A phishing simulation is a controlled test where fake phishing emails are intentionally sent to an organization. The goal is to measure employee vigilance and uncover weaknesses in security awareness. Employees who fall for the simulated attack receive an immediate learning module. Over multiple simulation rounds, you can track progress and target follow-up training. Phishing simulations are a common tool for meeting the awareness requirements of ISO 27001 Clause 7.3. Communicate transparently in advance that simulations will take place (without revealing exact timing) to maintain workforce trust.