ISO 27001 Guide

ISO 27001 work goes better when you treat the ISMS as an operating model for risk, control ownership, and evidence freshness rather than as a document set. This guide shows how AISEC fits into that approach. AISEC also covers SOC 2 and GDPR in the same workspace, so cross-framework programmes can run without switching tools.

  • Scope and ownership first
  • Policies, risks, and evidence linked together
  • Statement of Applicability export in one click
  • Audit-ready habits over last-minute clean-up

5 recommended program phases

93 Annex A controls to assess (ISO/IEC 27001:2022)

1 source of truth for your ISMS story

Phase 1

Define scope and governance

Before you generate documents or upload artefacts, decide what is in scope, who signs off on policies, and how exceptions are approved.

Scope decisions

Define business units, systems, suppliers, and data boundaries that your ISMS will actually cover.

  • Avoid claiming coverage you cannot evidence
  • Document major dependencies and outsourced services
  • Use the product overview to align stakeholders early

Ownership model

Assign named owners for policy, risk, evidence, and monitoring so the platform mirrors your real governance model.

  • One accountable owner per workflow
  • Clear reviewer and approver roles
  • Escalation path for partial or delayed controls

Phase 2

Build the operating record

Auditors care whether your ISMS is lived, not whether your templates look polished. AISEC helps by keeping the moving parts connected.

Policies

Start with core policies, then tailor generated drafts to your organisation rather than accepting generic wording wholesale.

Risk register

Maintain a risk register with treatment logic that connects back to controls and operating decisions.

Evidence

Collect recurring artefacts continuously so control claims are backed by current, reviewable material.

Phases 3 to 5

Prepare for formal assurance

The later stages are about readiness discipline: SoA quality, internal audit preparedness, management review, and corrective actions.

  • Use control implementation states honestly; partial is better than fictional completion.
  • Treat the Statement of Applicability as an argument you can defend, not a checklist you auto-fill.
  • Review evidence freshness and policy approvals before internal audit, not during it.
  • Feed monitoring alerts and recurring issues back into risk treatment and management review discussions.
  • Keep records of exceptions, decisions, and remediation so external auditors can see improvement over time.
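The links this guide keeps stressing (Annex A control, implementation state, evidence artefact, refresh cadence, SoA justification) are easy to describe and easy to let drift. The following Python script is an added example, not AISEC's own code or data model: it models those links and flags the two failure modes the phases above warn about, an "implemented" claim with no current evidence, and a control excluded from the SoA without a written justification. The control references, dates and cadences are constructed sample data.

```python
"""Evidence-freshness and SoA consistency check.

Added example (hypothetical model, not AISEC's): Annex A control -> claimed
state -> evidence artefacts with a refresh cadence -> effective SoA state.
All register contents below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    name: str            # artefact description, e.g. "Quarterly access review export"
    collected_on: date   # when the artefact was last collected
    cadence_days: int    # how often it must be refreshed to still count as current

    def is_fresh(self, today: date) -> bool:
        return today - self.collected_on <= timedelta(days=self.cadence_days)


@dataclass
class Control:
    ref: str                  # Annex A reference used as an illustrative label
    title: str
    applicable: bool          # False means excluded from the SoA
    state: str                # claimed state: "implemented", "partial" or "planned"
    justification: str = ""   # required whenever applicable is False
    evidence: list = field(default_factory=list)


def check_control(ctrl: Control, today: date) -> list[str]:
    """Return findings for one control; an empty list means the SoA row is defensible."""
    findings = []
    if not ctrl.applicable:
        if not ctrl.justification.strip():
            findings.append(f"{ctrl.ref}: excluded from scope without a justification")
        return findings  # excluded controls need a reason, not evidence
    fresh = [e.name for e in ctrl.evidence if e.is_fresh(today)]
    stale = [e.name for e in ctrl.evidence if not e.is_fresh(today)]
    for name in stale:
        findings.append(f"{ctrl.ref}: evidence '{name}' is stale")
    if ctrl.state == "implemented" and not fresh:
        findings.append(
            f"{ctrl.ref}: claimed implemented but has no current evidence; record as partial"
        )
    return findings


def effective_state(ctrl: Control, today: date) -> str:
    """State the SoA should carry: an unevidenced 'implemented' is downgraded to 'partial'."""
    if not ctrl.applicable:
        return "not applicable"
    if ctrl.state == "implemented" and not any(e.is_fresh(today) for e in ctrl.evidence):
        return "partial"
    return ctrl.state


def soa_report(controls: list[Control], today: date) -> dict:
    """Effective state per control plus every finding, ready for a pre-audit review."""
    rows = {c.ref: effective_state(c, today) for c in controls}
    findings = [f for c in controls for f in check_control(c, today)]
    return {"rows": rows, "findings": findings}


# Constructed sample register (hypothetical data, not a real ISMS).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Control("A.5.15", "Access control", True, "implemented", evidence=[
        Evidence("Quarterly access review export", date(2024, 5, 10), 90),
    ]),
    Control("A.8.15", "Logging", True, "implemented", evidence=[
        Evidence("SIEM retention screenshot", date(2023, 11, 1), 90),  # stale
    ]),
    Control("A.7.4", "Physical security monitoring", False, "planned"),  # no justification
    Control("A.8.8", "Management of technical vulnerabilities", True, "partial", evidence=[
        Evidence("Monthly scan report", date(2024, 5, 28), 30),
    ]),
]

if __name__ == "__main__":
    report = soa_report(SAMPLE, TODAY)
    for ref, state in report["rows"].items():
        print(f"{ref}: {state}")
    for finding in report["findings"]:
        print("FINDING", finding)
```

Run it before internal audit, not during it: the findings list is the honest-state check from the bullets above, and the effective states are what the exported Statement of Applicability should say. The cadence per artefact is the design choice that matters; set it from the control's actual review period, not a single global number.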

Want the supporting implementation detail?

Move into the docs hub for operating guidance, or open the API reference if your implementation includes service integrations and automation.