InfoSecAI · Founded 2025 · Booking H1 2026 engagements now
Toolkit catalogue

AI-enabled toolkits for standards, regulations and attestation.

InfoSecAI toolkits help organisations map obligations, assess gaps, draft governance artefacts, structure control activity, and prepare for audit, certification, regulatory review, customer assurance, and attestation activity. They are designed to reduce manual effort while keeping context, risk appetite and accountable review at the centre.

G01

Security Frameworks & Standards

International standards. Recognised control catalogues. Backbone toolkits.

Pre-built ISMS, AIMS, and cyber-hygiene baselines. Map once, report everywhere. Each toolkit includes policies, procedures, control artefacts, audit packs, and an AI Copilot that drafts in your house style.

T01 Flagship

ISO 27001 Toolkit

ISO/IEC 27001:2022 ISMS, end-to-end.

93 Annex A controls mapped, risk methodology, Statement of Applicability, internal audit programme, management review pack. Stands as the backbone toolkit: most other frameworks cross-map to its control baseline.

One control set. One control baseline. Twelve frameworks downstream.

Frameworks: ISO 27001:2022, ISO 27002:2022, ISO 31000

T02

ISO 22301 Toolkit

Business continuity management that auditors can verify.

BCMS scope, BIA template, business continuity plans, exercise programme, supplier dependency mapping. Configured to align with ISO 27001 for joint certification planning, or to operate as a standalone resilience programme.

Drills you can run. Plans auditors will accept.

Frameworks: ISO 22301:2019

T03

ISO 42001 Toolkit

AI management system aligned to EU AI Act and NIST AI RMF.

AI policy, AI risk register, AI impact assessment, model and system cards, monitoring procedures, incident handling. The AI governance backbone: build once, satisfy ISO 42001 plus EU AI Act provider obligations plus NIST AI RMF Govern function.

The AI management system that holds up under audit.

Frameworks: ISO/IEC 42001:2023, NIST AI RMF, EU AI Act

T04

NIST CSF 2.0 Toolkit

Six functions, operationalised for board, audit and regulatory review.

Govern, Identify, Protect, Detect, Respond, Recover. Tier-based maturity assessment, profile builder, sector-specific implementation guidance, executive-readable scoring. Maps cleanly to ISO 27001 controls so the work does not double.

A framework that survives contact with operations.

Frameworks: NIST CSF 2.0, NIST SP 800-53

T05

NIST AI RMF Toolkit

Govern, Map, Measure, Manage for the generative-AI era.

Trustworthiness assessments across the seven characteristics. Generative AI Profile (NIST AI 600-1) playbook actions baked in. Pairs with ISO 42001 for management-system depth, or runs standalone for risk practitioners.

Concrete actions, not just principles.

Frameworks: NIST AI RMF 1.0, NIST AI 600-1

T06

CIS Controls v8 Toolkit

Cyber hygiene baseline, IG1 / IG2 / IG3 tiered.

18 controls, 153 safeguards, mapped to NIST CSF and ISO 27001. Implementation Group banded for scale-appropriate ramp. Includes v8.1 and recent SAT (Self-Assessment Tool) updates.

The baseline most other frameworks already assume.

Frameworks: CIS Controls v8.1

T07

Cyber Essentials / Plus Toolkit

Self-assessment and Plus-audit ready, with Apr 2025 Montpellier updates.

Five technical control families, scope determination wizard, cloud-services scoping, MFA artefacts, 14-day patching SLA. UK government-supplier ready (DSPT, DEFCON 658, NHS supplier frameworks, central-government CCS frameworks).

From self-assessment to Plus audit, no rework.

Frameworks: Cyber Essentials, Cyber Essentials Plus

All Security Frameworks & Standards toolkits launch H1 2026. Early-access partners shape the roadmap.

Request early access for Frameworks & Standards toolkits

G02

Regulations

EU and UK regulatory obligations. Mapped to controls. Without doubling work.

Legal text turned into operational control work. Regulator obligations mapped to existing ISO 27001, NIST CSF and CIS Controls so the same control work supports the regulator and the auditor. Includes ICO, ESA, and ENISA implementation guidance.

T08

DORA Toolkit

ICT risk, third-party register, incident classification.

Five DORA pillars covered. ICT risk framework, third-party register schema, incident classification matrix, threat-led penetration test scoping. Aligned to the ESA RTS and ITS finalised in 2024 and in force since January 2025.

From legal text to operational control work in one toolkit.

Frameworks: DORA, ESA RTS/ITS

T09

NIS 2 Toolkit

Sector-tier scoping. Supplier obligations. Incident reporting.

Essential vs important entity classification, NIS 2 Article 21 control mapping, member-state transposition tracking (different deadlines across IE, NL, DE), board accountability artefacts.

One framework that survives twenty-seven national variations.

Frameworks: NIS 2, ENISA guidance

T10 Flagship

EU AI Act Toolkit

Risk-tier classification. Conformity assessment. FRIA. Post-market monitoring.

Provider, deployer, importer, distributor role determination. Annex III high-risk classification. Technical documentation packs. Fundamental rights impact assessment template. GPAI obligations. CE-marking ready packs aligned to applicability timelines.

From legal text to CE-marking-ready inside the implementation window.

Frameworks: EU AI Act, GPAI Code of Practice

T11

GDPR Toolkit

EU GDPR for organisations with European data subjects.

Lawful basis register, ROPA, DPIA template, controller-processor agreements, international transfer mechanisms (SCCs, BCRs, adequacy). EDPB-aligned guidance and recent CJEU case law reflected.

One ROPA. Zero spreadsheet sprawl.

Frameworks: EU GDPR, EDPB guidance

T12

UK GDPR Toolkit

UK GDPR, DPA 2018, DUAA 2025 changes baked in.

Lawful basis, Article 22 automated decision-making, ICO AI audit framework, DUAA 2025 legitimate-interests changes, international transfers (IDTA, Addendum, UK extension to the Data Privacy Framework, transfer risk assessments).

A framework aligned to DUAA expectations.

Frameworks: UK GDPR, DPA 2018, DUAA 2025

All Regulations toolkits launch H1 2026. Early-access partners shape the roadmap.

Request early access for Regulations toolkits

G03

Attestations

AICPA Trust Services Criteria. ICFR for service organisations. SSAE 18-aligned.

Service organisation attestations under AICPA standards. Mapped to ISO 27001 controls so SOC readiness and ISO surveillance activity can be planned side by side. Type 1 readiness through Type 2 examination, scoped properly from day one.

T13

SOC 1 Toolkit

ICFR control set under AT-C 320 for service organisations.

Type 1 readiness through Type 2 examination. Control objectives, complementary user entity controls, subservice organisation handling (carve-out vs inclusive). Different scope from SOC 2. Built that way from day one, not retrofitted.

ICFR is not security. The toolkit reflects that.

Frameworks: AICPA SSAE 18, AT-C 320

T14 Flagship

SOC 2 Toolkit

Trust Services Criteria, all five categories, mapped to ISO 27001 controls.

Common Criteria CC1 to CC9, optional categories (Availability, Confidentiality, Processing Integrity, Privacy), system description, management assertion. Run alongside an ISO 27001 surveillance audit without doubling work. Same control baseline, two attestations.

One control baseline. Two attestations. No rework.

Frameworks: AICPA TSC 2017 (rev 2022), SSAE 18

All Attestations toolkits launch H1 2026. Early-access partners shape the roadmap.

Request early access for Attestations toolkits

Get started

A 30-minute consultation. Clear next steps.

Use the first conversation to clarify the outcome and the next steps.

Book via Outlook
Email info@infosecai.net

Looking for something else?
Book a 30-min consultation