Modular ISO 27001 compliance software with AI-assisted evidence linking, guided audit walkthroughs, and Bring-Your-Own LLM keys. Map every Annex A control, ship audit-ready reports, and only pay for the bricks you actually need.
From scoping the ISMS to passing the surveillance audit, every phase has the bricks it needs and none it doesn't.
All 93 Annex A controls from ISO 27001:2022 across the four themes — Organizational, People, Physical, Technological — plus the ISMS clauses 4–10. Statement of Applicability auto-generated from your context.
Upload a policy, drop in a screenshot from your IDP, paste a meeting note — the AI Coach maps each artifact to the controls it actually evidences and flags where you're thin. Cuts the 60% of a certification project that traditionally goes into manual evidence wrangling.
Connect your OpenAI, Anthropic, or Gemini key and your ISO 27001 evidence is processed under your own provider relationship, your data isolation rules, and your billing. Per-tenant isolation, no cross-customer model training.
One-click export of the Statement of Applicability, risk treatment plan, internal audit findings, and management review records — formatted for the stage 1 and stage 2 audit submission. Auditors get what they need, you skip the late-night formatting.
Choose Guided mode if it's your first ISMS — the AI walks you through scoping, risk assessment, control implementation, and the internal audit step by step. Switch to Expert mode for direct edit access, bulk operations, and full visibility once your team is fluent.
Surveillance audits land every year. BrickGRC tracks your control maturity continuously, schedules evidence refresh cycles, and flags drift before the auditor does. The 3-year recertification stays a low-stress checkpoint, not a fire drill.
ISO/IEC 27001 is the international standard for information security management systems (ISMS). The current revision — ISO/IEC 27001:2022 — defines a risk-based framework for protecting the confidentiality, integrity, and availability of the information your organisation handles. Certification is awarded by an accredited certification body after a two-stage audit and is valid for three years, subject to annual surveillance audits.
The standard is structured around two parts. The main clauses (4 through 10) describe the management-system requirements: how you scope the ISMS, run risk assessments, define policy, drive continual improvement, and demonstrate leadership. Annex A lists the 93 controls grouped under four themes — Organizational, People, Physical, and Technological — that you select from based on your risk treatment plan and document in the Statement of Applicability.
Companies pursue ISO 27001 for one of three reasons:
BrickGRC was built for the third group first — security engineers and CTOs who want a workable ISMS without the all-in-one platform price tag — and ended up serving the first two well too. Pick the bricks you need (ISO 27001 is one), bring your own AI key, ship the SoA, get certified.
Yes. The full Annex A control set across all four themes — Organizational (37 controls), People (8), Physical (14), and Technological (34) — plus the ISMS clauses 4–10. Each control has guided implementation tasks, evidence templates, and AI-assisted maturity scoring on the Initial → Managed → Defined → Quantitatively Managed → Optimised rubric.
Most teams reach audit readiness in 8–16 weeks, depending on the security controls already in place. The AI Compliance Coach prioritises gaps so you work on what matters first, and the evidence auto-linking cuts the manual collection time that traditionally consumes 60% of a certification project.
Yes. On Professional and Enterprise plans, you can connect your own OpenAI, Anthropic, or Gemini API key. Your evidence is processed under your provider relationship, your data isolation rules, and your billing — never shared between tenants.
Yes. Reports include the Statement of Applicability (SoA), risk treatment plan, control implementation evidence with citations, internal audit results, and management review records — formatted for stage 1 and stage 2 audit submission.
Yes. You can import existing policies (PDF, Word, Markdown), evidence files, and risk registers via bulk upload. The AI Coach maps them to Annex A controls automatically and flags overlaps and gaps.
Yes. The free Compliance Assessment scores your organisation against ISO 27001 controls in about 15 minutes — no credit card or signup required. You get a maturity score per control plus a prioritised gap list.
Pick the ISO 27001 brick, scope your ISMS, and let the AI Coach handle the evidence wrangling. Audit-ready in weeks, not months.