended and results are finalized |
| Paused | Campaign temporarily stopped |
Campaign Metrics
Phishing campaigns track key indicators:
- Emails Sent — total simulated phishing emails delivered
- Emails Opened — how many employees opened the email
- Links Clicked — how many employees clicked the phishing link
- Credentials Submitted — how many employees entered credentials on the fake page
- Reported — how many employees correctly reported the email as suspicious
Compliance Mapping
Training programs satisfy controls across frameworks:
| Framework | Control | Requirement |
|---|---|---|
| ISO 27001 | A.7.2.2 | Information security awareness, education, and training |
| SOC 2 | CC1.4 | Security awareness training |
| HIPAA | 164.308(a)(5) | Security awareness and training program |
| PCI-DSS | 12.6 | Security awareness program |
| GDPR | Article 39 | Data protection awareness |
Reminders and Notifications
- Assignment notifications — employees receive an email when a new training course is assigned
- Overdue reminders — send reminder emails to employees who have passed their training deadline
- Campaign notifications — managers are notified when phishing campaign results are available
Best Practices
- Make security awareness training mandatory for all employees, with annual recertification
- Use phishing simulations quarterly to maintain awareness and measure improvement
- Tailor training to roles — technical staff need different content than non-technical employees
- Track completion rates as a KPI and report them to leadership
- Follow up on phishing failures with targeted training for employees who clicked or submitted credentials
- Refresh content annually to address new threats and attack techniques