ai · security · skills

Self-assessed · sample · ISO/IEC 27001:2022

Initech: ISO/IEC 27001 readiness from one AICM run

The information-security gold standard. Same GRA diagnostic as the 42001 and 27701 reports; this lens asks what already maps to an ISMS.

Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s AICM→ISO/IEC 27001 crosswalk. Readiness for conversation and planning, not an ISO certification, audit opinion, or measured result.

Executive summary

Initech: 16 controls map to ISO/IEC 27001 but are absent in the function attestation. Close those first for this lens. Self-assessed, not certification.

Information security management (ISMS) — the gold-standard baseline.

Controls in this slice

26

Priority (mapped, absent)

16

Attested implemented

1

CSA matrix mapped

186

Full CSA sheet (CCM bridge): 135 no gap · 51 partial across 16 domains on 186 controls. AI-only AICM ids have no 27001 row.

Control register

Each row is one AICM control from the GRA diagnostic with CSA’s ISO/IEC 27001 gap and clause refs, plus Initech’s illustrative posture.

AICMTitleGapClause refsPostureBoard line
GRC-01Governance Program Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37ImplementedSelf-attested in place; CSA maps with a partial gap to ISO/IEC 27001. Confirm clause coverage with evidence.
GRC-02Risk Management ProgramNo Gap27001: 6.1 · 27001: 6.2 · 27001: A.5.23PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
GRC-03PriorityOrganizational Policy ReviewsNo Gap27001: 7.5.2 (c) · 27001: A.5.1AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
HRS-15AI Acceptable UseUnmappedn/aPartialNo CSA AICM→ISO/IEC 27001 mapping on this control id.
GRC-15Human supervisionUnmappedn/aAbsentNo CSA AICM→ISO/IEC 27001 mapping on this control id.
AIS-01Application and Interface Security Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37 · 27001: A.8.25 · 27001: A.8.27 · 27001: A.8.28 · 27001: A.8.29PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
AIS-04PrioritySecure Application Development LifecycleNo Gap27001: A.5.8 · 27001: A.8.25 · 27001: A.8.26 · 27001: A.8.28AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
AIS-07PriorityApplication Vulnerability RemediationNo Gap27001: A.5.26 · 27001: A.8.8AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
TVM-01Threat and Vulnerability Management Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
TVM-03PriorityVulnerability IdentificationNo Gap27001: 6.1.3 · 27001: A.8.7 · 27001: A.8.8 · 27001: A.8.32AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
TVM-08PriorityVulnerability Remediation ScheduleNo Gap27001: 8.2 · 27001: 8.3 · 27001: A.8.8 · 27001: A.8.19AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
A&A-01Audit and Assurance Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.2 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
A&A-02PriorityIndependent AssessmentsPartial Gap27001: A.5.35 · 27001: A.5.36AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
A&A-05PriorityAudit Management ProcessNo Gap27001: 9.2 · 27001: 9.3 · 27001: A.5.36AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
A&A-06PriorityRemediationNo Gap27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 8.2 · 27001: 8.3 · 27001: 9.3.2.d · 27001: 10 · 27001: A.5.36 · 27001: A.5.37AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
STA-01Supply Chain Risk Management Policies and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.23 · 27001: A.5.37PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
STA-08Supply Chain InventoryNo Gap27001: 6.1.1 · 27001: 6.1.2 · 27001: 6.1.3 · 27001: 6.2 · 27001: 8.1 · 27001: A.5.20 · 27001: A.5.21 · 27001: A.5.23PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
STA-10PrioritySupply Chain Risk ManagementPartial Gap27001: A.5.20AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
STA-13PrioritySupply Chain Compliance AssessmentNo Gap27001: 8.1 · 27001: 9.2 · 27001: 9.3 · 27001: A.5.19 · 27001: A.5.21 · 27001: A.5.22AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
BCR-01PriorityBusiness Continuity Management Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.29 · 27001: A.5.30 · 27001: A.5.36 · 27001: A.5.37AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
BCR-02PriorityRisk Assessment and Impact AnalysisNo Gap27001: 4.2 · 27001: 6.1.2 · 27001: 6.1.3 · 27001: 8.2 · 27001: 8.3 · 27001: A.5.29 · 27001: A.5.30AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
BCR-08BackupNo Gap27001: A.8.13 · 27001: A.5.23 · 27001: A.5.30PartialPartially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready.
BCR-06PriorityBusiness Continuity ExercisesNo Gap27001: A.5.30AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
IPY-01PriorityInteroperability and Portability Policy and ProceduresPartial Gap27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.23 · 27001: A.8.25 · 27001: A.8.26 · 27001: A.8.27 · 27001: A.5.37AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
IPY-03PrioritySecure Interoperability and Portability ManagementNo Gap27001: A.5.19 · 27001: A.5.23 · 27001: A.5.31 · 27001: A.5.32 · 27001: A.5.33 · 27001: A.5.34AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.
IPY-04PriorityData Portability Contractual ObligationsNo Gap27001: A.5.9 · 27001: A.5.20 · 27001: A.5.23AbsentCSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens.