Self-assessed · sample · ISO/IEC 27001:2022
Initech: ISO/IEC 27001 readiness from one AICM run
The information-security gold standard. Same GRA diagnostic as the 42001 and 27701 reports; this lens asks what already maps to an ISMS.
Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s AICM→ISO/IEC 27001 crosswalk. Readiness for conversation and planning, not an ISO certification, audit opinion, or measured result.
Executive summary
Initech: 16 controls map to ISO/IEC 27001 but are absent in the function attestation. Close those first for this lens. Self-assessed, not certification.
Information security management (ISMS) — the gold-standard baseline.
Controls in this slice
26
Priority (mapped, absent)
16
Attested implemented
1
CSA matrix mapped
186
Full CSA sheet (CCM bridge): 135 no gap · 51 partial across 16 domains on 186 controls. AI-only AICM ids have no 27001 row.
Control register
Each row is one AICM control from the GRA diagnostic with CSA’s ISO/IEC 27001 gap and clause refs, plus Initech’s illustrative posture.
| AICM | Title | Gap | Clause refs | Posture | Board line |
|---|---|---|---|---|---|
| GRC-01 | Governance Program Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37 | Implemented | Self-attested in place; CSA maps with a partial gap to ISO/IEC 27001. Confirm clause coverage with evidence. |
| GRC-02 | Risk Management Program | No Gap | 27001: 6.1 · 27001: 6.2 · 27001: A.5.23 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| GRC-03Priority | Organizational Policy Reviews | No Gap | 27001: 7.5.2 (c) · 27001: A.5.1 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| HRS-15 | AI Acceptable Use | Unmapped | n/a | Partial | No CSA AICM→ISO/IEC 27001 mapping on this control id. |
| GRC-15 | Human supervision | Unmapped | n/a | Absent | No CSA AICM→ISO/IEC 27001 mapping on this control id. |
| AIS-01 | Application and Interface Security Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37 · 27001: A.8.25 · 27001: A.8.27 · 27001: A.8.28 · 27001: A.8.29 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| AIS-04Priority | Secure Application Development Lifecycle | No Gap | 27001: A.5.8 · 27001: A.8.25 · 27001: A.8.26 · 27001: A.8.28 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| AIS-07Priority | Application Vulnerability Remediation | No Gap | 27001: A.5.26 · 27001: A.8.8 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| TVM-01 | Threat and Vulnerability Management Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| TVM-03Priority | Vulnerability Identification | No Gap | 27001: 6.1.3 · 27001: A.8.7 · 27001: A.8.8 · 27001: A.8.32 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| TVM-08Priority | Vulnerability Remediation Schedule | No Gap | 27001: 8.2 · 27001: 8.3 · 27001: A.8.8 · 27001: A.8.19 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| A&A-01 | Audit and Assurance Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.2 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.37 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| A&A-02Priority | Independent Assessments | Partial Gap | 27001: A.5.35 · 27001: A.5.36 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| A&A-05Priority | Audit Management Process | No Gap | 27001: 9.2 · 27001: 9.3 · 27001: A.5.36 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| A&A-06Priority | Remediation | No Gap | 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 8.2 · 27001: 8.3 · 27001: 9.3.2.d · 27001: 10 · 27001: A.5.36 · 27001: A.5.37 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| STA-01 | Supply Chain Risk Management Policies and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.23 · 27001: A.5.37 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| STA-08 | Supply Chain Inventory | No Gap | 27001: 6.1.1 · 27001: 6.1.2 · 27001: 6.1.3 · 27001: 6.2 · 27001: 8.1 · 27001: A.5.20 · 27001: A.5.21 · 27001: A.5.23 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| STA-10Priority | Supply Chain Risk Management | Partial Gap | 27001: A.5.20 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| STA-13Priority | Supply Chain Compliance Assessment | No Gap | 27001: 8.1 · 27001: 9.2 · 27001: 9.3 · 27001: A.5.19 · 27001: A.5.21 · 27001: A.5.22 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| BCR-01Priority | Business Continuity Management Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.29 · 27001: A.5.30 · 27001: A.5.36 · 27001: A.5.37 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| BCR-02Priority | Risk Assessment and Impact Analysis | No Gap | 27001: 4.2 · 27001: 6.1.2 · 27001: 6.1.3 · 27001: 8.2 · 27001: 8.3 · 27001: A.5.29 · 27001: A.5.30 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| BCR-08 | Backup | No Gap | 27001: A.8.13 · 27001: A.5.23 · 27001: A.5.30 | Partial | Partially attested; close the practice gap before treating the ISO/IEC 27001 mapping as ready. |
| BCR-06Priority | Business Continuity Exercises | No Gap | 27001: A.5.30 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| IPY-01Priority | Interoperability and Portability Policy and Procedures | Partial Gap | 27001: 5.1 · 27001: 5.2 · 27001: 7.3 · 27001: 7.4 · 27001: 7.5 · 27001: 9.1 · 27001: 9.3 · 27001: A.5.1 · 27001: A.5.4 · 27001: A.5.23 · 27001: A.8.25 · 27001: A.8.26 · 27001: A.8.27 · 27001: A.5.37 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| IPY-03Priority | Secure Interoperability and Portability Management | No Gap | 27001: A.5.19 · 27001: A.5.23 · 27001: A.5.31 · 27001: A.5.32 · 27001: A.5.33 · 27001: A.5.34 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |
| IPY-04Priority | Data Portability Contractual Obligations | No Gap | 27001: A.5.9 · 27001: A.5.20 · 27001: A.5.23 | Absent | CSA maps to ISO/IEC 27001, but practice is not attested. Priority for this lens. |