This repository contains an audit-grade ISO/IEC 27001 Information Security Management System (ISMS) portfolio built for a fictional B2B SaaS company (“CloudFin Analytics”).
It is designed to demonstrate GRC / ISMS / Internal Audit capability through end-to-end traceability and verifiable evidence (EV-001 → EV-015).
This repo is structured like a real assurance engagement and supports full traceability:
Risk → Control (SoA) → Evidence → Internal Audit → CAPA → Follow-up Verification
You can review artifacts, evidence, and audit outputs exactly as an auditor or hiring manager would.
- ISO 27001 ISMS implementation: scope, policy, risk methodology, objectives, documented information control
- Risk-based control selection: risk register → SoA applicability/justification → implementation status
- Internal audit execution: audit program/plan, checklist, evidence log, findings report
- Corrective action lifecycle: CAPA procedure, tracker, closure evidence, and verification
- Operational readiness documentation: incident response plan & tabletop, backup/restore testing, supplier assessment, vulnerability workflow, access review, awareness training
- Evidence discipline: every implemented item maps to an evidence ID (EV-###)
If you’re short on time, open in this order:
1. `RECRUITER-ONE-PAGER.md`: fast summary (what was built + what it proves)
2. `CASE-STUDY.md`: baseline audit → findings → CAPA → follow-up verification
3. `PORTFOLIO-MAP.md`: ISO clauses → exact artifacts + evidence references
4. `04_Evidence/EV-INDEX_Evidence_Index_v0.1_2026-02-07.csv`: master evidence list (EV-001..EV-015)
5. `03_Audit_Pack/AUD-005_Audit_Report_Findings_v0.1_2026-02-07.md`: audit report & findings
6. `03_Audit_Pack/AUD-008_Followup_Audit_Report_v0.1_2026-02-07.md`: follow-up verification (closure proof)
7. `02_Registers/ISMS-005_SoA_v0.1_2026-02-07.csv`: Statement of Applicability (controls ↔ evidence)