
ISO 27001 Certification: What Automation Can and Cannot Do

By ZeroTB Research Team  |  November 12, 2025  |  13 min read

ISO 27001:2022 requires building an Information Security Management System (ISMS) that operates continuously — not a set of controls you implement before the audit and relax afterward. That requirement for operational continuity is exactly where automation earns its cost. It handles the monitoring, evidence capture, and alert generation that demonstrate continuous operation. What it cannot do is write your risk treatment plan, make judgment calls about acceptable risk, or substitute for the management commitment that ISO 27001 certification bodies evaluate as closely as the technical controls.

Understanding which parts of your ISO 27001 program can be automated — and which parts require substantive human decision-making — determines how you allocate effort across a multi-year ISMS implementation and maintenance program.

The Structure of ISO 27001:2022

ISO 27001:2022 consists of two parts: the main clauses (Clauses 4-10) and Annex A, which contains 93 security controls organized across four themes — Organizational Controls (37), People Controls (8), Physical Controls (14), and Technological Controls (34).

The main clauses are about the management system: how you define your ISMS scope, how you assess and treat risks, how you set objectives, how you handle nonconformities, and how leadership reviews the program. These clauses require human judgment and documented evidence of organizational decision-making.

Annex A controls are about the security measures themselves: access control, cryptography, incident management, supplier security, and so on. This is where automation makes the biggest difference, because many of these controls are technical in nature and can be monitored and evidenced automatically.

What Automation Handles Well

Annex A Technological Controls (Theme D)

The 34 technological controls in ISO 27001:2022 are where compliance automation delivers the clearest value. Controls such as A.8.5 (Secure Authentication), A.8.6 (Capacity Management), A.8.9 (Configuration Management), A.8.15 (Logging), A.8.16 (Monitoring Activities), A.8.20 (Networks Security), and A.8.25 (Secure Development Lifecycle) all generate data automatically from the security tooling you already run. The challenge is not producing the data; it is collecting it, normalizing it, and mapping it to the specific control objective in a way that satisfies an ISO 27001 auditor.

Specifically, automated compliance platforms handle:

  • A.8.8 Management of technical vulnerabilities. Vulnerability scan results from Tenable, Qualys, or Rapid7 can be ingested continuously, mapped to this control, and presented as evidence that vulnerability management is ongoing. Automated dashboards show current vulnerability counts by severity, time-to-remediation metrics, and exception workflows — all evidence components auditors request for this control.
  • A.8.12 Data leakage prevention. DLP tool outputs — blocked transfers, policy violations, endpoint alerts — can be captured and mapped to this control continuously, with automated alerting when DLP findings exceed a defined threshold.
  • A.8.16 Monitoring activities. SIEM log coverage, alert generation rates, analyst response times, and false positive rates are all measurable automatically and constitute evidence that monitoring activities are ongoing and effective.
  • A.5.23 Information security for use of cloud services. Cloud security posture management tools check cloud configurations against security baselines continuously. Every configuration drift event, every policy violation, and every remediation action is captured and can be presented as evidence that cloud services are managed in accordance with security requirements.
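The "collect, normalize, map" step described above, as an added example that is not ZeroTB's or the article's code: two constructed scanner exports with different field layouts (hypothetical, not real vendor schemas) are normalized into one record shape tagged with the control they evidence, and the A.8.8 metrics the article lists (open counts by severity, time-to-remediation) are derived from the result.

```python
# Added example (not ZeroTB's code): normalize constructed vulnerability findings
# from two differently shaped scanner exports into one schema, tag them with the
# Annex A control they evidence, and derive A.8.8 evidence metrics.
from datetime import datetime, timezone
from statistics import median

CONTROL = "A.8.8"  # ISO 27001:2022 Annex A: management of technical vulnerabilities

# Constructed sample exports; the field layouts are hypothetical.
SCANNER_A = [  # severity as a word, ISO 8601 timestamps
    {"id": "a-1", "severity": "Critical", "first_seen": "2025-10-01T00:00:00Z", "fixed": "2025-10-08T00:00:00Z"},
    {"id": "a-2", "severity": "High", "first_seen": "2025-10-20T00:00:00Z", "fixed": None},
]
SCANNER_B = [  # severity as a CVSS score, epoch seconds (2025-10-02 -> 2025-10-13, 2025-10-21 open)
    {"plugin": 9001, "cvss": 9.8, "opened": 1759363200, "closed": 1760313600},
    {"plugin": 9002, "cvss": 4.1, "opened": 1761004800, "closed": None},
]

def cvss_to_severity(score):
    """Bucket a CVSS base score into the same severity words scanner A uses."""
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None

def parse_epoch(t):
    return datetime.fromtimestamp(t, tz=timezone.utc) if t else None

def normalize(scanner_a, scanner_b):
    """Map both exports onto one record shape, each tagged with the control it evidences."""
    records = []
    for f in scanner_a:
        records.append({"source": "scanner_a", "id": f["id"], "severity": f["severity"].lower(),
                        "opened": parse_iso(f["first_seen"]), "closed": parse_iso(f["fixed"]), "control": CONTROL})
    for f in scanner_b:
        records.append({"source": "scanner_b", "id": str(f["plugin"]), "severity": cvss_to_severity(f["cvss"]),
                        "opened": parse_epoch(f["opened"]), "closed": parse_epoch(f["closed"]), "control": CONTROL})
    return records

def evidence_metrics(records):
    """Open findings by severity plus median days-to-remediation of closed findings."""
    open_by_sev, ttr_days = {}, []
    for r in records:
        if r["closed"] is None:
            open_by_sev[r["severity"]] = open_by_sev.get(r["severity"], 0) + 1
        else:
            ttr_days.append((r["closed"] - r["opened"]).days)
    return {"control": CONTROL, "open_by_severity": open_by_sev,
            "median_days_to_remediate": median(ttr_days) if ttr_days else None}

if __name__ == "__main__":
    print(evidence_metrics(normalize(SCANNER_A, SCANNER_B)))
```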

Access Control Evidence

Controls A.5.15 through A.5.18 cover access control, access rights management, identity authentication, and privileged access rights. These controls require both technical implementation (MFA, least privilege, access reviews) and ongoing evidence of operation. Automated collection of IdP logs, access review completion records, and privilege assignment changes covers the evidence requirement for this entire control group.

Incident Management Evidence

A.5.24 through A.5.28 cover information security incident management — from event reporting through to learning from incidents. Automated incident ticketing systems, with timestamps for detection, triage, response, and resolution, provide the evidence trail that auditors use to verify incident management controls are operating. If incidents are being managed in a platform that captures this data, the evidence requirement is substantially automated.
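A check on the evidence trail just described, as an added example that is not the article's or ZeroTB's code: it verifies that each constructed incident ticket (hypothetical field names) carries the full, correctly ordered detection, triage, response and resolution timestamps, reports where the trail is incomplete, and derives the stage durations that evidence A.5.24 through A.5.28.

```python
# Added example (not ZeroTB's code): validate the incident timestamp trail an
# auditor would expect and flag tickets whose evidence is incomplete or inconsistent.
from datetime import datetime

STAGES = ["detected", "triaged", "responded", "resolved"]

# Constructed sample tickets: one complete, one missing triage, one with an
# impossible ordering and no resolution.
TICKETS = [
    {"id": "INC-1", "detected": "2025-10-03T09:00:00", "triaged": "2025-10-03T09:20:00",
     "responded": "2025-10-03T10:00:00", "resolved": "2025-10-04T15:00:00"},
    {"id": "INC-2", "detected": "2025-10-10T08:00:00", "triaged": None,
     "responded": "2025-10-10T09:00:00", "resolved": "2025-10-10T12:00:00"},
    {"id": "INC-3", "detected": "2025-10-12T14:00:00", "triaged": "2025-10-12T13:00:00",
     "responded": "2025-10-12T15:00:00", "resolved": None},
]

def check_trail(ticket):
    """Return (ok, issues, durations_in_minutes) for one ticket's evidence trail."""
    issues, durations = [], {}
    times = {s: datetime.fromisoformat(ticket[s]) if ticket.get(s) else None for s in STAGES}
    missing = [s for s in STAGES if times[s] is None]
    if missing:
        issues.append("missing " + ",".join(missing))
    prev_stage, prev = None, None
    for stage in STAGES:
        t = times[stage]
        if t is None:
            continue  # already reported as missing; keep checking the stages that exist
        if prev is not None:
            if t < prev:
                issues.append(f"{stage} before {prev_stage}")
            else:
                durations[f"{prev_stage}_to_{stage}"] = int((t - prev).total_seconds() // 60)
        prev_stage, prev = stage, t
    return (not issues, issues, durations)

def evidence_summary(tickets):
    """Split tickets into those with a complete trail and those with evidence gaps."""
    results = {t["id"]: check_trail(t) for t in tickets}
    return {"complete": [i for i, (ok, _, _) in results.items() if ok],
            "gaps": {i: issues for i, (ok, issues, _) in results.items() if not ok}}

if __name__ == "__main__":
    print(evidence_summary(TICKETS))
```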

What Automation Cannot Do

Clause 6: Planning — Risk Assessment and Treatment

ISO 27001 Clause 6.1.2 requires a formal risk assessment process that identifies threats and vulnerabilities, assesses their likelihood and impact, and produces a risk treatment plan. No automation tool can perform this assessment for you. The risk assessment requires human judgment about:

  • Which information assets are in scope for the ISMS (asset inventory and scoping is a human decision, even if the asset discovery tool finds the assets)
  • What business impact would result from confidentiality, integrity, or availability failures for each asset type
  • Which risks are acceptable without treatment and which require controls
  • How residual risk after controls are applied is evaluated against the organization's risk appetite

Automation can provide inputs to this process — vulnerability scan results, threat intelligence feeds, configuration assessment findings. But the judgment calls belong to the risk owners and the ISMS steering committee. ISO 27001 auditors explicitly evaluate whether the risk assessment process is owned and driven by management, not whether a tool produced a report.

Clause 9.3: Management Review

ISO 27001 requires formal management reviews of the ISMS — at minimum annually. These reviews must cover ISMS performance, risk treatment status, audit results, nonconformities, improvement opportunities, and resource adequacy. The review must produce documented outputs: decisions and actions. This is fundamentally a governance process that requires leadership participation and documented decision-making. Compliance automation can generate the inputs to this review (performance data, audit findings, control status reports), but the review itself requires human attendance and judgment.

Certification bodies pay close attention to whether management reviews are genuinely occurring or are paper exercises. Auditors may interview senior leadership to verify that they understand ISMS performance, know the current risk posture, and have made specific decisions about security investment. No tool answers those questions.

Supplier and Third-Party Controls

A.5.19 through A.5.22 cover information security in supplier relationships — from supplier selection criteria through contract requirements to ongoing supplier monitoring and supply chain security. These controls require negotiating contractual obligations with third parties, reviewing supplier security questionnaires and certifications, and making judgment calls about acceptable supplier risk. Automation can manage the questionnaire distribution workflow and track response completion, but the substantive evaluation of supplier security posture requires human review.

Physical Security Controls

ISO 27001:2022's 14 physical controls (Theme C) cover physical security of offices, data centers, equipment, and media. Physical access logs can be captured automatically from badge systems. CCTV coverage can be documented. But controls like A.7.4 (Physical security monitoring), A.7.9 (Security of assets off-premises), and A.7.10 (Storage media) require physical inspections, manual reviews, and documented human oversight that cannot be replaced by automated monitoring systems.

The Timeline Reality

Organizations pursuing ISO 27001 certification for the first time typically ask how long the process takes. The honest answer for a mid-sized technology company is 9-18 months from kickoff to initial certification, with significant variance based on existing security maturity.

The phases where automation accelerates the timeline:

  • Gap assessment (months 1-2): Automated tools can map your current security controls against all 93 Annex A controls and produce a gap analysis in days. Manual gap assessment takes weeks.
  • Control implementation (months 3-8): Technical controls that require continuous monitoring — vulnerability management, access control logging, change management records — can be implemented and evidenced much faster with automation than with manual processes.
  • Pre-audit evidence preparation (months 8-9): If evidence collection has been automated throughout implementation, the pre-audit evidence package generation takes hours rather than weeks.

The phases where automation does not accelerate the timeline:

  • Risk assessment and treatment planning — requires organizational consensus and documented decisions
  • Policy writing and approval — requires legal review, management sign-off, and employee acknowledgment
  • Internal audit program establishment — requires qualified internal auditors and documented audit procedures
  • Management review cycles — require leadership time that cannot be compressed

ISO 27001 automation is most valuable not in compressing the initial certification timeline — though it helps — but in making the ongoing surveillance audits (required annually) manageable without dedicating significant staff time to evidence preparation every year. That ongoing operational value is where the investment pays back.
