Deterministic verification for ISO 27001

ISO 27001 Compliance: Evidence, Not Policy Documents

ISO 27001:2022 is the international standard for an information security management system (ISMS). It requires 93 controls across organizational, people, physical, and technological themes. Enterprise customers demand proof of compliance before they buy. Cortex AIF delivers deterministic, source-grounded evidence that auditors accept—no LLM guesses, no manual checklists.

Run a free check →See pricing

The ISO 27001 compliance challenge

ISO 27001 certification requires you to demonstrate that 93 controls from Annex A are implemented and effective. Traditional approaches rely on policy documents, self-attestations, and manual audits. These methods are slow, error-prone, and often fail to produce the objective evidence that certification auditors demand.

Worse, many compliance tools use probabilistic LLMs to “check” controls—but an LLM cannot verify a live control configuration. It can only guess based on old training data. That introduces risk, not assurance.

Evidence, not policy documents - what an auditor accepts

Certification auditors require objective evidence: logs, configuration snapshots, network scans, and other verifiable artifacts. A policy PDF that says “we encrypt data” is not evidence. Cortex AIF produces structured evidence by running deterministic code against your actual infrastructure. Each control is checked against live sources—your cloud APIs, identity providers, endpoint agents—and the result is a timestamped, source-cited proof package.

For example, for control A.8.24 (use of cryptography), Cortex does not ask an LLM to summarize your policy. Instead, it queries your key management system and certificate stores, then outputs a VERIFIED or GAP status with the exact evidence an auditor can inspect.

How Cortex verifies - code is the judge, not the model

Cortex AIF is an anti-fabrication layer. Unlike generic compliance tools that use one LLM to judge another, Cortex uses deterministic code to check each claim against real sources. The code—not a model—decides whether a control is verified. This means every number, every date, every control ID in your compliance report is backed by a source that can be handed to an auditor.

If a fact cannot be proven by code against a live source, Cortex deletes it. No confidence scores, no probabilistic guesses. The result is a compliance report that is auditor-ready and free of hallucinations.

Why ChatGPT and generic checklists fall short

ChatGPT cannot verify a live control. It answers from old training data, cannot query your infrastructure, and cannot cite a specific regulation version. It reassures you with plausible-sounding text, but that text is not evidence.

Generic checklist suites (e.g., spreadsheets, GRC tools) produce a to-do list, not proof. They rely on manual data entry and self-attestation, which auditors increasingly reject. Cortex AIF replaces both with automated, source-grounded verification.

How Cortex AIF works for ISO 27001

Cortex connects to your existing infrastructure—cloud providers, identity systems, endpoint management, code repositories—and runs a library of verification modules mapped to each of the 93 Annex A controls. Each module executes deterministic checks (e.g., “Is MFA enforced on all admin accounts?”) and returns a VERIFIED, PARTIALLY_VERIFIED, UNVERIFIED, or GAP status with supporting evidence.

You get a real-time dashboard showing your compliance posture, plus downloadable evidence packages for each control. No manual effort, no LLM hallucinations.

Start your ISO 27001 compliance journey

Stop relying on policy documents and LLM guesses. With Cortex AIF, you get deterministic, auditor-ready evidence for every ISO 27001 control. Our platform integrates in minutes and continuously verifies your controls as your infrastructure changes.

Ready to see it in action? Contact us for a demo tailored to your ISO 27001 certification timeline.

Run a free Home > Solutions > ISO 27001 Compliance check

Describe your setup or paste your documentation. Get a sourced, per-requirement status in minutes.

Start free check

Frequently asked questions

What is ISO 27001?
ISO 27001 is an international standard for an information security management system (ISMS). The current version is ISO/IEC 27001:2022, which includes 93 controls in Annex A across four themes: organizational, people, physical, and technological. Certification is often required by enterprise customers before they will buy or integrate with a vendor.
How does Cortex AIF verify ISO 27001 controls?
Cortex uses deterministic code—not an LLM—to check each control against live sources. For example, to verify access control, it queries your identity provider and cloud APIs to confirm MFA, role-based access, and least privilege. The result is a VERIFIED or GAP status with timestamped evidence that auditors accept.
Can I use ChatGPT to prepare for ISO 27001?
ChatGPT cannot verify live controls. It generates text based on old training data and cannot query your infrastructure. Its answers are probabilistic and may include fabricated facts. For certification, you need objective evidence from your actual systems, which only a deterministic verification engine like Cortex can provide.
What evidence does an ISO 27001 auditor accept?
Auditors accept objective evidence such as system logs, configuration snapshots, network scan results, and identity provider reports. Policy documents alone are insufficient. Cortex produces structured evidence packages that include the exact source data, timestamps, and verification status for each control.