
You can't automate ISO 27001 compliance

Some vendors promise ISO 27001 certification at next to nothing, through the use of AI. Cheap, fast, and effortless. If it sounds too good to be true, it probably is.

It's true that AI tools can genuinely help with parts of an ISO 27001 implementation by reducing the repetitive work of documenting the ISMS: drafting policies, tracking issues, classifying documents, and mapping controls. AI is great at producing documents. But a certification audit is more than a document review. It is designed to probe whether your ISMS reflects what actually happens in your organization.

These are some examples of questions to expect when you present essential documents to the certification auditor:

On the Scope Statement — How did you decide on this scope? What are your business reasons for that choice, and how does it affect your stakeholders?

On the Risk Register — How did you arrive at these risk scores? What method did you use for conducting the risk analysis? Who was involved, and who signed off?

On the Statement of Applicability — You have made choices in applying the 93 controls. How did you tie those choices to your risk analysis? To which information assets did you apply them specifically?

On your Incident Response Plan — Are the resources it mentions actually available if a breach happens? How and when did you last test these procedures? What were the findings and how did these contribute to the improvement of the plan?

On Policies and Procedures — Do the persons mentioned in these documents understand their responsibilities, and are they mandated to act on them? Can I speak with them?

The thing is, ISO 27001 isn't really about documents. It's about the reality they reflect. Your ISMS should be about responsibilities, creating awareness, making decisions and being accountable for them: the things that actually produce better information security.

Curious whether others are seeing this pattern: AI-assisted compliance that falls apart in an audit.

#ISO27001 #informationsecurity #compliance #ISMS