What is the difference between a scan and a penetration test?
A vulnerability scan checks systems automatically against known technical weaknesses – fast, cost-effective, and well suited as a regular routine check. It shows where patches are missing, configurations are insecure, or known CVEs exist. A penetration test goes significantly deeper: security experts actively attempt to exploit gaps and simulate attack paths – as a real attacker would. The result is more meaningful but also more resource-intensive and should be deployed selectively, for example before certification, after major changes, or where risk is elevated. Compaas often recommends a tiered approach: regular scans as a baseline, penetration tests where risk justifies the depth.
How often should phishing simulations be run?
We generally recommend two to four campaigns per year – depending on industry, risk profile, and the maturity of your staff. One-off simulations only show a snapshot; repeated campaigns reveal trends and keep security awareness present. Compaas analyses click rates, reporting behaviour, and fraud indicators and adapts difficulty, scenarios, and follow-up training accordingly. After a campaign with notable results, targeted training follows for the affected groups – not blanket briefings for everyone. This measurably improves awareness instead of merely producing an audit checkbox.
Is the training platform GDPR-compliant?
Yes. Compaas configures training platforms in a privacy-compliant way: data processing agreements with the provider, minimal data collection, defined retention periods, and access restrictions. Training records – who completed which module and when – are documented so they serve as evidence in internal audits and certification. Compaas ensures training content matches your compliance requirements and is updated regularly. Where needed, tailored content is added, for example on industry-specific risks or your organisation's internal policies.
Who are phishing simulations suitable for?
Phishing simulations are suitable for any organisation where staff receive emails and click links or attachments – which is practically everywhere. They are especially valuable when ISO 27001, customer requirements, or internal policies demand demonstrable awareness measures. Compaas adapts scenarios to your industry: from generic IT support fraud to CEO fraud and industry-specific lures. Simulations are not a tool to catch people out but to make realistic risks tangible and train selectively. Results are aggregated and handled confidentially – the goal is improvement, not sanctioning individuals.
When is a penetration test sensible and when is a scan enough?
A scan is enough when you want to regularly verify technical baseline security – missing updates, open ports, default configurations. A penetration test makes sense when you need to know whether an attacker could actually penetrate your systems or exfiltrate data – for example before ISO 27001 certification, after a system change, for exposed web applications, or when scans repeatedly show critical findings. Compaas advises on appropriate scope: from focused testing of individual applications to broader assessments. This way you invest in depth where risk justifies it without unnecessary cost for standard monitoring.
Which systems and infrastructure can be tested?
Compaas typically tests networks, servers, web applications, cloud services, VPN access, and selected endpoint configurations – aligned to your IT landscape. Before each test, Compaas defines scope, objectives, and exclusions together with you so production systems are not unintentionally affected. Hybrid environments with on-premise and cloud can also be included. Results are prioritised: critical findings with remediation guidance, medium risks with implementation suggestions, and accepted residual risks with justification. On request, Compaas supports remediation and verifies closed findings.
How are training results documented for audits?
Compaas documents participation rates, completion rates, and timestamps per employee and training module – exportable for internal audits and certification evidence. Reports show which mandatory training modules are complete, where catch-up is needed, and how completion rates develop over time. For ISO 27001 and comparable standards, demonstrable awareness is a recurring audit topic; Compaas ensures your documentation is not hastily assembled just before the audit. Regular reports to IT leadership or the information security officer make progress visible and enable targeted follow-up.
How do technical measures integrate into existing ISMS processes?
Technical services are not an isolated IT project but part of your information security management system. Compaas links scan results, penetration test reports, and training evidence to your risk assessment, action plans, and continual improvement. Findings are classified as risks or nonconformities, measures are prioritised, and progress is tracked. This creates a closed loop: identify, assess, treat, verify – as ISO 27001 requires. Whether Compaas also supports your ISMS or works with your internal information security officer (ISO), technical results flow into your compliance documentation in a structured way.