
Original post by Khansa Rahim: https://www.linkedin.com/posts/khansarahim_18000-thats-what-an-iso-27001-consultant-share-7466710362285993984-5Pnj

💸 £18,000. That's what an ISO 27001 consultant quoted me to copy-paste templates and disappear once the certificate was on the wall. So I rebuilt the role as 6 AI agents. It cost me almost nothing.

Here's the team I built on Claude:

- ISMS Manager to lock down scope, context and leadership.
- Risk Manager to turn a blank spreadsheet into a scored risk register.
- Compliance Analyst to map your controls across all 93 and keep the SoA live.
- Internal Auditor to run the 100 questions a Stage 2 auditor asks.
- DPO to draft the 72-hour breach notification before the clock beats you.
- CISO to orchestrate the entire ISMS and keep all 5 in sync.

What it replaces:

→ The invoice that lands before any real work does
→ The deal you lost because a questionnaire wanted a cert you didn't have
→ The 9am "where's our SoA?", now a live doc

11 SMBs certified this way. Fintech, healthtech and B2B SaaS, most under 60 people.

Quick gut check before you scroll: which ISO 27001 control gives your team the most grief: access control, risk treatment, or evidence?

💬 Comment COMPLIANCE and I'll send the full system: agent prompts, the Annex A control map, and the Stage 2 simulator. Every month you wait is another month of deals gated behind a cert you don't have.

Know a founder or CISO bleeding cash on a slow engagement? 🔄 Repost this; it'll save them more than anything in their feed today. (Connect first so I can DM you.)


My comment:

As an auditor, I would ask the leadership of the client organization the following questions:

  1. How did you decide on the scope? What are your business reasons for that choice? How does that choice affect the interests of your stakeholders?
  2. How did you come to the risk scores on the spreadsheet? May I see the evidence of the risk analysis process you conducted? Who was involved and who signed off?
  3. I see you have made choices in the application of your 93 controls, in terms of business processes and information assets. How did you come to the decisions? How did you tie them to the risk analysis?
  4. That's a very nice breach notification you've got there! It would be a shame if a breach happened and you had no actual process implemented and no resources assigned once it happens ...
  5. Can I speak to the CISO? … oh, he's busy orchestrating and syncing agents? But in your role description it says she's a person and is managing real people?

You can't know the reasoning behind the algorithm. You are creating a paper reality that has no relationship to what is actually going on in your organization.

Don't get me wrong: you can automate part of the ISMS, like evidence collection for the implementation of technical controls, process completeness, and drafting policies based on real variables specific to the organization. But the essence is risk management, controlling actual organizational processes, demonstrability, and accountability.