Training
Whether you're preparing for certification or just want your team to understand what they're part of, this is a grounding in the three certifiable management systems Compliance365 works in: the ISMS (information security), the AIMS (AI governance) and the PIMS (privacy) — what each is, why it matters, and what "good" looks like.
Suitable as staff-awareness material (ISO 27001 Clause 7.3) — each section ends with a short knowledge check.
The common backbone
A "management system" isn't paperwork — it's a way of running something on purpose so it keeps working. Every ISO management system shares one harmonised structure (called Annex SL) and one engine: Plan – Do – Check – Act.
You plan (understand your context, scope the system, assess risk, set objectives), do (implement controls and actions), check (scan, audit and measure whether it's working), and act (correct what fell short and improve). Then you go round again. This is why an organisation with a working ISMS already has most of what an AIMS or PIMS needs — the backbone is identical; only the subject changes.
Certification is an accredited third party confirming that engine genuinely turns — not that you own a binder of policies.
Plan-Do-Check-Act — the continual-improvement cycle under ISO 27001, 42001 and 27701 alike.
ISMS · ISO/IEC 27001
Protect the confidentiality, integrity and availability of information — systematically, and provably, not by luck.
An ISMS is the framework of policies, processes, roles and controls an organisation uses to manage information-security risk on purpose. ISO 27001 is the international standard you certify against. The point isn't a folder of policies — it's a living system that identifies risk, treats it, checks that the treatment worked, and improves. Certification is an accredited auditor confirming that system genuinely runs.
Risks trace to treatments trace to evidence. The SoA is current. Objectives are measured, not aspirational. Internal audits and management reviews happen on schedule and produce actions. Residual risks left after treatment carry documented owner acceptance. Nothing is assembled the night before the audit.
For every Annex A control: whether it applies to your organisation, its implementation status, and — crucially — a documented justification for any control you have excluded. It is the first document most auditors open.
Documented acceptance of that residual risk by its owner (or an appropriate authority) — who accepted it, when, and on what basis. Treating a risk does not always mean eliminating it; accepting the remainder is a legitimate decision, but it must be recorded.
ISO 27001 Clause 9.2 requires it independently. The internal audit is how the organisation checks its own ISMS between certification visits and feeds nonconformities into corrective action — it is evidence the system is self-correcting, not just audit-ready once a year.
AIMS · ISO/IEC 42001
Govern the development and use of AI so it is responsible, transparent and accountable — before a regulator or a customer asks you to prove it.
ISO 42001 (2023) is the first certifiable AI management-system standard. It extends the same management-system backbone to the specific risks AI introduces: bias, opacity, loss of human oversight, misuse, and unexpected impact on people. It doesn't ask you to stop using AI — it asks you to know what AI you run, assess its impact, keep a human meaningfully in control, and be able to explain it.
Every AI system in use is in the inventory (including the shadow ones). Each has an impact assessment proportionate to its risk tier. Human oversight is defined and real, not a checkbox. You can answer "what AI do you use, and how do you keep it safe?" without a scramble.
False. It is about governing AI use responsibly — knowing what you run, assessing its impact, keeping humans in control, and being accountable. It enables confident AI adoption, it does not prohibit it.
It weighs impact on individuals and society — fairness, transparency, autonomy, potential harm — not only impact on the business. A system can be low business-risk and high individual-risk at the same time.
Both follow ISO's Annex SL harmonised structure (scope, leadership, planning, support, operation, evaluation, improvement). That means an organisation with a working ISMS already has most of the machinery — 42001 adds the AI-specific content, not a whole new system.
PIMS · ISO/IEC 27701
Extend information security to the protection of personal information — and demonstrate you handle privacy the way regulators and customers now demand.
ISO 27701 is an extension of ISO 27001, not a standalone standard — you build a PIMS on top of a working ISMS. It adds privacy-specific requirements and controls for organisations acting as PII controllers (you decide why and how personal data is processed) and/or PII processors (you process it on someone else's behalf). It maps closely to GDPR and similar laws, so a PIMS is often how organisations operationalise their privacy obligations.
The ROPA is complete and current. Controller/processor roles are clear per activity. Data-subject requests have a defined, timed process. High-risk processing has a DPIA. Privacy is designed into new processes. And because it extends the ISMS, none of this is a parallel, duplicated system.
No. ISO 27701 is an extension of ISO 27001 — you need a working ISMS as the foundation, then add the PIMS requirements and privacy controls on top. They are audited together.
A Record of Processing Activities: what personal data you process, why, the legal basis, data flows and retention. It is the foundation artifact of a privacy programme — most other privacy obligations (rights handling, risk assessment, breach response) depend on knowing what you hold in the first place.
A PII processor. The client, who decides the purpose and means of processing, is the controller. Your obligations as a processor differ from a controller's — ISO 27701 requires you to be clear which hat you wear for each activity, and some activities may make you both.
From theory to running system
Everything above is the theory. Checkpoint is the console Compliance365 delivers it in — the risk register, the Statement of Applicability, the AI system inventory, the privacy records, the internal-audit and management-review cadence — all live in your own Microsoft 365 tenant.
We run tailored awareness and practitioner training on the ISMS, AIMS and PIMS as part of every engagement — grounded in your own scope, your own risks, and the console your team will actually use.
Hi! I’m the Compliance365 AI. I can help you work out which security or privacy framework you need, explain what’s involved, and answer questions about ISO 27001, SOC 2, Essential Eight, and more.
What can I help you with today?
Messages are sent to our AI assistant (Claude, by Anthropic) to generate a reply — not stored as part of your account and not used to train AI models.