When looking for tools to help you implement ISO 27001 or SOC 2, you will also come across so-called (compliance) automation platforms that promise to take up to 90% of the work off your hands by integrating with your (cloud) services.


In this article, I explain why this paints a somewhat too rosy picture. The post is an adaptation of an article by Maurice Pasman (Instant Management Systems), first published on January 14, 2025.

Integrations with cloud systems


Firstly, no platform can be integrated with “everything” straight away. Of course, there are the top 10 applications and the most commonly used cloud platforms such as AWS, Azure and Google Cloud. But your HR platform is obviously not one of them because it was developed specifically for the German, Austrian or Swiss market. And if you still operate some services on-premise, you can usually forget about integrating such things – it won’t work due to a lack of connectors.

Access with increased rights


An automation platform wants to connect to your systems in order to read as many parameters as possible and then assign them to the requirements from ISO 27001 or SOC 2.
To be able to read these parameters, the platform must of course be equipped with the appropriate rights. But how sure can you be about what happens behind the scenes – knowing that most platforms come from the USA?

Legal issues


Even if your automation platform is hosted in the EU, an American company is required by US law to provide access if requested by the authorities. For this reason, Microsoft and Google have had offices in Ireland for some time. This does not apply to most automation platforms.

Dashboard


As soon as the integrations are set up, you end up fixated on the dashboards, where as many traffic lights as possible should be green.


In fact, you are then reacting to the results of a vulnerability scan or a measurement against a specific baseline. That is perfectly fine in itself – the point is: it does not make a certifiable management system!
We have even met customers who had not carried out a risk analysis at all, but had already written guidelines – based solely on what the platform was able to read. Completely detached from the actual risk situation, i.e. supply-oriented rather than demand-oriented.

Without context


Quite apart from the fact that which information can be read and displayed at all depends on the integration with the compliance automation platform, information displayed without context does not say much.
Example: MFA is disabled in AWS. But where in ISO 27001 does it say that this is mandatory? That depends entirely on your own policy, which – if you proceed as intended – results from your own risk analysis and the selected risk treatment plan. And what do you actually do if your company policy requires a login with a PKI – and the platform cannot use it?

Not everything can be automated


And this brings us to another – perhaps the most important – point. Do not look blindly at the technical measures. ISO 27001 focuses on the existence and functioning of a management system, which is described in chapters 4 to 10 of the standard. None of this can be automated; these things simply have to be done.
Isn’t it also about monitoring and measuring control measures? Yes, Annex A.8 contains technological measures, some of which can actually be checked automatically. However, this does not apply to organizational measures (A.5), people-related measures (A.6) and physical security measures (A.7).

Is this different for SOC 2?


The common criteria of SOC 2 (CC1 to CC9) contain many elements that are similar to the management system of ISO 27001 and therefore cannot be automated either. However, a SOC 2 audit focuses much more on the existence and functioning of the measures taken than an ISO 27001 audit does. The auditor therefore wants to see much more evidence than in a management system audit. Ensuring that this evidence can be found in one place may therefore make SOC 2 audits more efficient.
And that’s exactly what Instant 27001 has been doing since 2018.

Start at the beginning


To find out for yourself whether automation makes sense, you first need to understand the basics. This means going through the steps of the management system (manually) and improving your own processes in the company where necessary. In doing so, you will come across things that can perhaps be controlled automatically.


However, this often does not require an automation platform; you can easily monitor many things yourself using existing tools (such as Pingdom, Intune or Purview). And don’t forget that Atlassian now also offers automation in Confluence and Jira, as does Microsoft with Power Automate. This allows you to collect the resulting notifications in one central place.

Conclusion


Automation can be useful once the ISMS has reached a certain level of maturity. If you start with an automation platform without experience, you will be guided by whatever data the available integrations happen to expose and run the risk of overlooking things. This may give you and your customers a false sense of security.


By the way, did you know that you can ideally use Instant 27001 together with a compliance automation platform? Visit https://instant27001.com/faq/instant-27001-co-pilot/!
