⚠️ SAMPLE ARTIFACT FOR DEMONSTRATION PURPOSES ONLY
This is not an actual ISO 27001 evidence package. Real artifacts are generated from your organization's actual controls and evidence.
ISO/IEC 27001:2022
Information Security Management System
Evidence Package
TechCorp AI SaaS Platform
Assessment Period: January 1, 2026 - March 31, 2026
Generated by HAIEC Compliance Engine
Package ID: ISO27001-TCAS-2026Q1-001
Generated: February 16, 2026
1. Executive Summary
This evidence package documents TechCorp AI SaaS Platform's implementation of ISO/IEC 27001:2022 controls for the period January 1, 2026 through March 31, 2026. The assessment covers all applicable controls from Annex A, with particular focus on AI-specific security considerations.
| Metric | Value |
| --- | --- |
| Total Controls Assessed | 93 |
| Controls Implemented | 89 (96%) |
| Controls Partially Implemented | 4 (4%) |
| Controls Not Applicable | 0 |
| Overall Compliance Score | 96% |
2. Scope of ISMS
Organization: TechCorp AI SaaS Inc.
Scope Statement: Information security management for the TechCorp AI SaaS platform, including AI model training infrastructure, customer data processing, and API services hosted on AWS US-East-1.
Exclusions: Physical security of third-party data centers (managed by AWS), legacy on-premise systems scheduled for decommissioning.
3. Control Implementation Evidence
3.1 Organizational Controls (A.5)
A.5.1 - Policies for Information Security
Status: IMPLEMENTED
Evidence:
- Information Security Policy v3.2 (approved by Board, January 15, 2026)
- AI-Specific Security Addendum v1.1 (covers model security, data poisoning prevention)
- Policy review meeting minutes (Q1 2026 ISMS Review)
- Employee acknowledgment records (100% completion)
HAIEC Verification: Policy documents retrieved from document management system, SHA-256 hashes verified, approval signatures validated.
A.5.7 - Threat Intelligence
Status: IMPLEMENTED
Evidence:
- Subscription to MITRE ATT&CK for ML (active)
- Monthly threat intelligence briefings (Q1 2026: 3 briefings conducted)
- AI-specific threat feeds integrated into SIEM
- Prompt injection attack signatures updated weekly
HAIEC Verification: Threat feed integration confirmed via API logs, briefing attendance records verified.
3.2 People Controls (A.6)
A.6.1 - Screening
Status: IMPLEMENTED
Evidence:
- Background check policy requiring verification for all employees with access to production systems
- 100% completion rate for new hires in Q1 2026 (12 employees)
- Third-party verification service contract (Sterling Talent Solutions)
3.3 Physical Controls (A.7)
A.7.4 - Physical Security Monitoring
Status: IMPLEMENTED (via AWS)
Evidence:
- AWS SOC 2 Type II Report (covers physical security of data centers)
- Office access logs for TechCorp HQ (badge system, 24/7 monitoring)
- Visitor log for Q1 2026 (all visitors escorted)
3.4 Technological Controls (A.8)
A.8.2 - Privileged Access Rights
Status: IMPLEMENTED
Evidence:
- Privileged access management via Okta (MFA enforced)
- Quarterly access reviews (Q1 2026: 3 accounts removed, 2 downgraded)
- Production database access requires approval + session recording
- AI model training access restricted to ML Engineering team (8 users)
HAIEC Verification: Access logs analyzed, MFA enforcement confirmed, session recordings sampled.
A.8.16 - Monitoring Activities
Status: IMPLEMENTED
Evidence:
- SIEM deployment (Splunk) with AI-specific detection rules
- Monitoring coverage: API requests, model inference calls, data access, authentication events
- Q1 2026 security alerts: 1,247 total, 12 escalated, 0 confirmed incidents
- Prompt injection detection: 34 attempts blocked
3.5 AI-Specific Controls (Custom Addendum)
AI.1 - Model Integrity Protection
Status: IMPLEMENTED
Evidence:
- Model versioning and SHA-256 checksums for all production models
- Immutable model registry (MLflow with S3 backend, versioning enabled)
- Model deployment requires code review + security scan
- Q1 2026: 8 model deployments, all with verified checksums
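The AI.1 evidence above rests on one mechanical step: at deploy time the artifact's SHA-256 is compared with the digest recorded when the model entered the immutable registry. The following is an added illustration, not HAIEC's or TechCorp's code; the model names, artifact bytes and in-memory manifest are constructed stand-ins for the MLflow/S3 registry, and it shows the two refusals an auditor would expect to see logged (unregistered model, checksum mismatch) beside the verified case.

```python
"""Deploy-time model integrity gate: an artifact is promoted only if its
SHA-256 matches the digest recorded in the immutable registry."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample artifacts standing in for serialized model files.
SAMPLE_ARTIFACTS = {
    "fraud-scorer:v7": b"\x89MODEL v7 weights (constructed sample bytes)",
    "intent-classifier:v3": b"\x89MODEL v3 weights (constructed sample bytes)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Registration step: digests are recorded once, when the pristine artifact enters
# the registry (an in-memory dict here; constructed stand-in for MLflow on S3).
REGISTRY_MANIFEST = {name: sha256_hex(blob) for name, blob in SAMPLE_ARTIFACTS.items()}


@dataclass(frozen=True)
class GateResult:
    model: str
    allowed: bool
    reason: str


def integrity_gate(model: str, artifact: bytes, manifest: dict) -> GateResult:
    """Decide whether `artifact` may be deployed as `model`.
    Refuses unregistered models and artifacts whose digest differs from the
    registered one; otherwise returns a verified result for the evidence log."""
    expected = manifest.get(model)
    if expected is None:
        return GateResult(model, False, "model not present in immutable registry")
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(actual, expected):
        return GateResult(model, False, f"checksum mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return GateResult(model, True, "checksum verified against registry")


def evidence_summary(results: list) -> dict:
    """Roll up gate decisions into the figures an evidence package reports."""
    verified = sum(1 for r in results if r.allowed)
    return {"deployments": len(results), "verified": verified, "refused": len(results) - verified}
```

The `evidence_summary` output is the kind of figure a line such as "8 model deployments, all with verified checksums" should be traceable to, together with the per-deployment `GateResult` records.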
AI.2 - Training Data Security
Status: IMPLEMENTED
Evidence:
- Training data stored in encrypted S3 buckets (AES-256)
- Data lineage tracking for all training datasets
- PII detection and masking applied before training (100% coverage)
- Data poisoning detection: statistical anomaly monitoring on training inputs
4. Gaps and Remediation
| Control | Gap | Remediation Plan | Target Date |
| --- | --- | --- | --- |
| A.8.28 - Secure Coding | AI-specific secure coding guidelines not yet formalized | Develop AI secure coding standard covering prompt injection, model inversion, data leakage | April 30, 2026 |
| A.8.31 - Separation of Environments | Shared model training infrastructure between dev and staging | Provision dedicated training environment for staging | May 15, 2026 |
5. Cryptographic Verification
Evidence Package Hash (SHA-256):
a7f3c9e2b8d4f1a6c5e8b2d9f4a7c3e6b8d1f4a7c9e2b5d8f1a4c7e9b2d5f8a1
Signed By: HAIEC Compliance Engine v2.1.0
Signature Timestamp: 2026-02-16T17:30:00Z
Verification URL: https://haiec.com/verify/ISO27001-TCAS-2026Q1-001