ISO/IEC 27001 was written for human operators. Your agents aren't human. Your ISMS has a blind spot.
ISO/IEC 27001 assumes human operators; agents break that model. ComplyAI extends your ISMS to the agent action layer.
ISO 27001 surveillance audits are increasingly probing for AI-system handling. The forthcoming ISO/IEC 42001 (AI management system) builds on top of 27001 — getting AI agent coverage in place now positions you for 42001 certification later.
ISO 27001 controls ↔ ComplyAI capabilities.
| ISO 27001 control | Requirement | How ComplyAI satisfies it |
|---|---|---|
A.5.1 | Policies for information security | Policy-as-code is the security-edited written policy. Versioned. Approval gated. Auditable. |
A.5.7 | Threat intelligence | Pre-built rule library based on observed AI agent threat patterns (Replit, PocketOS, Samsung, etc.). |
A.5.15 | Access control | AI agent action policy enforced at the action boundary; the agent cannot exceed declared scope. |
A.8.2 | Privileged access rights | Shell ask + MCP safe-default rules treat AI privileged actions as privileged actions. |
A.8.10 | Information deletion | Block destructive shell rules prevent agent-initiated destruction; audited if allowed. |
A.8.15 | Logging | Append-only JSONL ledger + OpenTelemetry export — satisfies the logging control for AI agent actions. |
A.8.16 | Monitoring activities | Live activity dashboard surfaces denied actions and outlier sessions in real time. |
Artifacts your auditor can run with.
- Pre-built policy mapped to ISO 27001 Annex A controls
- Statement of Applicability (SoA) bridge document — what to add for AI
- A.5 and A.8 mapping documentation with example ledger entries
- Audit-export template — JSONL filtered to ISMS-relevant events
- Transition guide for upcoming ISO/IEC 42001 (AI management system)
Common questions on ISO/IEC 27001:2022.
How does this fit into our existing ISMS?
As a documented extension. Your existing SoA gains AI-system coverage; A.5 and A.8 narratives gain AI-agent specifics. The ISMS structure does not change.
Is ComplyAI itself ISO 27001 certified?
ComplyAI is not yet ISO 27001 certified. ComplyAI produces audit evidence in ISO 27001-compatible format for A.5 and A.8 controls. For ComplyAI security posture details, contact sales.
What about ISO/IEC 42001?
ComplyAI is designed to support 42001 compliance. Customers planning 42001 certification typically start with audit evidence collection 6–12 months before the cert window.
Your agents are already taking actions. Governance shouldn't be an afterthought.
ComplyAI is in early access. We're working directly with security and engineering teams to deploy, configure, and demonstrate value in their environment — in a single session.