ISO 27001 ISMS Workspace: From Scoping to Certification Readiness in 21 Steps

You: CloudSync Solutions is a B2B SaaS company based in São Paulo, 45 employees. We run on GCP, use GitHub, Google Workspace, Okta for IAM, Stripe for payments, and SendGrid for email. Maria Santos is CISO, João Silva is CTO. We handle customer project data and are subject to LGPD.

Agent: I’ve drafted the organization profile. Let me run the tech stack classifier and the profile completeness checker.

The tech stack classifier categorized 8 entries: GCP as IaaS, GitHub as SaaS (DevOps), Google Workspace as SaaS (Productivity), Okta as SaaS (Security/IAM). One flag — AWS CloudFront is listed without region specification.

Profile completeness: PASS (92%). Minor gap: revenue band is estimated — consider confirming with finance.

I’ve also updated the project dashboard to mark the Organization Profile as complete.

You: Define the ISMS scope for CloudSync Solutions. Our SaaS platform and supporting infrastructure should be in scope. Marketing and HR systems are out of scope.

Agent: I’ve drafted the scope statement based on your organization profile. Let me run the scope boundary and exclusion checks.

Scope boundary integrity: PASS. The scope covers the SaaS platform, GCP infrastructure, customer data processing, and all supporting IT services. Boundaries are clearly defined by organizational unit, location (São Paulo HQ + GCP regions), and technology.

Exclusion justification check: WARNING. Two exclusions need stronger justification. “Marketing systems” is accepted — no customer data processed. But “HR systems” needs clarification: HR holds employee PII subject to LGPD, and Clause 4.3 requires justifying why HR data handling doesn’t affect ISMS objectives. I’ve flagged this for your review and suggested adding a sentence explaining that HR data is governed under a separate LGPD compliance program.

You: Build the asset inventory based on our organization profile and scope.

Agent: I’ve identified 18 information assets within the ISMS scope and classified them by type. Let me validate labeling and ownership.

Asset labeling consistency: PASS. All 18 assets follow the naming convention (type prefix + sequential ID). Classification levels (Confidential, Internal, Public) are assigned consistently — customer project data and API keys are Confidential, internal documentation is Internal.

Owner accountability check: WARNING. Two assets have team-level owners (“Engineering Team”) instead of named individuals. ISO 27001 Clause A.5.9 requires identifiable owners. I’ve flagged AST-011 (CI/CD Pipeline) and AST-014 (Monitoring Dashboard) for reassignment to specific individuals.

You: Based on the organization profile and scope, assess our information security risks.

Agent: I’ve identified 7 risks and built the risk register with likelihood × impact scoring. Let me run the validation suite.

The methodology checker confirmed all 11 Clause 6.1.2 requirements are met — scales, matrix, and acceptance threshold of 12 are properly defined.

Each of the 7 risk entries passed completeness validation: asset, threat, vulnerability, consequence, L×I scores, owner, and treatment decision are all present.

The duplicate detector found no overlapping risks — all 7 address distinct threat scenarios.

The asset-risk coverage validator cross-checked the asset inventory: 5 of 6 Confidential assets have corresponding risk entries. However, AST-008 (API Keys vault) is classified Confidential but has no risk entry — I’ve added R-08 covering unauthorized key extraction with a score of 4×5=20 (Treat, controls A.5.17, A.8.24).

The risk-to-control mapper verified that all 8 treated risks link to specific Annex A controls. And the residual risk checker confirmed all post-treatment scores fall below the acceptance threshold of 12.

You: Generate the Statement of Applicability based on our risk assessment. Include implementation status tracking.

Agent: I’ve mapped all 93 Annex A controls against the risk register and organization profile. Let me run the SoA validation suite.

Control inclusion suggestions: 78 controls marked as applicable, 15 excluded. The tool flagged 2 controls you might want to reconsider: A.7.4 (Physical security monitoring) — marked as excluded, but your GCP infrastructure includes a physical office with server room access. And A.5.23 (Information security for cloud services) — this should be applicable given your GCP dependency.

Justification audit: PASS. All 15 exclusions have documented justifications referencing specific scope boundaries or organizational context. The audit also flagged 12 controls with evidence but implementation status still “Not Started” — consider updating as you implement.

SoA-to-risk consistency: PASS. Every treated risk in the risk register maps to at least one applicable SoA control, and no applicable control lacks a corresponding risk or business requirement.

Implementation status summary: Not Started: 34, Planned: 28, Implemented: 14, Verified: 2. The consistency checker now tracks this so you can see at a glance how far along your implementation is.

Policy evidence check: The consistency checker also scanned your policy directory. 3 included controls reference evidence files that don’t exist yet — A.5.24 cites “Incident-Management-Procedure.md” but that file hasn’t been generated. I’ve noted this as a reminder for the Policy Generator step.

You: Assess the current state of our ISMS against ISO 27001 requirements.

Agent: I’ve scanned the workspace for mandatory artifacts and rated each clause area for maturity. Here’s what I found.

The mandatory artifact scan produced a traceable checklist — the ISMS scope statement and risk register are present, but the Information Security Policy, Statement of Applicability, and Internal Audit results are still missing.

For clause maturity, I rated Clause 6 (Planning) at level 3 (“Defined”) based on the existing risk methodology and register, while Clause 9 (Performance Evaluation) is at level 0 (“Nonexistent”) since no monitoring, audit, or management review has been performed yet.

Based on audit risk, here’s the remediation priority:

1. Immediate — Information Security Policy (Clause 5.2), scope exclusion justifications
2. Short-term — Statement of Applicability, Risk Treatment Plan, Security Objectives
3. Medium-term — Operational procedures (access control, incident management, supplier security)
4. Audit readiness — Internal audit, management review, CAPA process

You: Generate the Information Security Policy for CloudSync Solutions.

Agent: I’ve drafted POL-001 based on your organization profile and risk context. Let me validate the document metadata and mandatory topic coverage.

Document metadata check: PASS. Document ID POL-001 has version, owner (Maria Santos), approval (João Silva), effective date, next review date, and classification (Internal) — all present.

Mandatory topic checker: PASS. All required sections are covered — management commitment (5.1), purpose (5.2), roles and responsibilities (5.3), risk management (6.1), compliance requirements, and review schedule.

After generating all 16 policies, I ran the treatment-to-policy traceability check. It cross-referenced 8 “Treat” decisions in the risk treatment plan against the generated policies. 7 of 8 have complete chains — the policy implementing each control exists. One gap: R-06 (API vulnerabilities, controls A.8.25-A.8.26) maps to a Secure Development Procedure, but that hasn’t been generated yet since software development procedures are optional for your scope. I recommend adding it given your SaaS platform is the primary asset.

You: Define physical security controls for our São Paulo office.

Agent: Based on the organization profile, your office has a single location with a server room and open-plan workspace. I’ve drafted the physical security perimeter document with controls for three zones: building entry, office floor, and server room. Let me validate.

Tailgating prevention check: PASS. Controls include badge-only entry at building reception, a visitor sign-in log with escort requirement, and a mantrap entry for the server room with dual-authentication (badge + PIN).

I’ve also cross-referenced these controls with the SoA — A.7.1 (Physical security perimeters), A.7.2 (Physical entry), and A.7.4 (Physical security monitoring) are all addressed.

I’ve also validated off-site security controls (A.7.9) — device encryption, VPN requirements, and MDM enrollment are all addressed for your remote workforce.

You: Create the supplier security policy based on our tech stack and risk assessment.

Agent: I’ve classified your 8 suppliers into three tiers based on data access and criticality. Let me validate the policy.

Tier classification:

• Tier 1 (Critical): GCP (IaaS — hosts all customer data), Okta (IAM — controls authentication)
• Tier 2 (Important): GitHub (source code), Stripe (payment processing), Google Workspace (internal comms)
• Tier 3 (Standard): SendGrid (email delivery), CloudFront (CDN), monitoring tools

Tier-based clause generation: PASS. Tier 1 suppliers require annual SOC 2 Type II reports, right-to-audit clauses, incident notification within 24 hours, and data residency guarantees. Tier 2 suppliers require SOC 2 or ISO 27001 evidence and 48-hour incident notification. Tier 3 suppliers require basic security questionnaires.

Right-to-audit enforcement: PASS. All Tier 1 and Tier 2 supplier clauses include contractual right-to-audit provisions per A.5.19 and A.5.21.

You: Build the legal requirements register for CloudSync Solutions.

Agent: Based on the organization profile, I’ve identified 12 legal and contractual obligations. Let me validate the register.

The regulatory coverage analyzer found obligations across three categories: statutory (LGPD data protection, Marco Civil da Internet), regulatory (BACEN cybersecurity requirements from financial-sector clients), and contractual (DPA clauses in enterprise contracts, SLA commitments). All 12 entries have mapped Annex A controls.

Legal requirement completeness check: PASS. Each obligation has a source reference, applicability justification, responsible owner, review frequency, and mapped controls. One advisory: the LGPD entry references “consent-based processing” but the organization profile indicates legitimate interest as the primary legal basis — consider aligning these.

You: Create NDA templates and a tracking register for CloudSync Solutions.

Agent: I’ve drafted NDA templates for three personnel categories: employees, contractors, and third-party partners. Each template is tailored to CloudSync’s context — referencing the LGPD obligations, Confidential asset classifications from the asset inventory, and specific data handling scenarios from the SaaS platform. Let me validate.

NDA clause validator: PASS. All three templates include the 9 mandatory clauses — definition of confidential information, obligations of receiving party, permitted disclosures, term and survival period, return/destruction of information, breach remedies, governing law, jurisdiction, and severability.

NDA register completeness check: WARNING. The tracking register covers 42 of 45 personnel. Three recent contractor onboardings (started in February 2026) do not yet have signed NDAs on record. I’ve flagged these for immediate follow-up with HR.

You: Create HR security documentation for CloudSync Solutions. We need screening procedures for new engineering hires, employment contract security clauses, and a complete exit procedure for when employees leave — including access revocation across all our systems.

Agent: I’ve drafted 4 HR security documents based on the organization profile. Let me run the validation tools.

HR clause completeness checker: PASS. The employment security clauses template includes all 5 required elements — NDA/confidentiality reference, acceptable use policy, IP assignment clause, disciplinary consequences for security violations, and post-termination obligations. It also references LGPD data protection obligations and asset return requirements.

Exit procedure coverage validator: PASS. The termination/exit security procedure covers access revocation for all 4 systems identified in the organization profile — Okta (SSO), GCP (infrastructure), GitHub (source code), and Google Workspace (email/docs). The procedure includes asset return checklist, knowledge transfer plan, NDA reminder, and exit interview. One advisory: consider adding a post-departure monitoring period for privileged account holders.

You: Build the privacy program for CloudSync Solutions. We’re subject to LGPD and have EU enterprise clients under GDPR. Create the full set — privacy policy, ROPA, DPIA template, data subject rights procedure, and breach notification procedure.

Agent: I’ve drafted 5 privacy program documents based on the organization profile and legal requirements register. Let me validate.

ROPA completeness checker: PASS. All 5 processing activities (customer data storage, user authentication, payment processing, email communications, analytics) have complete entries — purpose, legal basis, data categories, recipients, retention period, and international transfer status documented for each.

Legal basis validator: PASS with 1 advisory. 4 of 5 processing activities use legitimate interest or contractual necessity as legal basis. The analytics processing uses consent — the tool flagged this for DPIA consideration since consent-based processing of personal data may require a Data Protection Impact Assessment under both GDPR Article 35 and LGPD Article 38.

Breach notification timeline enforcer: PASS. The breach notification procedure includes both LGPD’s “reasonable time” requirement with ANPD notification and GDPR’s 72-hour supervisory authority notification for EU data subjects. Severity classification matrix, containment steps, and post-breach review are all documented.

You: Create operating procedures for the controls that need them.

Agent: I ran the SOP coverage analyzer against the Statement of Applicability. Of the 78 applicable controls, 24 require documented operating procedures. 10 are already covered by existing policies. I’ll create the remaining 14 SOPs. Let me start with the highest-priority ones.

I’ve drafted SOP-001 (Access Provisioning and Deprovisioning), SOP-002 (Incident Response Execution), and SOP-003 (Backup and Restoration). Running validation on each…

SOP completeness checker: SOP-001 PASS — includes purpose, scope, roles, step-by-step procedure, escalation criteria, and related controls (A.5.15, A.5.18). SOP-002 PASS — covers all incident severity levels with decision trees. SOP-003 WARNING — restoration steps reference “GCP Console procedure” without specifying exact navigation paths. I’ve expanded the steps with specific GCP commands and console paths. Re-check: PASS.

The SOP index now tracks all 24 required procedures with completion status and last-reviewed dates.

You: Document our secure architecture principles based on CloudSync’s tech stack.

Agent: I’ve drafted a secure architecture principles catalog tailored to CloudSync’s GCP-based SaaS platform. The catalog covers 10 categories: network segmentation, authentication and access control, data protection at rest and in transit, secure API design, logging and monitoring, secrets management, container security, infrastructure as code, resilience, and supply chain integrity. Let me validate.

Architecture principles coverage check: PASS. All 10 categories have documented principles with implementation guidance specific to your stack — for example, network segmentation references GCP VPC design with private service access, and secrets management references the existing Okta + GCP Secret Manager integration from the organization profile.

Each principle is cross-referenced to applicable Annex A controls and the relevant policies generated in Step 7.

You: Set up the monitoring and evaluation framework for our ISMS.

Agent: I’ve built the IS Objectives Register per Clause 6.2 with 6 measurable security objectives, each linked to specific ISMS policies and risk treatment decisions. Let me validate.

Objectives completeness checker: PASS. All 6 objectives have defined metrics, targets, measurement methods, timeframes, and responsible owners. Example: “Reduce mean time to patch critical vulnerabilities to under 72 hours by Q3 2026” — metric: MTTP, target: <72h, source: GitHub security alerts, owner: João Silva.

I’ve also generated 8 KPIs aligned to the ISMS objectives. Let me validate the CAPA tracking.

KPI generation: PASS. Each KPI has a defined metric, target, measurement frequency, data source, and responsible owner. Examples: “Percentage of access reviews completed on schedule” (target: 100%, quarterly, source: Okta audit logs, owner: Maria Santos).

CAPA completeness: WARNING. Two of the three audit findings (Finding 01 and Finding 02) have complete CAPA records — root cause, corrective action, owner, due date, and effectiveness criteria. Finding 03 (backup verification) has root cause and corrective action defined but is missing effectiveness verification criteria. I’ve flagged it for completion.

Audit NC-CAPA reconciliation: The reconciler cross-checked the internal audit report against the CAPA log. All 3 audit NCs (NC-001 through NC-003) have matching CAPA entries. It also checked the monitoring report’s failed controls — the access review metric (72% completion vs. 100% target) was correctly linked to CAPA-001. No orphaned findings.

Corrective action tracking: PASS. All CAPAs have assigned owners and due dates within 90 days of the finding date.

You: Create the business continuity plan for CloudSync Solutions.

Agent: I’ve performed a Business Impact Analysis based on the asset inventory and organization profile. The BIA identified 5 critical business processes: SaaS platform availability, customer data processing, payment processing (Stripe), authentication services (Okta), and internal communications (Google Workspace). Let me build the BCP and validate.

I’ve drafted the BCP with recovery procedures for each critical process, plus a separate Disaster Recovery Plan for the GCP infrastructure. Running validation…

BCP RTO/RPO validator: PASS. All 5 critical processes have defined RTO and RPO targets consistent with contractual SLAs. SaaS platform: RTO 4 hours, RPO 1 hour. Payment processing: RTO 2 hours, RPO 0 (real-time replication via Stripe). One advisory: the DR plan references multi-region failover but the organization profile only lists a single GCP region — consider documenting the planned secondary region.

Exercise record checker: WARNING. The exercise log template is complete but no exercises have been conducted yet. I’ve created a schedule for the first tabletop exercise (Q2 2026) and a full DR test (Q3 2026), both with defined success criteria and participant lists.

You: Create the internal audit report for our ISMS.

Agent: I’ve drafted the audit plan for March 20–24, 2026 with Carlos Mendes from the Quality Team as lead auditor. Let me run the impartiality check.

Impartiality validation: PASS. Carlos Mendes has no ISMS operational, management, or design responsibilities — independence confirmed.

I’ve completed the audit checklist against all clauses and Annex A controls. Three findings identified:

Finding 01 (Access Review Evidence, A.5.15): Minor Non-conformity. The Access Control Policy requires quarterly reviews, but no Q1 2026 records exist. Root cause: transition to Okta was completed but review workflows weren’t yet scheduled.

Finding 02 (Incident Management Procedure, A.5.24): Minor Non-conformity. PROC-003 is in draft and missing SaaS-specific incident response steps.

Finding 03 (Backup Verification, A.8.13): Major Non-conformity. GCP backups exist but no restoration test logs found. The assumption that managed services handle integrity without manual verification is insufficient.

You: Compile the management review input pack.

Agent: I’ve compiled the input pack with traceable references to all workspace artifacts. The mandatory input checker confirmed all 10 required Clause 9.3 inputs are covered.

I also validated that every action item in the review has an assigned owner, due date, and acceptance criteria — all checks passed.

You: Run the traceability dashboard to check overall ISMS consistency.

Agent: I’ve scanned the workspace and checked all 11 traceability links. Here are the results.

Implementation Progress:

• Plan phase (Clause 4-6): 6/6 documents complete
• Do phase (Clause 7-8): 16 policies, SOPs, legal register, NDAs, BCP, and architecture principles found
• Check phase (Clause 9): 2/2 documents complete
• Act phase (Clause 10): 3/3 documents complete

Traceability Links: 9 of 11 links are fully consistent. 2 warnings found:

1. SoA → Policies: 3 included controls cite evidence files that were modified after the SoA was last updated — the SoA may need a refresh to reflect current policy content.
2. Risk Treatment → Policies: R-06 (API vulnerabilities) has treatment “Treat” with controls A.8.25-A.8.26, but the implementing Secure Development Procedure doesn’t exist yet.

Audit readiness: 91% — address 2 warnings before Stage 1.

Agent: I’ve completed the risk register with 8 entries. Running the validation suite…

The asset-risk coverage validator found a gap: AST-008 (API Keys vault, classified Confidential) appears in the asset inventory but has no corresponding risk entry in the register. This is an auditor red flag — a Confidential asset without a risk assessment suggests incomplete analysis.

I’ve added risk R-08: “Unauthorized extraction of API keys from secrets vault” (Likelihood: 4, Impact: 5, Score: 20, Treatment: Treat, Controls: A.5.17, A.8.24).

Now running the SoA consistency checker with the updated risk register…

The checker confirmed that A.5.17 (Authentication information) and A.8.24 (Use of cryptography) are both marked as applicable in the SoA — consistent with the new risk entry. However, it flagged that A.8.24’s implementation evidence field says “[TBD]” — a placeholder that needs to be replaced with an actual policy reference.

I’ve updated A.8.24’s evidence to reference “Cryptographic-Controls-Section” in the Information Security Policy. Re-running the check… PASS.