Security & Compliance Rethinking ISO 27001 from first principles.
ISO 27001 is 93 controls. The standard itself can be read carefully in an afternoon. So why does certification routinely take twelve to eighteen months, cost six figures, and produce a binder that nobody opens between annual surveillance audits? This series is about that question — and about what compliance looks like if you build it the other way round, from evidence backwards instead of policy documents forwards. Twelve chapters. One argument.
What's broken, and why the industry won't fix it.
The standard is 93 controls. Twelve to eighteen months and a six-figure invoice is not the standard's fault — it is the industry's business model. The opening argument: the compliance ecosystem has a structural incentive to sell preparation rather than protection, and until you see that, every other part of the puzzle stays out of focus. The series begins by naming what nobody quite says out loud.
Read chapter →
Auditors don't grade your documents. They test whether your processes produce repeatable, evidenced outcomes — at three levels of difficulty. Most organisations prepare for the first two and discover the third in the room. This chapter introduces the three-tier model of auditor questions and the only meaningful preparation: being able to answer the hard ones without going looking.
Read chapter →
Three transient test VMs dropped our device compliance score from 95% to 89%. They had no users, never touched production data, and existed for ninety minutes at a time. What they taught us about measurement: most compliance failures are not security failures, they're classification failures — and the denominator you measure against matters more than the rule itself.
Read chapter →What evidence, platforms, controls, and risk look like rebuilt from first principles.
What if an auditor walked in tomorrow, unannounced, and asked for endpoint compliance — right now? In most organisations, the answer is a two-week scramble. This chapter describes a different design: evidence collected continuously, sealed cryptographically at capture, queryable in under sixty seconds. Not a thought experiment — the architecture we built, what it cost to get right, and what continuous looks like in practice.
Read chapter →
I mapped all 93 Annex A controls to specific M365 telemetry endpoints and asked one question: what can we actually measure? Coverage was high, but nobody had drawn the line. This chapter shows the mapping, explains why it required two purpose-built agents instead of one monolithic system, and addresses the architectural separation that makes both halves auditable.
Read chapter →
A.8.1 reads: 'Information stored on, processed by or accessible via user endpoint devices shall be protected.' Twenty words. This chapter walks every step from those twenty words to operating evidence — seven concrete rules, the weighted scoring that turns rules into a control verdict, and the architectural pattern that scales the same exercise to the remaining 92 controls.
Read chapter →
Most risk registers are spreadsheets with fifty rows, vague descriptions, and scores set in a workshop eighteen months ago by people who haven't looked since. What changes when you build a structured, traceable risk system: 105 specific business-failure scenarios, each linked to inherent score, treatment, residual score, and the controls actually carrying the load. Specificity is the whole game.
Read chapter →What that architecture does when an auditor arrives, when something breaks, and when your competitor doesn't have it.
Six auditor questions I've been collecting that don't ask 'do you have this?' — they ask 'why did you choose this, and how do you know it's working?' Each one sounds reasonable. Each one exposes a gap no amount of documentation covers. A guided tour through those six questions and the design decisions they should be probing.
Read chapter →
An internal audit I sat through lasted forty-five minutes and produced a 'no nonconformities' verdict that nobody believed. This chapter is about what an internal audit looks like when it's designed to probe deeper than a checklist — structured conversations, qualifying questions, and the architectural choice to let the audit programme criticise its own design as part of the artefact.
Read chapter →
An auditor asks: 'How does your organisation ensure that risk assessments produce consistent, valid and comparable results?' You know the answer is in the methodology document. You can't assemble cited evidence in sixty seconds. This chapter describes the AI system that closes that gap — three specialised agents, structured citations, and the deliberate decision to let the system say 'I don't know'.
Read chapter →
Detection without response is not a control — it's a report. Most compliance systems detect and stop there. This chapter walks the closed loop: rule-level tickets, two-check automated closure, Clause 10.2 corrective-action handling, and the audit trail that comes free with the architecture. The remediation gap is where most compliance implementations quietly fail.
Read chapter →
Every chapter has been about one idea: compliance should be an outcome of how you run your technology, not a project bolted on top. Here the quiet part gets said out loud. Done genuinely — not theatre-genuinely — compliance is one of the strongest competitive advantages an MSP or regulated business can build. This chapter is about why, and about who can't catch up.
Read chapter →Publishing compliance without publishing your IP.
A regulator emails. They are conducting a thematic review and would like to see your ISO 27001 evidence — not the certificate, the evidence — in forty-eight hours. The Trust Centre is the public surface where all of the above becomes visible without giving away the engineering that makes it work. In development now; arriving late June 2026.
Same questions a real ISO 27001 auditor asks. Immediate gap analysis.
Start your audit preview