Playbook

Walk Into the ISO 27001 Audit With Operating Evidence

ISO 27001 asks you to operate an ISMS, not describe it. Prepare by backing your Annex A controls with live evidence of operation - access decisions, monitoring, and AI governance - that exports as a bundle.

Talk to usFree to start - no card required.

Why this is hard

The gap most ISO 27001 audits expose is between the documented control and the operating one. You can write a beautiful policy and still fail to show the control fired on real activity over the period. Preparing well means having evidence that Annex A controls operate continuously, including the denials that prove enforcement, ready to export.

  • A documented control is not the same as an operating one
  • Auditors want evidence of operation over the whole period
  • Access by AI agents and service accounts is often unevidenced
  • Assembling evidence at audit time risks gaps in the record

The approach, step by step

From ISMS on paper to ISMS in evidence

  1. 1

    Map controls to Annex A

    Tie your access, monitoring, and emerging-technology controls to the Annex A areas they support.

  2. 2

    Evidence operation at runtime

    Record the access decisions, anomalies, and agent-governance events that show each control firing on real activity.

  3. 3

    Keep the denials

    Retain blocked and stepped-up actions as proof the control is enforced, not just present.

  4. 4

    Capture the policy version

    Record which rules governed each action so you can answer what was in force at any point in the period.

  5. 5

    Export the bundle

    Bundle the period’s hashed, control-mapped evidence for the certification audit.

How SentriAI does the work

SentriAI evidences the ISMS as it operates: authorization and denial decisions support access control, recorded anomalies support monitoring, and agent-governance records support the controls around new technology. Every activity is hashed, tied to Annex A via control-impact hints, and exportable as a bundle.

What you get out of the box

  • Annex A access and monitoring controls evidenced at runtime
  • Blocked and stepped-up actions retained as enforcement proof
  • Policy versioning to answer what governed when
  • An exportable, hashed evidence bundle for the audit

Avoid the common pitfall

Frequently asked questions

How do I prepare for an ISO 27001 audit?

Map your controls to Annex A, evidence their operation at runtime with access decisions, anomalies, and agent-governance records, retain the denials as enforcement proof, capture policy versions, and export the period as a hashed, control-mapped bundle.

What Annex A areas does runtime evidence cover?

Primarily access control, logging and monitoring, and the governance of new technologies like AI agents - evidenced by authorization and denial decisions, recorded anomalies, and agent-governance records.

How do I show controls operate, not just exist?

By recording each time a control fires on a real action, including blocked attempts. That demonstrates operation over the period, which is what an ISMS audit checks, rather than presenting a policy document.

Can ISO 27001 evidence be reused for SOC 2?

Yes. The evidence is framework-neutral, so the same control activities map to SOC 2 CC6/CC7 and other frameworks from one stream.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Show your ISMS actually operates

Back Annex A controls with live, exportable evidence. Start free, no card required.

Talk to us