ISO 27001 Toolkit
ISO/IEC 27001:2022 ISMS, end-to-end.
93 Annex A controls mapped, risk methodology, Statement of Applicability, internal audit programme, management review pack. The backbone toolkit: most other frameworks map directly onto it.
Move from obligation to evidence. Map what applies, assess the gap, draft the artefacts, structure control activity and prepare for scrutiny, whether that is audit, certification, regulatory review, customer assurance or attestation. Senior practitioner judgement sits at the core of every output.
Not yet a self-serve product. Available through engagement with the practice during the preview window.
A senior practitioner scopes the work, runs the toolkit alongside your team, and is accountable for every output.
AI accelerates the structured tasks. Senior practitioners review, judge and sign off every output before it leaves the practice.
General availability anticipated H2 2026, informed by early-access partner feedback during the preview.
International standards. Recognised control catalogues. Backbone toolkits.
Structured implementation kits for the international standards underpinning most certification and assurance programmes. Each kit covers the management system, the control set with implementation guidance, and the artefacts required for external audit.
Business continuity that auditors can verify.
BCMS scope, BIA template, business continuity plans, exercise programme, supplier dependency mapping. Configured to align with ISO 27001 for joint certification, or to run standalone.
AI management system aligned to EU AI Act and NIST AI RMF.
AI policy, AI risk register, AI impact assessment, model and system cards, monitoring procedures, incident handling. Build once to cover the overlap between ISO 42001, NIST AI RMF and the EU AI Act.
Six functions, operationalised for board, audit and regulator.
Govern, Identify, Protect, Detect, Respond, Recover. Tier-based maturity assessment, profile builder, sector-specific implementation guidance, executive-readable scoring. Maps to ISO 27001 and CIS Controls.
Govern, Map, Measure, Manage for the generative-AI era.
Trustworthiness assessments across the seven characteristics. Generative AI Profile (NIST AI 600-1) playbook actions baked in. Pairs with ISO 42001 for management-system depth.
Cyber hygiene baseline, IG1 / IG2 / IG3 tiered.
18 controls, 153 safeguards, mapped to NIST CSF and ISO 27001. Banded by Implementation Group so the ramp matches the size and risk profile of the organisation. Includes v8.1 and recent SAT updates.
Self-assessment and Plus-audit ready, with Apr 2025 updates.
Five technical control families, scope determination wizard, cloud-services scoping, MFA artefacts, 14-day patching SLA. Ready for UK public-sector supplier requirements (DSPT, DEFCON 658, NHS scope).
EU and UK statutory obligations. Mapped to controls.
Translation kits that convert legal text into a working programme of control activity, governance actions and evidence artefacts, sized to the organisation in question.
ICT risk, third-party register, incident classification.
Five DORA pillars covered. ICT risk framework, third-party register schema, incident classification matrix, threat-led penetration test scoping. Aligned to the ESA RTS and ITS.
Sector-tier scoping. Supplier obligations. Incident reporting.
Essential vs important entity classification, NIS 2 Article 21 control mapping, member-state transposition tracking (different deadlines across IE, NL, DE), board accountability mapping.
Risk-tier classification. Conformity assessment. FRIA. Post-market monitoring.
Provider, deployer, importer, distributor role determination. Annex III high-risk classification. Technical documentation packs. FRIA templates. Post-market monitoring procedures.
EU GDPR for organisations with European data subjects.
Lawful basis register, ROPA, DPIA template, controller-processor agreements, international transfer mechanisms (SCCs, BCRs, adequacy). EDPB-aligned guidance and recent CJEU case-law baked in.
UK GDPR, DPA 2018, DUAA 2025 changes baked in.
Lawful basis, Article 22 automated decision-making, ICO AI audit framework, DUAA 2025 legitimate-interests changes, international transfers (IDTA, Addendum, UK extension to the EU-US DPF).
AICPA Trust Services Criteria. ICFR for service organisations.
Attestation kits aligned to the AICPA Trust Services Criteria and ICFR control objectives. Each kit maps onto ISO 27001 controls to avoid duplicate evidence collection across overlapping reporting cycles.
ICFR control set under AT-C 320 for service organisations.
Type 1 readiness through Type 2 examination. Control objectives, complementary user entity controls, subservice organisation handling (carve-out vs inclusive). Different scoping from SOC 2, calibrated to financial-reporting impact.
Trust Services Criteria, all five categories, mapped to ISO 27001.
Common Criteria CC1 to CC9, optional categories (Availability, Confidentiality, Processing Integrity, Privacy), system description, management assertion. Run alongside an ISO 27001 programme without duplicating evidence collection.
Every toolkit produces the same shape of evidence. Structured, scoped to the standard or regulation, and ready to be picked up by an internal team, a board sub-committee or an external auditor.
Each toolkit combines AI-enabled workflows with senior practitioner review, so outputs remain grounded in context, risk appetite, implementation reality and accountable decision-making.
Engage InfoSecAI when the scope is complex, multi-framework, time-sensitive or board-facing. The toolkit accelerates the structured tasks; senior practitioners ensure the judgement stays human.
Each kit contains the management system architecture, the control catalogue with implementation guidance, evidence templates, RACI definitions and a maturity self-assessment.
AI-assisted drafting, mapping and gap analysis under senior practitioner review. The judgement remains with the human reviewer and the senior accountable owner of the work product.
The toolkits are currently available through advisory-led private preview, with direct senior practitioner support. Early-access engagements inform the development roadmap. Capacity is limited each quarter; general availability is anticipated in H2 2026 following partner feedback.