ISO 27001, Backed by Real Controls
ISO 27001 is a genuinely seeded framework in Fintra’s control library. Map Annex A controls, manage policies, and tie evidence to governed actions instead of maintaining a spreadsheet ISMS.
Illustrative product view
A genuinely seeded framework
ISO 27001 is one of the frameworks Fintra actually seeds in its control library alongside SOC 2, NIST CSF, HIPAA, PCI DSS, GDPR, and CCPA - roughly ninety canonical controls in total. That means you start from a real control set with the routers to run it (/controls, /control-tests, /frameworks, /policies, /evidence), not an empty template you have to build out yourself.
What ISO 27001 automation covers
| Element | Router | What it does |
|---|---|---|
| Controls | /controls, /canonical-controls | The seeded control set to map Annex A against |
| Control tests | /control-tests | Evidence that each control operates |
| Policies | /policies | Policies linked to the controls they support |
| Evidence | /evidence, /evidence-automation | Artifacts, including from governed actions |
| Risks | /risks | The risk register the ISMS manages |
Evidence from governed actions
Where you have action governance in place, the govern→evidence loop can feed ISO controls too: an authorization or logging action produces evidence that a control operated, written as a hash-chained ledger entry. As with SOC 2, this is opt-in and flows when a compliance sink is configured.
How it connects
- Shares the control library with SOC 2, NIST CSF, HIPAA, PCI, and GDPR
- Policy management keeps policies mapped to Annex A controls
- Continuous monitoring watches control and test health
- The auditor portal exposes the ISMS to your certification body
Frequently asked questions
Does Fintra support ISO 27001?
Yes. ISO 27001 is one of the genuinely seeded frameworks in Fintra’s control library, with roughly ninety canonical controls across the supported frameworks. You map Annex A controls, manage linked policies, run control tests, and attach evidence using the real compliance routers rather than building an ISMS from scratch.
What is included in ISO 27001 automation?
The seeded control set, control tests to evidence each control, policy management linked to controls, an evidence store, and a risk register. Where action governance is in place, governed actions can also feed evidence into ISO controls when the compliance loop is enabled.
Can governed actions produce ISO evidence?
Yes, when the compliance loop is configured. The same govern→evidence mechanism that produces SOC 2 evidence can attach hash-chained evidence to ISO controls. It is opt-in and requires a configured sink, so it is active once enabled at deploy time.
How is this different from a spreadsheet ISMS?
A spreadsheet ISMS is manual and drifts out of date. Here the control set is seeded, policies and tests are linked to controls, evidence can be generated by the work itself, and continuous monitoring flags overdue tests and unowned policies - so the ISMS stays current instead of being rebuilt before each audit.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Run your ISMS on real controls
Start from a seeded ISO 27001 control set and keep it audit-ready.
Talk to us