New content, folders reorganized

This commit is contained in:
Richard Kranendonk 2026-06-01 12:00:11 +02:00
parent f9ed01cdea
commit 2e796f4413
20 changed files with 47 additions and 0 deletions

BIN
marketing/.DS_Store vendored

Binary file not shown.


@ -0,0 +1,24 @@
Original post by Khansa Rahim: https://www.linkedin.com/posts/khansarahim_18000-thats-what-an-iso-27001-consultant-share-7466710362285993984-5Pnj
💸 £18,000. That's what an ISO 27001 consultant quoted me to copy-paste templates and disappear once the certificate was on the wall. So I rebuilt the role as 6 AI agents. It cost me almost nothing. Here's the team I built on Claude: ISMS Manager to locks down scope, context and leadership. Risk Manager to turn a blank spreadsheet into a scored risk register. Compliance Analyst to map your controls across all 93 and keeps SoA live. Internal Auditor to run the 100 questions a Stage 2 auditor asks. DPO to draft 72-hour breach notification before the clock beats you. CISO to orchestrates the entire ISMS. Keeps all 5 in sync. What it replaces: → The invoice that lands before any real work does → The deal you lost because a questionnaire wanted a cert you didn't have → The 9am "where's our SoA?" now a live doc 11 SMBs certified this way. Fintech, healthtech and B2B SaaS, most under 60 people. Quick gut check before you scroll: which ISO 27001 control gives your team the most grief - access control, risk treatment, or evidence? 💬 Comment COMPLIANCE and I'll send the full system: agent prompts, the Annex A control map, and the Stage 2 simulator. Every month you wait is another month of deals gated behind a cert you don't have. Know a founder or CISO bleeding cash on a slow engagement? 🔄 Repost this it'll save them more than anything in their feed today. (Connect first so I can DM you.)
![](AuditLens-agents-diagram.jpeg)
---
My comment:
As an auditor, I would ask the leadership of the client organization the following questions:
1) How did you decide on the scope? What are your business reasons for that choice? How does that choice affect the interests of your stakeholders?
2) How did you come to the risk scores on the spreadsheet? May I see the evidence of the risk analyses process you conducted? Who were involved and who signed off?
3) I see you have made choices in the application of your 93 controls, in terms of business processes and information assets. How did you come to the decisions? How did you tie it to the risk analyses?
4) Thats a very nice breach notification you got there! Would be a shame if a breach happened and you had no actual process implemented and resources assigned once it happens ...
5) Can I speak to the CISO? … oh, hes busy orchestrating and syncing agents? But in your role description it says shes a person and is managing real people?
You can't know the reasoning behing the algorithm.
You are creating a paper reality that has no relationship to what is actually going on in your organization.
Don't get me wrong: you can automate part of the ISMS. Like evidence collection for the implementation of technical controls, process completeness, drafting policies based on real, specific to the organization, variables.
But the essence is of risk management, controlling actual organizational processes, aantoonbaarheid, and accountability.
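Review bot: The Dutch word "aantoonbaarheid" in the last line will read as a typo to the English-speaking audience this file addresses; suggest "demonstrability" (or "auditability") to match the surrounding English. A few other spelling slips in the comment section: "behing" (behind), "Thats" (That's), "hes" and "shes" (he's, she's), and "the risk analyses process" reads better as "the risk analysis process". The pasted LinkedIn post on the second line is one unbroken paragraph with the "→" items run together; rendering it as a `>` block quote with line breaks before each "→" would keep the quoted post visually separate from "My comment:" below it. Finally, the image link `![](AuditLens-agents-diagram.jpeg)` is a relative path, but the rendered diff does not show a filename for the 45 KiB binary added in this commit, so please confirm that image is stored beside this file under exactly that name.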

Binary file not shown.



@ -0,0 +1,23 @@
**You can't automate ISO 27001 compliance**
Some vendors promise ISO 27001 certification at next to nothing, through the use of AI. Cheap, fast, and effortless. If it sounds too good to be true, it probably is.
It's true that AI tools can genuinely help with parts of an ISO 27001 implementation, reducing the repetitive work in documenting the ISMS, like drafting policies, issue tracking, document classification, and mapping controls. AI is great at producing documents. But a certification audit is more than a document review. It is designed to probe whether your ISMS reflects what actually happens in your organization.
These are some examples of questions to expect when you present essential documents to the certification auditor:
On the Scope Statement — How did you decide on this scope? What are your business reasons for that choice, and how does it affect your stakeholders?
On the Risk Register — How did you arrive at these risk scores? What method did you use for conducting the risk analysis? Who were involved, and who signed off?
On the Statement of Applicability — You have made choices in applying the 93 controls. How did you tie those choices to your risk analysis? To which information assets did you apply them specifically?
On your Incident Response Plan — Are the resources it mentions actually available if a breach happens? How and when did you last test these procedures? What were the findings and how did these contribute to the improvement of the plan?
On Policies and Procedures — Do the persons mentioned in these documents understand their responsibilities, and are they mandated to act on them? Can I speak with them?
The thing is, ISO 27001 isn't really about documents. It's about the reality they reflect. Your ISMS should be about responsibilities, creating awareness, making decisions and accounting for it the things that actually produce better information security.
Curious whether others are seeing this pattern: AI-assisted compliance that falls apart in an audit.
\#ISO27001 \#informationsecurity \#compliance \#ISMS
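Review bot: The five "On the … —" paragraphs (Scope Statement through Policies and Procedures) are meant as a list but are plain paragraphs, so they will render as one block of text; consider a markdown bullet per item so each question set stands on its own. Two grammar points: in the Risk Register item, "Who were involved" should be "Who was involved", and in the "The thing is" paragraph, "accounting for it the things that actually produce better information security" needs punctuation after "it" (for example "accounting for it: the things that actually produce better information security"). The escaped hashtags (`\#ISO27001` etc.) are fine for markdown but the backslashes will be pasted literally if this text is copied into LinkedIn, so note that in the file or keep an unescaped copy for posting.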