How to get started with ISO 27001 compliance management with SAMMY


The ISO27001 module in SAMMY covers the controls outlined in ISO27001:2022 annex A. These are all the things you need to cover to demonstrate compliance with ISO27001. You can use SAMMY in preparation of a 27001 certification or as a continuous management tool beyond certification.

The ISO27000 family

The 27001 standard is part of the 27000 family which is established by the International Organization for Standardization (ISO) and covers information security management.

Find out more about the ISO27000 family here.

What is included in the ISO27001 controls?

The controls are divided into four sections:

  • Organization
  • People
  • Physical
  • Technological

Where to find ISO27001 management in SAMMY?

The default model in SAMM is OWASP SAMM. In order to start an ISO27001 management instance you must login and go to scopes, where you create a DRP scope. Then you can enter this scope to enter ISO27001 management mode.

ISO27001 management

Fill out an ISO27001 assessment

The workflow starts with the filling out of the different controls. You can choose whether everything should be filled out by the same person, or whether different parts of the assessment are the responsibilities of different team members. 

Validate a DRP assessment

Validation is done on a control level. When done internally it is typically done by the person that is leading the overall assessment. He or she reviews the answers and the evidence presented, should he not be satisfied the activity returns to the assessment step with his comments. If the assessor approves, the control moves to the improvement track. In some cases the validator may be an external expert. 

Implement security roadmaps

When a score on a control is validated the question arises: “Is this good enough”. If it is: great, then the activity is closed. If it is not good enough an improvement process is initiated, a new target score is set together with a target date. The process is assigned to a team member. At the end of the improvement process the stream returns to assessment to evaluate its situation.   

Clear visualization of score

In SAMMY you have a quick overview of scores in the left navigation menu, and there are more detailed scores in the reporting tab on top, these include:

  • Overview of score per business function.
  • Scores per practice.
  • Scores per business function
  • Comparison between scopes
  • Historic growth per business function

Here you can also visualize the improvement roadmap and show the improvement targets. 

ISO27001 report from SAMMY

Automated reports

Sammy can automatically create a report which includes an overview of the state of the controls and the roadmaps for improvement. These reports can facilitate ISO27001 certification. 

Setting target postures

You may choose different thresholds than the ones outlined by ISO. What your ambitions should be depends on many factors of your business, its context and the risk profile of your products. The best way to manage such goals is to set target postures that are tailored to your context. In SAMMY you can easily create such target postures. The target compliance level is then shown along the process to the different teams in the different scopes. The goal then becomes the elimination of the gap between the target compliance and current compliance.

User, role and team management.

SAMMY is a collaborative tool. Tasks and responsibilities can be assigned on a team and an individual level. There is always clear ownership of any task. And individuals always have a clear overview of what they are expected to do.  

Jira integration

As different tasks are assigned to different team members SAMMY is integrated with JIRA in order to automatically feed into their existing task management flow. Soon a similar integration will exist for Microsoft Teams.

If you don’t use JIRA or Teams and would like us to integrate with another tool, or if you have any other suggestions please reach out to us. The roadmap of this tool is community driven.    

Send us feedback