
ISO 27001 Manager

ISO 27001 ISMS implementation and cybersecurity governance.

$skillfish add ~skills/information-security-manager-iso27001

Real Conversations

See how the ISO 27001 Manager skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

We're a 40-person HealthTech SaaS company. A major NHS trust is requiring ISO 27001 certification before signing our contract. We have no ISMS. The auditors are coming in 8 months. Is this achievable and where do we start?

Agent

ISO 27001 in 8 months — achievable for a 40-person company.

Typical timeline: 6–12 months for a company your size. You're at the tight end but doable with focused effort.

8-Month Roadmap:

Month 1–2: Foundation

  • Appoint ISMS Manager (existing IT/Security lead, part-time OK)
  • Define ISMS scope — typically: cloud infrastructure, SaaS product, customer data processing
  • Gap analysis against ISO 27001:2022 controls (Annex A — 93 controls)
  • Complete asset inventory: systems, data flows, third parties

Month 2–3: Risk Assessment

  • Define risk methodology (likelihood × impact, 1–5 scale)
  • Risk register: identify threats/vulnerabilities for each asset
  • Statement of Applicability (SoA) — which controls apply and why
  • Risk treatment plan: accept, mitigate, transfer, avoid

Month 3–5: Control Implementation (critical controls first)

Control | Priority | Implementation
A.5 — Information security policies | High | 8 core policies
A.9 — Access control | High | RBAC, MFA enforcement, access reviews
A.12 — Operations security | High | Patch management, logging, backups
A.16 — Incident management | High | Incident response procedure
A.17 — Business continuity | Medium | BCP/DR plan, tested restore

Month 5–6: Documentation and training

  • ISMS manual, risk register, SoA, all 8+ policies
  • Staff security awareness training (mandatory — auditors will ask)
  • Internal audit (required before Stage 2)

Month 7: Stage 1 audit (document review)

Month 8: Stage 2 audit (on-site controls verification)

Certification body recommendation: BSI, SGS, or Bureau Veritas for NHS-trusted certs.

Want me to generate the gap analysis template and the prioritized control implementation plan?

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best: Claude Opus 4, Claude Sonnet 4, GPT-4.1, Gemini 2.5 Pro, Grok 3, Kimi K2
Good: Claude Haiku 4.5, GPT-4.1 mini, Gemini 2.5 Flash, Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K: skill only
32K+: skill + conversation
100K+: skill + references + codebase

All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.

Pro tips for best results

1. Be specific: include numbers (users, budget, RPS) so the skill can size the architecture.

2. Share constraints: compliance needs, team size, and existing stack all improve the output.

3. Iterate: start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4. Combine skills: pair with companion skills below for end-to-end coverage.

Good to Know

Advanced guide and reference material for ISO 27001 Manager. Background, edge cases, and patterns worth understanding.

ISO 27001:2022 Structure Overview

ISO 27001:2022 is organised into clauses 0–10 plus Annex A. Clause 0 is the introduction and clauses 1–3 are introductory (scope, normative references, terms and definitions); none of them carries an auditable requirement. Clauses 4–10 are the normative requirements auditors test against, and the standard does not allow any of them to be excluded from the ISMS:

Clause group | Clause | Purpose
Context | 4 | Define organizational context, interested parties, ISMS scope
Leadership | 5 | Management commitment, policy, roles and responsibilities
Planning | 6 | Risk assessment, risk treatment, information security objectives
Support | 7 | Resources, competence, awareness, communication, documented information
Operation | 8 | Operational planning, risk treatment implementation
Performance evaluation | 9 | Monitoring, internal audit, management review
Improvement | 10 | Nonconformity, corrective action, continual improvement

Key changes from ISO 27001:2013 to 2022:

  • Annex A controls reduced from 114 to 93, reorganized from 14 domains into 4 categories
  • Attribute tagging added to controls (five attributes: control type, information security properties, cybersecurity concepts, operational capabilities, security domains). Using the attributes is not mandatory, but they make it easier to structure the SoA and to filter controls by the property or capability they serve
  • 11 new controls introduced covering cloud services, threat intelligence, ICT readiness, and data masking
  • Clause 6.3 added: explicit requirement to plan changes to the ISMS in a controlled manner

Annex A Controls Overview

The 2022 revision consolidates controls into 4 categories:

Category | Control count | Scope
Organizational | 37 | Policies, roles, threat intelligence, supplier management, incident management
People | 8 | Screening, training, disciplinary process, remote working
Physical | 14 | Physical perimeter, physical media, secure areas, equipment
Technological | 34 | Access control, cryptography, network security, vulnerability management, logging and monitoring

The 11 new controls in ISO 27001:2022:

Control | Reference | Description
Threat intelligence | A.5.7 | Collect and analyze information about threats
Information security for cloud services | A.5.23 | Cloud-specific acquisition and use controls
ICT readiness for business continuity | A.5.30 | Ensure ICT continuity planning is integrated with BCP
Physical security monitoring | A.7.4 | Surveillance of physical premises
Configuration management | A.8.9 | Secure configurations for hardware, software, services
Information deletion | A.8.10 | Data deletion from systems and media when no longer needed
Data masking | A.8.11 | Masking PII and sensitive data consistent with need-to-know
Data leakage prevention | A.8.12 | DLP controls on systems and networks
Monitoring activities | A.8.16 | Detect anomalous behavior, security events
Web filtering | A.8.23 | Manage access to external websites to reduce exposure
Secure coding | A.8.28 | Establish and apply secure coding principles

Statement of Applicability (SoA)

The SoA is a mandatory documented output of the risk treatment process (clause 6.1.3). It lists every Annex A control, states whether it is applicable to your ISMS, and — for applicable controls — what justifies inclusion and what the implementation status is.

Key SoA requirements:

  • Every control must appear — no control can be silently omitted
  • For each control: applicable (yes/no), justification, implementation status (planned/partially implemented/implemented)
  • If excluding a control: the justification must demonstrate no risk or regulatory need — not simply that it is inconvenient to implement
  • The SoA must reference your risk treatment plan — auditors will verify that selected controls map back to identified risks

Common mistake: Marking controls like "Monitoring activities" (A.8.16) or "Information security in supplier relationships" (A.5.19) as not applicable because they seem complex. Auditors treat unexplained exclusions as evidence of an immature risk assessment. Unless you have zero suppliers and zero networked systems, those controls apply; the exclusion must be argued from the risk assessment, not from effort.

Certification Stages

Stage | Focus | Typical duration | What auditors examine
Stage 1 | Documentation review | 1–2 days, on-site or remote | ISMS scope, risk assessment method, SoA, policies, internal audit evidence
Stage 2 | Implementation verification | 2–5 days on-site | Control evidence, records, staff interviews, system walkthroughs

Typical timeline from decision to certificate:

  • Organizations with minimal security processes: 12–18 months
  • Organizations with existing ISO 9001 or SOC 2 foundations: 6–9 months
  • Between Stage 1 and Stage 2: typically 4–12 weeks to remediate Stage 1 findings

After certification, surveillance audits occur annually; full recertification every 3 years.

Stage 1 readiness checklist: risk register completed, SoA approved by management, all mandatory policies documented and approved, internal audit conducted, management review meeting held with minutes.

Common Implementation Pitfalls

Over-scoping the ISMS boundary: Including all business units when certification is only needed for one product or service line. A narrower, well-controlled scope achieves certification faster and reduces audit surface. Scope boundaries must be documented and defensible.

Policy-writing without evidence: Having an Access Control Policy but no access review records, no MFA enforcement logs, no joiners/movers/leavers process records. Auditors follow policies to evidence. A policy with no supporting records is a nonconformance.

Broken risk treatment linkage: Risk register identifies 30 risks; risk treatment plan references controls; SoA lists controls — but the three documents do not cross-reference each other. Auditors treat unlinked documents as evidence the process is theoretical, not operational.
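The SoA requirements above and this linkage pitfall reduce to one mechanical cross-check that is worth scripting before every internal audit: every Annex A control appears in the SoA exactly once, every exclusion is justified, every mitigated risk cites controls the SoA marks applicable, and every applicable control is cited by at least one risk. The script below is an added example written for this page; it is not part of the ISO 27001 Manager skill and not taken from the standard. ANNEX_A is a constructed subset of the 2022 catalogue (seven of the 93 controls), and SAMPLE_SOA and SAMPLE_RISKS are constructed records seeded with the mistakes described in the text: an omitted A.8.16, an A.5.19 exclusion with no justification, a leftover 2013 identifier, a risk that cites an excluded control, and a "mitigated" risk that cites nothing.

```python
"""Cross-check a Statement of Applicability (SoA) against the Annex A
catalogue and the risk register so the three documents demonstrably
reference each other. Added example for this page, not the skill's own
code. ANNEX_A is a constructed subset; the sample rows are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed subset of ISO 27001:2022 Annex A (id -> title); load all 93 for real use.
ANNEX_A = {
    "A.5.7": "Threat intelligence",
    "A.5.19": "Information security in supplier relationships",
    "A.5.23": "Information security for use of cloud services",
    "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management",
    "A.8.16": "Monitoring activities",
    "A.8.28": "Secure coding",
}
VALID_STATUS = {"planned", "partially implemented", "implemented"}
VALID_TREATMENT = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class SoaRow:
    control: str
    applicable: bool
    justification: str      # why included, or why excluded
    status: str = ""        # required when applicable


@dataclass
class Risk:
    risk_id: str
    asset: str
    treatment: str
    controls: list[str] = field(default_factory=list)  # SoA controls that treat this risk


@dataclass(frozen=True)
class Finding:
    severity: str   # "error": fix before Stage 1; "warning": expect an auditor question
    code: str
    detail: str


def validate(catalogue: dict[str, str], soa: list[SoaRow], risks: list[Risk]) -> list[Finding]:
    out: list[Finding] = []
    seen: dict[str, int] = {}
    for row in soa:
        seen[row.control] = seen.get(row.control, 0) + 1
    # 1. Every catalogue control appears exactly once: no silent omissions.
    for cid, title in catalogue.items():
        if cid not in seen:
            out.append(Finding("error", "SOA_MISSING", f"{cid} ({title}) is absent from the SoA"))
        elif seen[cid] > 1:
            out.append(Finding("error", "SOA_DUPLICATE", f"{cid} is listed {seen[cid]} times"))
    # 2. Identifiers must be 2022 ones; 2013-style ids such as A.9.1.1 are a common leftover.
    for cid in seen:
        if cid not in catalogue:
            out.append(Finding("error", "SOA_UNKNOWN_CONTROL", f"{cid} is not an Annex A (2022) control"))
    # 3. Exclusions carry a justification; applicable rows carry a recognised status.
    applicable: set[str] = set()
    for row in soa:
        if row.applicable:
            applicable.add(row.control)
            if row.status not in VALID_STATUS:
                out.append(Finding("error", "SOA_BAD_STATUS", f"{row.control}: status {row.status!r}"))
        elif not row.justification.strip():
            out.append(Finding("error", "SOA_UNJUSTIFIED_EXCLUSION", f"{row.control} excluded with no justification"))
    # 4. Risk register -> SoA: mitigated risks cite controls, and cited controls are applicable.
    referenced: set[str] = set()
    for risk in risks:
        if risk.treatment not in VALID_TREATMENT:
            out.append(Finding("error", "RISK_BAD_TREATMENT", f"{risk.risk_id}: treatment {risk.treatment!r}"))
        if risk.treatment == "mitigate" and not risk.controls:
            out.append(Finding("error", "RISK_NO_CONTROLS", f"{risk.risk_id} is mitigated but cites no control"))
        for cid in risk.controls:
            referenced.add(cid)
            if cid not in applicable:
                out.append(Finding("error", "RISK_CITES_EXCLUDED", f"{risk.risk_id} cites {cid}, not applicable in SoA"))
    # 5. SoA -> risk register: an applicable control no risk points at has no documented reason.
    for cid in sorted((applicable & set(catalogue)) - referenced):
        out.append(Finding("warning", "SOA_ORPHAN_CONTROL", f"{cid} is applicable but no risk treatment cites it"))
    return out


def audit_ready(findings: list[Finding]) -> bool:
    """True when nothing at 'error' severity remains."""
    return not any(f.severity == "error" for f in findings)


# Constructed sample SoA, seeded with one omission, one bare exclusion and one 2013 id.
SAMPLE_SOA = [
    SoaRow("A.5.7", True, "Threat feeds drive patch prioritisation", "implemented"),
    SoaRow("A.5.19", False, ""),                                      # excluded, unjustified
    SoaRow("A.5.23", True, "Product runs on public cloud", "partially implemented"),
    SoaRow("A.7.4", False, "Single serviced office, no owned server rooms"),
    SoaRow("A.8.9", True, "Baseline configs for every cloud service", "planned"),
    # A.8.16 Monitoring activities omitted: the "looks complex" mistake
    SoaRow("A.8.28", True, "In-house SaaS development", "implemented"),
    SoaRow("A.9.1.1", True, "Access control policy", "implemented"),   # 2013 numbering
]
# Constructed sample risk register.
SAMPLE_RISKS = [
    Risk("R-01", "Customer data in cloud DB", "mitigate", ["A.5.23", "A.8.9"]),
    Risk("R-02", "Payroll SaaS provider", "mitigate", ["A.5.19"]),    # cites an excluded control
    Risk("R-03", "Unpatched CVE in web tier", "mitigate", ["A.5.7"]),
    Risk("R-04", "Office laptop theft", "transfer", []),              # insured, no control needed
    Risk("R-05", "Phishing of finance team", "mitigate", []),         # "mitigated" by nothing
]

if __name__ == "__main__":
    results = validate(ANNEX_A, SAMPLE_SOA, SAMPLE_RISKS)
    for f in results:
        print(f"[{f.severity}] {f.code}: {f.detail}")
    print("audit-ready:", audit_ready(results))
```

Run as a script it prints one line per finding and an audit-ready verdict. To use it for real, replace ANNEX_A with all 93 controls and build the SoaRow and Risk lists from your own register exports; the orphan-control warning is deliberately a warning rather than an error, because a control can legitimately be selected for a contractual or legal reason rather than a risk, but that reason still has to be written in the justification column.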

Ignoring supplier and third-party controls: Annex A controls A.5.19–A.5.22 (supplier relationships, supplier agreements, the ICT supply chain, and monitoring of supplier services) and the new cloud services control (A.5.23) are consistently under-implemented. Every SaaS tool your staff uses, every contractor with system access, every cloud provider is in scope. Maintain a supplier register with security assessment status.

Internal audit as a formality: ISO 27001 requires that the internal audit programme covers all ISMS clauses over time. Audits that are scheduled the week before Stage 2 and produce zero findings are a red flag — certification bodies expect to see genuine findings and corrective actions.

Ready to try ISO 27001 Manager?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

$skillfish add ~skills/information-security-manager-iso27001