ISO 27001 documentation with AI: the precision problem
ISO 27001 audits fail on precision, not effort. Generic AI produces plausible compliance text that reads well and doesn't survive contact with an external auditor. This is a class of drafting problem where "close enough" literally means a nonconformity.
What ISO 27001 documentation actually is
An ISO 27001 information security management system (ISMS) is document-heavy by design. At the core, you're producing: the ISMS scope statement, the information security policy, the Statement of Applicability (SoA) mapping the 93 Annex A controls to your implementation, control narratives explaining how each applicable control is applied, risk assessment and treatment plans, and the operational records that evidence the whole thing works day to day.
The auditor reads all of it. They read it looking for specific things: unambiguous scope, defensible risk methodology, control narratives that a competent third party could implement from, and an evidence chain that ties each control claim to something verifiable. Vagueness is not just aesthetically bad; it's an audit finding.
Where generic AI breaks (and how it fails an audit)
A control narrative for A.8.24 (Use of cryptography) drafted by a chat-style model reads something like this: "The organisation uses industry-standard cryptography to protect sensitive data. Encryption keys are managed in line with best practice, and cryptographic policy is reviewed regularly." That paragraph is coherent, grammatically fine, and would read as competent in almost any other context.
In an ISO 27001 external audit, that paragraph is a minor nonconformity. Specifically:
- "industry-standard cryptography" is not a policy statement; the auditor wants a reference to a specific standard (e.g., FIPS 140-3 validated modules, or AES-256 for data at rest with a named justification).
- "in line with best practice" is weasel language. Which practice, mandated by which internal document?
- "reviewed regularly" begs the question of frequency and role. Reviewed by whom, at what cadence, evidenced how?
- No cross-reference to a policy or evidence artefact. A good narrative points at the Cryptography Policy document by name and version, and mentions how key rotation events are logged.
None of those failures are visible to a language model that's optimising for fluent prose. The model was trained to write things that read well. ISO 27001 documentation is written to read like an engineering specification: dry, precise, exhaustively cross-referenced, and unambiguous. The two objectives are close to opposites.
The precision requirements, itemised
A workable AI workflow for ISO 27001 documentation has to encode the precision requirements as first-class constraints. In practice, six of them do most of the work.
1. Correct control IDs and clause references
Annex A of ISO/IEC 27001:2022 restructured the controls into 93 in four themes (Organisational, People, Physical, Technological). Older narratives reference the 2013 numbering. Any narrative that references A.13.1.1 in a 2022 SoA is instantly wrong. Automation has to know the version of the standard the organisation is certifying against and use that numbering exclusively.
2. Terminology from the standard, not synonyms
ISO 27001 has specific defined terms: "information security incident", "information security event", "corrective action", "nonconformity". A narrative that swaps "security incident" for "security event" changes meaning. A narrative that says "issues" instead of "nonconformities" reads as sloppy. Terminology has to be enforced at the glossary level so the AI stops helpfully rephrasing.
3. Named evidence artefacts
Every control narrative should point at a specific policy document, procedure, log, or record. "Access is reviewed periodically" is wrong; "Access is reviewed quarterly by the department manager, as defined in Access Control Procedure ACP-001 v3.2, with review records retained in the Access Review Log for three years" is right. The AI can't invent those artefact names; it has to work from an artefact register you provide as source material.
4. Roles by title, not by name
"The Information Security Officer approves..." works; "Sarah in IT approves..." doesn't (people change roles). This is a rule the AI has to be told, because chat-style tools default to whichever name appears in the source transcript.
5. Cadence, not "regularly"
Every mention of review, audit, testing, or update needs an explicit cadence. Monthly, quarterly, annually, or "on change" (with what constitutes a change defined). The auditor will ask, and if the narrative says "regularly", they get to pick the interpretation least favourable to you.
6. Consistent scope references
Every control narrative applies within the ISMS scope. If your scope is "the Sydney office and its cloud infrastructure", the narratives have to consistently refer to that scope. A narrative that says "all company laptops" when your ISMS scope is only Sydney is either wrong (out-of-scope claim) or a scope expansion the auditor will pounce on.
What a structured AI workflow does differently
The workflow shape that makes ISO 27001 documentation tractable looks a lot like the workflow shape for any other structured, high-precision drafting task, but the constraints are dialled up.
A SkyDraft workspace configured for ISO 27001 has:
- A template with one section per control in the organisation's SoA, plus separate templates for the ISMS scope statement, information security policy, and risk treatment plan.
- A glossary that enforces the standard's terminology and bans the weasel words (regularly, appropriate, in line with best practice, industry standard).
- A workspace-level asset register listing every policy, procedure, log, and evidence artefact by name and version. Control narratives must reference these artefacts, and the AI is prompted to raise a clarification if a required artefact doesn't exist yet.
- Sources loaded per document: the current SoA, the risk assessment, any prior surveillance audit findings, and any control-specific evidence (network diagrams, access matrices, key-management logs).
Each control narrative is then drafted section by section. The AI cross-references the artefact register, applies the standard's terminology, and flags anywhere it can't satisfy the precision requirements (no artefact for this control, no defined cadence, ambiguous role assignment). Those flags come back to the compliance officer as clarifications, and the answers become persistent notes that propagate to every related narrative.
For the underlying pattern of surfacing uncertainty rather than inventing, see the clarifications loop. For the role of glossary and voice in enforcing standard-specific language, see why brand voice matters more in AI document tools.
The evidence-mapping problem
The single biggest failure mode when firms try to accelerate ISO 27001 documentation with AI is evidence-mapping. A control narrative might read beautifully, but if the auditor asks "show me the evidence" and the referenced artefacts either don't exist or don't match what the narrative says, that's a major finding.
The workflow response is to make the artefact register a required workspace asset, not an afterthought. Every control narrative is generated against the register, not against an imagined set of documents the model thinks should exist. When the AI can't find a matching artefact, it raises a clarification card ("this control claims quarterly access review; no procedure or log matching that description is in the artefact register. Add it, or soften the claim").
This turns AI drafting from "produce plausible narratives" into "produce narratives that are provably backed by the evidence register". The second one is what surviving an audit actually requires.
Signals to check when evaluating tools
- Can I enforce standard-specific terminology at the workspace level? If not, the tool will drift into synonyms and the auditor will notice.
- Does the tool reference a controlled artefact register, or does it happily invent policy names? Ask for a demo where the artefact register is intentionally incomplete. See whether the tool flags gaps or fabricates around them.
- Can I load the current SoA as source, and does the tool respect the applicability decisions? If your SoA marks A.5.15 as not-applicable, no narrative for that control should be produced.
- What happens when the standard is updated? The 2013 to 2022 transition broke tools that hard-coded numbering. Make sure the tool tracks standard versions explicitly.
- Does the review artefact (edit history, clarification notes) survive an external audit inspection? Auditors sometimes ask to see how documents were produced. The audit trail needs to be at least as clean as your policy trail.
Where this fits in the broader compliance workflow
The gain from applying a structured AI workflow to ISO 27001 documentation is not "documentation gets generated automatically". The gain is that the precision requirements are enforced as constraints instead of relied on as memory. Junior compliance analysts produce narratives that pass senior review on the first pass more often. Senior compliance officers spend their time on the parts that need their judgment (risk methodology, scope decisions, treatment plan trade-offs) instead of on boilerplate wording of control narratives.
This matters more in ISO 27001 than in most document types because compliance analyst time is typically the constraint on how often the ISMS is actually kept current. Between certification cycles, policies drift, procedures update, and the SoA narratives don't catch up. A workflow that makes narrative updates cheap and audit-safe means the ISMS stays live between audits instead of becoming a document freeze that thaws every two years.
Certification cycles compress; surveillance audits feel less like exam week; the drift that always creeps in between audit cycles is reduced because the workflow anchors every narrative to the current artefact register. Recertification becomes an update-in-place exercise rather than a document-archaeology project.
For related patterns, see the earlier post on SOW drafting (the same precision-over-fluency argument for contractual documents), and the how it works page for the mechanical detail of templates, workspace assets, and the clarifications loop.
Where to start
Bring us your current SoA and one or two of your existing control narratives that you like. In a working session we'll set up the template, extract the terminology and evidence-linking patterns from your good narratives, and generate a new narrative live against your artefact register. You'll know within the first control whether the workflow is going to hold up in an audit or not.
SkyDraft pilot workspaces are open. Free during pilot, founder-led setup, no credit card. Pilot pricing locks in when standard pricing publishes.
Try it
Draft ISO 27001 narratives that survive external audit.
SkyDraft pilot workspaces are open. Founder-led setup on a real control set; no credit card.
Request early access