How to Prepare for ISO 27001 Certification With AI

A step-by-step workflow for getting ISO 27001 certification-ready faster — scoping your ISMS, running the risk assessment, building the Statement of Applicability, and using AI to compress the gap analysis.

The Xeviora Editorial Team, May 29, 2026

Most teams approach ISO 27001 backwards. They open Annex A, see 93 controls, and start implementing things — encryption here, a logging tool there — without ever defining what their ISMS protects or which risks justify the work. Then the auditor arrives, asks to see the risk treatment plan and the Statement of Applicability, and the project unravels.

This tutorial walks the process in the order an auditor expects, and shows where AI genuinely saves time versus where it can't help. The short version: AI is excellent at the analytical grunt work — drafting scope, mapping risks to controls, producing a gap list — and useless at the parts that require your judgment and real evidence. Use it for the former and you'll cut weeks off the preparation.

Step 1: Define the ISMS scope before anything else

The scope statement is the foundation, and clause 4.3 requires it. It declares what your Information Security Management System covers: which products, teams, locations, and systems are in, and what's deliberately out.

A scope that's too broad makes the project unmanageable. Too narrow, and the certificate won't satisfy the buyers who asked for it — a certificate scoped to "the marketing website" impresses nobody evaluating your SaaS platform. Write a scope that matches what your customers actually need assured, and document the boundaries clearly, including the interfaces and dependencies with anything outside the scope.

This is the first place AI helps. Given a description of what you do and what you consider in scope, a tool can draft a scope statement in the right shape and language, which you then refine. It's a starting draft, not a final word — but starting from a structured draft beats starting from a blank page.

Step 2: Run the risk assessment

This is the engine of the whole standard. Clause 6.1.2 requires you to identify risks to the confidentiality, integrity, and availability of information within your scope, using a method that produces consistent, comparable results each time you repeat it. The standard doesn't prescribe the method; the asset-based approach is the common one. In practice that means working through your assets (databases, source code, customer data, identity systems, laptops) and for each one asking what could go wrong, how likely it is, and how bad the impact would be.

The output is a risk register: each row pairing an asset with a threat and the vulnerability that threat would exploit, rated for likelihood and impact, and resolved into an overall risk level.

This is tedious to do from scratch and exactly the kind of structured reasoning AI does well. Feed it your asset inventory and it can produce a credible first-pass register: threats, vulnerabilities, ratings, and a suggested treatment for each. You'll edit it heavily, because only you know your real exposure, but you're editing a draft rather than inventing one. Keep in mind that the inventory and the register are themselves sensitive (together they are a map of where you're weakest), so any tool you paste them into is a supplier handling in-scope information and should be assessed as one.

Step 3: Decide on risk treatment

For every significant risk, you choose a treatment under clause 6.1.3. The clause itself only says to select appropriate treatment options; the four names below are the ones most registers use (ISO 27005 calls the same options modify, retain, share, and avoid). Whichever vocabulary you pick, record it consistently, because the auditor will look for the chosen option against every risk:

  • Mitigate — apply controls to reduce the risk. The most common choice.
  • Accept — formally acknowledge and tolerate the risk, with sign-off.
  • Transfer — shift part of the risk, typically via insurance or a contractual arrangement. The financial impact moves; accountability for the information does not.
  • Avoid — stop doing the activity that creates the risk.

Each "mitigate" decision points you toward one or more Annex A controls. This is where the risk assessment and the control catalog connect, and it's the logic an auditor follows backward: show me the risk, show me the treatment, show me the control.

Step 4: Build the Statement of Applicability

The Statement of Applicability (SoA), required by clause 6.1.3 d, is the document that ties everything together. It lists every Annex A control and records, for each, whether it's necessary, whether it's implemented, and the justification for including or excluding it. Strictly, clause 6.1.3 c uses Annex A as a completeness check against the controls your risk treatment already chose, so a control you need for another reason (a customer contract, a regulation) belongs in the SoA as well, with that reason recorded as its justification.

Working through 93 controls by hand is slow, and it's where many readiness efforts lose momentum. An AI tool that maps your assets and existing controls onto the four Annex A themes — Organizational, People, Physical, Technological — produces the applicability assessment that feeds the SoA in seconds. For more on the controls themselves and how the 2022 themes are structured, see ISO 27001:2022 Annex A controls explained.

Be honest in the status column. Marking a control "implemented" when the evidence isn't there doesn't fool a Stage 2 auditor; it just turns into a nonconformity. "Partial" and "missing" are fine answers — they become your remediation backlog.

Step 5: Close the gaps

Every partial or missing control is a remediation item. Turn the list into a backlog with an owner and a priority for each. Prioritize the audit blockers first: a missing risk treatment plan, no SoA, no internal audit process, and no management review will all stop a Stage 2 audit cold, regardless of how good your technical controls are.

This is the work AI cannot do for you. Implementing controls, gathering evidence, and running the management system are human, organizational tasks. What AI gives you is a clear, prioritized starting list so you spend your energy on the work rather than on figuring out what the work is.
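The chain Steps 2 through 5 describe (risk, treatment, control, evidence, backlog) is easy to check mechanically once the register and the SoA live in a structured form. The script below is an added example written for this article, not code from the page or from the Xeviora tool. It derives an SoA from a register, walks the chain backwards the way an auditor would, and emits the Step 5 backlog. Every record in it is constructed sample data; the Annex A identifiers and titles are as the author recalls them from ISO 27001:2022, and the mapping of risks to controls is an assumption made for illustration.

```python
"""Traceability check across an ISO 27001 risk register, treatment decisions and SoA.

Added example, not code from the article. All records below are constructed sample
data; Annex A IDs/titles are as recalled from ISO 27001:2022 and the risk-to-control
mapping is an assumption made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str                                      # mitigate | accept | transfer | avoid
    controls: list[str] = field(default_factory=list)   # Annex A IDs backing a "mitigate"
    signoff: str | None = None                          # who accepted the risk, and when

    def level(self) -> int:
        """Overall risk level: likelihood x impact on a 1..9 scale."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


@dataclass
class SoaEntry:
    control: str
    title: str
    applicable: bool
    status: str                                         # implemented | partial | missing | n/a
    justification: str
    risks: list[str] = field(default_factory=list)      # register rows that drive this control
    evidence: list[str] = field(default_factory=list)   # pointers an auditor can follow


# Constructed Annex A subset (IDs and titles as recalled from ISO 27001:2022).
CATALOG = {
    "A.5.15": "Access control",
    "A.8.1": "User endpoint devices",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
}

# Constructed risk register: Step 2 rows with the Step 3 treatment decision attached.
RISKS = [
    Risk("R1", "customer database", "credential stuffing on admin console",
         "password-only login", "high", "high", "mitigate", ["A.8.5", "A.5.15"]),
    Risk("R2", "source repository", "exploit of unpatched dependency",
         "no vulnerability scanning", "medium", "high", "mitigate", ["A.8.8"]),
    Risk("R3", "customer database", "ransomware", "restores never tested",
         "medium", "high", "mitigate", ["A.8.13"]),
    Risk("R4", "staff laptops", "device theft", "disk not encrypted",
         "medium", "medium", "mitigate"),                      # mitigate chosen, no control picked
    Risk("R5", "marketing analytics", "vendor data exposure", "shared export bucket",
         "low", "low", "accept"),                              # accepted, but nobody signed
    Risk("R6", "customer database", "insider exfiltration", "no audit trail",
         "low", "high", "accept", signoff="CISO, 2026-05-01"),
]

# Constructed current status and evidence pointers per control (Step 4 input).
EXISTING = {
    "A.8.5": ("partial", ["mfa-rollout-ticket-412"]),
    "A.5.15": ("implemented", []),                     # claimed, with nothing to show
    "A.8.8": ("missing", []),
    "A.8.13": ("implemented", ["restore-test-2026-04.pdf"]),
    "A.8.15": ("implemented", ["log-retention-policy.md"]),
}

# Controls required for reasons other than a register risk (contractual, legal).
OTHER_REASONS = {"A.8.15": "customer DPA requires 12-month log retention"}


def build_soa(catalog, risks, existing, other_reasons):
    """A control is applicable if a mitigate decision or an external requirement names it."""
    soa = []
    for cid, title in catalog.items():
        drivers = [r.rid for r in risks if r.treatment == "mitigate" and cid in r.controls]
        reason = other_reasons.get(cid)
        if drivers or reason:
            status, evidence = existing.get(cid, ("missing", []))
            parts = (["treats " + ", ".join(drivers)] if drivers else []) + ([reason] if reason else [])
            soa.append(SoaEntry(cid, title, True, status, "; ".join(parts), drivers, evidence))
        else:
            soa.append(SoaEntry(cid, title, False, "n/a",
                                "no in-scope risk or external requirement identified"))
    return soa


def check_traceability(risks, soa, accept_threshold=6):
    """Walk the chain an auditor follows: risk -> treatment -> control -> evidence."""
    known = {e.control for e in soa}
    findings = []
    for r in risks:
        if r.treatment == "mitigate":
            if not r.controls:
                findings.append(f"{r.rid}: mitigate chosen but no control selected")
            findings += [f"{r.rid}: references unknown control {c}" for c in r.controls if c not in known]
        elif r.treatment == "accept":
            if not r.signoff:
                findings.append(f"{r.rid}: accepted without sign-off")
            if r.level() >= accept_threshold:
                findings.append(f"{r.rid}: accepted at level {r.level()}, above threshold")
    for e in soa:
        if e.status == "implemented" and not e.evidence:
            findings.append(f"{e.control}: marked implemented with no evidence")
    return findings


def remediation_backlog(risks, soa):
    """Step 5 backlog: open applicable controls, highest driving risk level first."""
    by_id = {r.rid: r for r in risks}
    items = []
    for e in soa:
        if e.applicable and e.status in ("partial", "missing"):
            priority = max((by_id[rid].level() for rid in e.risks), default=0)
            items.append((e.control, e.status, priority))
    return sorted(items, key=lambda t: (-t[2], t[1] != "missing"))


if __name__ == "__main__":
    soa = build_soa(CATALOG, RISKS, EXISTING, OTHER_REASONS)
    for finding in check_traceability(RISKS, soa):
        print("FINDING:", finding)
    for control, status, priority in remediation_backlog(RISKS, soa):
        print(f"TODO p{priority}: {control} ({status})")
```

On the sample data the check raises exactly the three gaps the article warns about: a mitigate decision with no control behind it (R4), an acceptance with no sign-off (R5), and a control marked implemented with no evidence (A.5.15). A.8.15 lands in the SoA on a contractual justification alone, and A.8.1 is excluded with a recorded reason, which is what an auditor expects to see for a control you chose not to apply. The clause-level blockers from Step 5 (no internal audit, no management review) are deliberately outside this check; they are management-system records, not Annex A rows.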

Step 6: Run internal audits and a management review

Before the certification body shows up, the standard requires you to audit yourself (clause 9.2) and hold a management review (clause 9.3). These prove the ISMS is being actively managed, not just documented once and shelved. Skipping them is one of the most common reasons a first certification attempt fails — the technical controls are fine, but there's no evidence the management system is alive.

Step 7: The certification audit

Certification comes in two stages. Stage 1 is a documentation review: the auditor checks that your ISMS exists on paper, meaning scope, policies, risk assessment, SoA, and audit and review records. Stage 2 is the implementation audit, where they test whether the controls actually operate as documented. Major nonconformities raised at Stage 2 have to be corrected before the certificate is issued; minor ones usually need an accepted corrective-action plan. Pass both and you receive a certificate valid for three years, with annual surveillance audits in between and a recertification audit before it expires.

Where AI fits in the timeline

Mapped to the steps above, AI compresses steps 1 through 4 — the analytical preparation — from weeks of consultant discovery into a first draft you refine. It does nothing for steps 5 through 7, which are about real implementation and audit. That's the right division of labor: let the tool handle the structured analysis, and spend your time on the judgment and the evidence.

The Xeviora ISO 27001 Audit Prep tool does exactly steps 1 through 4 in a single run for 10 credits. You give it your organization description, scope boundary, asset inventory, and existing controls; it returns a drafted ISMS scope, a risk register mapped to Annex A, a control applicability assessment, a readiness score, and a prioritized remediation plan. New accounts start with 10 free credits, so the first assessment costs nothing.

If you're still weighing whether ISO 27001 is the right framework versus SOC 2, read ISO 27001 vs SOC 2: which do you need before you commit the budget. Picking the framework your buyers actually ask for is the cheapest decision you'll make in this whole process — and the easiest one to get wrong.

Frequently asked questions

Can AI get me ISO 27001 certified on its own?

No. AI can compress the gap analysis, draft your scope, build a first-pass risk register, and map controls to Annex A. But certification requires an accredited body to run a Stage 1 and Stage 2 audit, and it requires real controls that genuinely operate. AI accelerates the preparation; it doesn't replace the audit or the work behind it.

How long does ISO 27001 certification take?

From a standing start, plan on 3 to 6 months of preparation before you're ready for the audits, followed by the Stage 1 documentation review and the Stage 2 implementation audit. Organizations with mature security practices move faster; those building an ISMS from scratch take longer.

What documents do I need for ISO 27001?

At minimum: a defined ISMS scope, an information security policy, information security objectives (clause 6.2), a documented risk assessment and risk treatment process with the resulting risk register and treatment plan, a Statement of Applicability, records of internal audits, management reviews, nonconformities and corrective actions, and evidence for the Annex A controls you've marked as implemented. The management-system records are what most teams underestimate.

How much does the Xeviora ISO 27001 tool cost to use?

Each readiness assessment costs 10 credits, and new accounts start with 10 free credits so your first run is free. It produces a drafted ISMS scope, a risk register mapped to Annex A, a control applicability assessment, a readiness score, and a prioritized remediation plan.


Try ISO 27001 Audit Prep

Draft your ISMS scope, build a risk register, and map ISO 27001:2022 Annex A controls. 10 credits per run — sign up free and get 10 credits.

