ISO 27001
ISO/IEC 27001:2022 specifies an Information Security Management System (ISMS). It's the international gold-standard certification for "we take security seriously and can prove it." For Italian SMBs, certification is increasingly demanded by enterprise customers and public-sector tenders.
ISO 27001 is process and management focused. Fenrir doesn't make you ISO-certified — your ISMS does. But Fenrir produces evidence for several Annex A controls.
Annex A controls Fenrir helps evidence
ISO 27001:2022 has 93 controls in Annex A. Fenrir touches roughly 20 of them. Here's the most relevant subset:
| Control | Title | Fenrir evidence |
|---|---|---|
| A.5.7 | Threat intelligence | threat_intel table + IOC enrichment |
| A.5.23 | Information security for cloud services | PII anonymizer logs for cloud LLM calls |
| A.5.24 | Incident management planning & preparation | Investigation pipeline + playbooks |
| A.5.25 | Assessment & decision on incidents | AnalystAgent verdict + DPO acknowledgment workflow |
| A.5.26 | Response to incidents | auto_actions_taken log + recommended_actions |
| A.5.27 | Learning from incidents | Persisted reports + dashboard trend analysis |
| A.6.7 | Remote working | auth_monitor evidence on SSH access patterns |
| A.7.10 | Storage media | baseline_new_setuid / usb_device_connected events |
| A.8.7 | Protection against malware | Honeypot + suspicious_request monitors |
| A.8.8 | Management of technical vulnerabilities | cve_monitor + investigation report |
| A.8.15 | Logging | Centralized event log = events table |
| A.8.16 | Monitoring activities | Continuous monitoring across 9 sources |
| A.8.20 | Network security | ufw_monitor + listening port baseline |
| A.8.21 | Security of network services | Same |
| A.8.23 | Web filtering | nginx + honeypot setup |
| A.8.28 | Secure coding | Out of scope — your SDLC |
Common ISO 27001 audit questions, and how Fenrir answers them
"Show me the last 30 days of security incidents and how they were handled."
Open the dashboard → AI Investigations tab. Filter date range. Each row links to the full report (verdict, timeline, actions, transcript). PDF export gives you a self-contained document.
"Demonstrate that authentication failures are monitored and acted upon."
SELECT * FROM events WHERE category='ssh_brute_force' OR category='failed_password'; — joined with banned_ips shows what was acted on. Compliance audit's GDPR-5.1.f evidence section also covers this.
"What's your process when a vulnerability is disclosed?"
cve_monitor runs every 6h. When a -security upgrade is pending, an investigation evaluates impact and produces recommended action. Audit trail in investigation_reports.summary.
"How do you ensure the integrity of your security event logs?"
Three answers, each true:
1. Logs are written by system processes (sshd, nginx, etc.); Fenrir only reads them.
2. The events table has a created_at timestamp set by the database, not by application code. Tampering with it would require a database compromise.
3. The auto_action and raw_llm_output fields preserve the AI investigation transcript verbatim — non-editable in the dashboard UI.
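As an added illustration (not Fenrir's own schema or code; the column names, the trigger and the sample rows are assumptions), this sqlite3 script runs the authentication-failure evidence join described above against constructed data, and checks that the database itself refuses to let application code rewrite created_at:

```python
import sqlite3

# Constructed, simplified schema (assumption, not Fenrir's real DDL).
# created_at is assigned by the database, and a trigger rejects rewrites.
SCHEMA = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    category TEXT NOT NULL,
    source_ip TEXT,
    created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE banned_ips (
    ip TEXT PRIMARY KEY,
    reason TEXT,
    banned_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER events_created_at_immutable
BEFORE UPDATE OF created_at ON events
BEGIN
    SELECT RAISE(ABORT, 'events.created_at is immutable');
END;
"""

# Auditor evidence: every auth failure, and whether the source was banned.
EVIDENCE_QUERY = """
SELECT e.category, e.source_ip, e.created_at,
       CASE WHEN b.ip IS NULL THEN 'not banned' ELSE 'banned' END AS outcome
FROM events e
LEFT JOIN banned_ips b ON b.ip = e.source_ip
WHERE e.category IN ('ssh_brute_force', 'failed_password')
ORDER BY e.created_at, e.id;
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows; created_at is omitted so the DB stamps it.
    conn.executemany("INSERT INTO events (category, source_ip) VALUES (?, ?)", [
        ("failed_password", "203.0.113.10"),
        ("ssh_brute_force", "203.0.113.10"),
        ("failed_password", "198.51.100.7"),
        ("nginx_404", "192.0.2.5"),          # unrelated noise, must be excluded
    ])
    conn.execute("INSERT INTO banned_ips (ip, reason) VALUES (?, ?)",
                 ("203.0.113.10", "ssh_brute_force"))
    conn.commit()
    return conn

def auth_failure_evidence(conn):
    """Rows of (category, source_ip, created_at, outcome) for the auditor."""
    return conn.execute(EVIDENCE_QUERY).fetchall()

def timestamp_is_immutable(conn):
    """True if the DB blocks application code from rewriting created_at."""
    try:
        conn.execute("UPDATE events SET created_at = '1970-01-01 00:00:00' WHERE id = 1")
        conn.rollback()
        return False
    except sqlite3.DatabaseError:
        return True
```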
"Show me your incident playbooks."
The Markdown files in p3guardian/ai/playbooks/. Open them — they ARE your runbooks. They're versioned in git. Show the auditor the GitHub history.
Where Fenrir is NOT enough for ISO 27001
A non-exhaustive list of what you still have to handle outside Fenrir:
- A.5.1 Information security policies — your written policies, not Fenrir's job
- A.5.2 Information security roles and responsibilities — org chart, RACI matrix
- A.5.4 Management responsibilities — board-level engagement
- A.5.6 Contact with special interest groups — your participation in CISA, ENISA, CERT-IT, etc.
- A.6 People controls — onboarding, screening, training, NDA, off-boarding
- A.7 Physical controls — datacenter access, clear desk policy, secure disposal
- A.8.1 User endpoint devices — laptops/phones — that's an MDM domain
- A.8.5 Secure authentication — MFA — your IAM stack
- A.8.9 Configuration management — Ansible/Puppet/Chef tracking
- A.8.13 Information backup — backup orchestration & restoration testing
- A.8.14 Redundancy of information processing facilities — HA, failover, DR site
Fenrir is a detection and investigation tool. ISO 27001 is a management system. Don't conflate the two when speaking with auditors — but do show how Fenrir gives you faster, cleaner evidence for the controls it does cover.
Realistic certification timeline
For a typical SMB starting from zero:
- Month 1-3: scope definition, gap analysis, policy writing
- Month 4-6: implement controls, including Fenrir + IAM + backup + training
- Month 7-9: internal audit, management review, corrective actions
- Month 10-12: Stage 1 audit (documentation review), Stage 2 audit (effectiveness review), certification
Fenrir reduces the implementation phase by giving you a turnkey detection/incident-response stack, but it doesn't accelerate the policy/governance work — that needs human attention from leadership and a real ISMS consultant if you don't have in-house expertise.