A CTF (Capture The Flag) is a security competition in which participants solve hands-on IT security challenges, such as finding vulnerabilities in web applications, reverse-engineering binaries, or cracking cryptography puzzles. Common formats are Jeopardy (independent challenges across categories, each worth points) and Attack-Defense (teams attack each other's live systems while defending their own).
In an ISMS context, CTFs provide a practice-oriented complement to the awareness program under ISO 27001 Annex A control A.6.3 (Awareness, Education and Training). For IT security teams, CTFs are an effective training tool that develops technical skills under realistic conditions. Internal CTFs can serve as team-building exercises while simultaneously revealing skill gaps. Platforms such as Hack The Box, TryHackMe, and OverTheWire offer permanent practice environments.