Using AI to Strengthen ISO 27001 Compliance


Preparing for our ISO 27001:2022 recertification, and a transition from the 2013 standard, was no small task. As a custom software company handling sensitive client data, we hold ourselves to high standards around security and compliance. But this year, we approached the challenge differently.

We built and deployed a custom AI Copilot agent to help us get there faster, smarter, and with greater confidence.

Why we built our own AI Copilot agent

While Microsoft Copilot tools are rapidly advancing, our needs were quite specific:

  • Understand our unique ISMS structure
  • Perform a detailed gap analysis against the updated 2022 standard
  • Automate repetitive registers and logs (e.g. change requests, risk assessments)
  • Reduce manual effort while improving consistency

We created our own agent using Azure OpenAI, trained on our documentation formats, terminology and control structure. It was lightweight, secure, and fast to implement. And it worked brilliantly.

What it helped us do

Using the AI agent, we were able to:

  • Rapidly compare ISO 27001:2022 clauses with our existing controls
  • Identify areas requiring new evidence or adjustments
  • Generate initial register entries (such as risks from change requests), saving manual data entry
  • Focus human effort where it mattered: interpreting outputs, improving policies and sense-checking gaps

We estimate that it saved us over 65 hours of manual work across the team, a significant chunk of the 240 hours or so we dedicated in total.

The result?

We passed our 3-year reaccreditation without a single minor non-conformance. That’s a first for us, and a meaningful signal that the mix of AI and human oversight paid off.

What we learned

AI can’t replace governance, context or judgement, especially in a standard as nuanced as ISO 27001. But when trained appropriately, it can dramatically accelerate the process and free up time to focus on higher-value work.

By building an agent tailored to our workflows, we got the best of both worlds: the efficiency of automation, with the rigour of human review.

What’s next?

We’re now exploring how similar agents can support our clients, whether in regulated sectors or internal compliance. From document reviews to policy mapping, the potential is growing fast.

At Talk Think Do, we’re committed to exploring AI responsibly, not just as a trend, but as a tool for better outcomes.
