Overview
Build and validate a shared organization profile for ISO 27001 certification. Captures organizational facts — industry, locations, departments, key roles, technology stack, regulatory obligations, and suppliers — that feed into every downstream ISMS activity: scope definition, risk assessment, Statement of Applicability, and policy generation.
The profile becomes a single source of truth that other ISO 27001 skills reference. When you set up the organization profile first, subsequent skills can automatically tailor their output — for example, the policy generator uses the tech stack to customize access control procedures, and the risk assessment uses the regulatory context to identify compliance-related threats.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Organization facts — legal name, industry, size, locations, departments
- Key ISMS roles — top management sponsor, information security responsible, risk owner
- Technology stack — systems classified by type (IaaS, SaaS, on-premise, security) with data residency and purpose
- Regulatory obligations — applicable regulations (GDPR, LGPD, HIPAA, PCI DSS, etc.)
- Suppliers — key third-party relationships with tier classification
Example Conversation
You: We need to create an organization profile for our ISO 27001 certification. We’re a fintech startup with about 80 employees.
Agent: I’ll help you build the organization profile. Let me walk through each section. First, the basics:
- What is the legal name of the organization?
- What specific financial services do you provide? (payments, lending, insurance, etc.)
- Where are your offices located?
- How is the company structured — what departments or teams exist?
You: Acme Payments Ltd. We’re a payment processing platform. HQ in London, engineering team in Lisbon. Departments: Engineering, Product, Operations, Finance, Legal & Compliance, People.
Agent: Good. Now the key ISMS roles — ISO 27001 requires these to be named:
- Top management sponsor — who in the C-suite sponsors the ISMS? (typically CEO or CTO)
- Information security responsible — who manages day-to-day security? (CISO, Head of Security, or IT Manager)
- Risk owner — who is accountable for accepting risks? (can be same as above or a separate role)
You: CEO sponsors it, our Head of Engineering is acting CISO, and the CTO is risk owner.
Agent: Now let me capture your technology stack. Please list the key systems, platforms, and tools you use — I’ll classify each one. Examples: AWS, GitHub, Slack, Stripe, etc.
You: AWS (eu-west-1), PostgreSQL on RDS, GitHub, Slack, Google Workspace, Datadog, Okta for SSO, Stripe for payments infrastructure.
Agent: I’ll run the technology_stack_normalizer on these entries…

| System | Type | Data Residency | Purpose | Flags |
|---|---|---|---|---|
| AWS | IaaS | eu-west-1 | Cloud infrastructure | — |
| PostgreSQL (RDS) | Database | eu-west-1 | Primary data store | — |
| GitHub | SaaS | — | Source code management | Missing data residency |
| Slack | SaaS | — | Internal communication | Missing data residency |
| Google Workspace | SaaS | — | Email and productivity | Missing data residency |
| Datadog | SaaS | — | Monitoring and observability | Missing data residency |
| Okta | Security | — | Identity and SSO | Missing data residency |
| Stripe | SaaS | — | Payment processing | Missing data residency |

I’ve flagged 6 SaaS/security services missing data residency information. For ISO 27001 scope definition and data flow mapping, you’ll need to confirm where each provider stores your data. Can you check your contracts or admin consoles for the data residency of these services?
You: All our SaaS tools are EU region. GitHub is US-hosted but we only have code there, no customer data.
Agent: Noted — I’ll update the profile. Now let me run the profile_completeness_checker… Result: 5/6 sections complete. Missing: Regulations — you mentioned fintech but haven’t specified which regulations apply. For a UK-based payment processor, likely candidates are: UK GDPR, PCI DSS (if handling card data), FCA regulations, PSD2.
You: UK GDPR, PCI DSS, and FCA requirements.
Agent: Profile is now complete. All 6 sections validated, 3 required roles assigned. The profile JSON is saved and ready to be referenced by the gap assessment, risk assessment, and policy generator skills.
Sample Output Excerpt
The skill produces a structured JSON organization profile. Here’s a representative excerpt showing the technology and regulatory sections.
{
"organization": {
"name": "Acme Payments Ltd",
"industry": "Financial Services — Payment Processing",
"size": "80 employees",
"description": "Payment processing platform for merchants"
},
"locations": [
{ "name": "London HQ", "type": "headquarters", "country": "United Kingdom" },
{ "name": "Lisbon Engineering", "type": "office", "country": "Portugal" }
],
"departments": [
"Engineering", "Product", "Operations", "Finance", "Legal & Compliance", "People"
],
"key_roles": {
"top_management_sponsor": "Jane Smith, CEO",
"information_security_responsible": "Tom Chen, Head of Engineering (acting CISO)",
"risk_owner": "Maria Garcia, CTO"
},
"technology": [
{ "name": "AWS", "type": "IaaS", "data_residency": "eu-west-1", "purpose": "Cloud infrastructure" },
{ "name": "PostgreSQL (RDS)", "type": "Database", "data_residency": "eu-west-1", "purpose": "Primary data store" },
{ "name": "Okta", "type": "Security", "data_residency": "EU", "purpose": "Identity and SSO" },
{ "name": "Stripe", "type": "SaaS", "data_residency": "EU", "purpose": "Payment processing" }
],
"regulations": ["UK GDPR", "PCI DSS", "FCA"],
"suppliers": [
{ "name": "AWS", "tier": "critical", "services": "Cloud infrastructure" },
{ "name": "Stripe", "tier": "critical", "services": "Payment processing" },
{ "name": "Okta", "tier": "important", "services": "Identity management" }
]
}
Extension Tools
technology_stack_normalizer
Classifies technology entries against a knowledge base of common systems (AWS, Azure, GCP, Slack, Okta, GitHub, etc.):
| Check | What It Does |
|---|---|
| Type classification | Maps each system to a category: IaaS, SaaS, on-premise, security, database |
| Data residency | Flags cloud and SaaS providers that are missing data residency information |
| Purpose | Flags entries without a documented purpose |
| Known systems | Recognizes ~22 common systems and auto-classifies them |
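The following is an added illustration of how the four checks in this table can be applied to the free-text entries a user types in the conversation above (`AWS (eu-west-1)`, `PostgreSQL on RDS`, `Okta for SSO`). It is not the skill's own normalizer: the knowledge base is a constructed subset of ten systems rather than the real list, and the parsing rules for parentheses, `for` and `on` are an assumption about how such input could be handled.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed knowledge base (a small subset, not the tool's real ~22-system list):
# lower-cased lookup name -> (type, default purpose).
KNOWN_SYSTEMS = {
    "aws": ("IaaS", "Cloud infrastructure"),
    "azure": ("IaaS", "Cloud infrastructure"),
    "gcp": ("IaaS", "Cloud infrastructure"),
    "postgresql": ("Database", "Primary data store"),
    "github": ("SaaS", "Source code management"),
    "slack": ("SaaS", "Internal communication"),
    "google workspace": ("SaaS", "Email and productivity"),
    "datadog": ("SaaS", "Monitoring and observability"),
    "okta": ("Security", "Identity and SSO"),
    "stripe": ("SaaS", "Payment processing"),
}

RESIDENCY_FLAG = "Missing data residency"
PURPOSE_FLAG = "Missing purpose"
UNKNOWN_FLAG = "Unknown system: classify manually"


@dataclass
class TechEntry:
    name: str
    type: str = "Unknown"
    data_residency: str | None = None
    purpose: str | None = None
    flags: list[str] = field(default_factory=list)


def normalize_entry(raw: str) -> TechEntry:
    """Turn one free-text entry such as 'AWS (eu-west-1)', 'PostgreSQL on RDS'
    or 'Okta for SSO' into a classified TechEntry with review flags."""
    text = raw.strip()

    # Assumed convention: a parenthesised token is the data residency / region.
    residency = None
    m = re.search(r"\(([^)]*)\)", text)
    if m:
        residency = m.group(1).strip() or None
        text = (text[: m.start()] + text[m.end():]).strip()

    # "<system> for <purpose>": the tail is the user-stated purpose.
    purpose = None
    if " for " in text:
        text, purpose = (part.strip() for part in text.split(" for ", 1))

    # "<system> on <platform>": keep the platform in the display name,
    # but classify by the base system.
    lookup = name = text
    if " on " in text:
        base, host = (part.strip() for part in text.split(" on ", 1))
        lookup, name = base, f"{base} ({host})"

    entry = TechEntry(name=name, data_residency=residency, purpose=purpose)

    known = KNOWN_SYSTEMS.get(lookup.lower())
    if known:
        entry.type, default_purpose = known
        entry.purpose = entry.purpose or default_purpose
    else:
        entry.flags.append(UNKNOWN_FLAG)

    # Anything not explicitly on-premise is hosted by a third party, so the
    # profile must record where that provider keeps the data.
    if entry.type != "On-premise" and not entry.data_residency:
        entry.flags.append(RESIDENCY_FLAG)
    if not entry.purpose:
        entry.flags.append(PURPOSE_FLAG)
    return entry


def normalize_stack(raw_entries: list[str]) -> list[TechEntry]:
    return [normalize_entry(r) for r in raw_entries]


def count_flag(entries: list[TechEntry], flag: str) -> int:
    return sum(flag in e.flags for e in entries)


# Constructed input mirroring the conversation above (region added to RDS).
SAMPLE_INPUT = [
    "AWS (eu-west-1)", "PostgreSQL on RDS (eu-west-1)", "GitHub", "Slack",
    "Google Workspace", "Datadog", "Okta for SSO", "Stripe for payments infrastructure",
]

if __name__ == "__main__":
    stack = normalize_stack(SAMPLE_INPUT)
    for e in stack:
        print(f"{e.name:<20} {e.type:<9} {e.data_residency or '-':<10} "
              f"{e.purpose or '-':<30} {', '.join(e.flags) or '-'}")
    print(f"{count_flag(stack, RESIDENCY_FLAG)} entries missing data residency")
```

Run on the constructed input it reproduces the six residency flags from the conversation, and an entry not in the knowledge base (for example `Zendesk`) is left as `Unknown` with a manual-classification flag rather than silently guessed, which is the safer default when the output feeds scope definition.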
profile_completeness_checker
Validates the organization profile for all required sections:
| Section | Required Fields | Severity |
|---|---|---|
| Organization | Name, industry, size | ERROR if missing |
| Locations | At least one location | ERROR if missing |
| Departments | At least one department | ERROR if missing |
| Key roles | top_management_sponsor, information_security_responsible, risk_owner | ERROR if any missing |
| Technology | At least one system entry | WARNING if empty |
| Regulations | Named regulations (rejects vague entries like “data protection laws”) | WARNING if missing |
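As an added example (not the skill's own checker), the rules in this table applied to a profile shaped like the sample JSON excerpt above. Field names follow that excerpt; the list of phrasings treated as "vague" regulations is our assumption, since the page gives only the one example, and the sample profile is constructed from the excerpt.

```python
from __future__ import annotations

from dataclasses import dataclass

SECTIONS = ("Organization", "Locations", "Departments", "Key roles", "Technology", "Regulations")
REQUIRED_ROLES = ("top_management_sponsor", "information_security_responsible", "risk_owner")
# Assumption: which phrasings count as "vague"; the table gives one example.
VAGUE_REGULATION_PHRASES = ("data protection law", "privacy law", "applicable law",
                            "local regulation", "industry standard", "compliance requirement")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "ERROR" blocks downstream skills, "WARNING" does not
    message: str


def _blank(container: dict, key: str) -> bool:
    value = container.get(key)
    return value is None or value == [] or value == {} or (isinstance(value, str) and not value.strip())


def is_vague_regulation(name: str) -> bool:
    lowered = name.strip().lower()
    return not lowered or any(p in lowered for p in VAGUE_REGULATION_PHRASES)


def check_profile(profile: dict) -> list[Finding]:
    findings: list[Finding] = []
    org = profile.get("organization") or {}
    for f in ("name", "industry", "size"):
        if _blank(org, f):
            findings.append(Finding("Organization", "ERROR", f"organization.{f} is missing"))
    if not profile.get("locations"):
        findings.append(Finding("Locations", "ERROR", "at least one location is required"))
    if not profile.get("departments"):
        findings.append(Finding("Departments", "ERROR", "at least one department is required"))
    roles = profile.get("key_roles") or {}
    for role in REQUIRED_ROLES:
        if _blank(roles, role):
            findings.append(Finding("Key roles", "ERROR", f"key_roles.{role} is not assigned"))
    if not profile.get("technology"):
        findings.append(Finding("Technology", "WARNING", "no technology systems listed"))
    regulations = profile.get("regulations") or []
    vague = [r for r in regulations if is_vague_regulation(r)]
    named = [r for r in regulations if not is_vague_regulation(r)]
    if vague:
        findings.append(Finding("Regulations", "WARNING",
                                f"vague entries rejected: {vague}; name the specific regulation"))
    if not named:
        findings.append(Finding("Regulations", "WARNING", "no named regulations (e.g. UK GDPR, PCI DSS)"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Section counts in the 'N/6 sections complete' form used in the conversation."""
    incomplete = [s for s in SECTIONS if any(f.section == s for f in findings)]
    return {
        "complete": len(SECTIONS) - len(incomplete),
        "total": len(SECTIONS),
        "missing": incomplete,
        "blocking": any(f.severity == "ERROR" for f in findings),
    }


# Constructed profile following the sample output excerpt above.
SAMPLE_PROFILE = {
    "organization": {"name": "Acme Payments Ltd", "industry": "Financial Services", "size": "80 employees"},
    "locations": [{"name": "London HQ", "type": "headquarters", "country": "United Kingdom"}],
    "departments": ["Engineering", "Product", "Operations", "Finance", "Legal & Compliance", "People"],
    "key_roles": {
        "top_management_sponsor": "Jane Smith, CEO",
        "information_security_responsible": "Tom Chen, Head of Engineering (acting CISO)",
        "risk_owner": "Maria Garcia, CTO",
    },
    "technology": [{"name": "AWS", "type": "IaaS", "data_residency": "eu-west-1", "purpose": "Cloud infrastructure"}],
    "regulations": ["UK GDPR", "PCI DSS", "FCA"],
}

if __name__ == "__main__":
    # The mid-conversation state: everything filled in except regulations.
    draft = dict(SAMPLE_PROFILE, regulations=[])
    for f in check_profile(draft):
        print(f"{f.severity:<7} {f.section}: {f.message}")
    print(summarize(check_profile(draft)))
```

A vague entry such as `"data protection laws"` is rejected with a WARNING rather than counted, so a profile that lists only vague regulations still shows the Regulations section as incomplete; a missing role, by contrast, is an ERROR and marks the profile as blocking for the downstream skills.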
Getting Started
Start by activating the ISO 27001 Organization Profile skill. The agent will guide you through each section in order: organization basics, locations, departments, key roles, technology stack, regulations, and suppliers.
Have this information ready:
- Your company’s legal name, industry, and headcount
- Office and data center locations
- Department or team structure
- Names and titles for the three required ISMS roles
- A list of your key technology systems, platforms, and SaaS tools
- Applicable regulations (GDPR, PCI DSS, HIPAA, etc.)
- Key suppliers and third-party service providers
The completed profile feeds directly into other ISO 27001 skills — gap assessment, risk assessment, SoA, and policy generation — so getting it right here saves significant rework later.