Action in the taxi: Check out this awesome landing page!

ISO 27001

AI as an accelerator or a replacement for your ISO 27001 compliance?

GRC
Claude
MCP
Tidal Control

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

A persistent rumor circulates: give AI enough access, and it will handle your compliance. That's not true. But ignoring AI entirely is just as unwise. In this article, we'll show what AI *can* do and how it works in practice at Triagen.ai and with our own consultants.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

This article was last updated on
01.07.2026
Written by
Twan
Haesen
Information Security Consultant

What AI can and cannot take over

Compliance is about responsibility: demonstrably showing that you manage risks and that the choices you make align with your organization. An AI model cannot bear that responsibility. It recognizes patterns, reads documents, and executes commands, but it does not assess whether a measure is appropriate for your specific situation, your risk profile, or your processes.

 

At the same time, every compliance process involves a large amount of work that is time-consuming but requires little substantive judgment. Comparing a policy document with a configuration. Creating tasks based on audit findings. Summarizing the status of outstanding risks. This is precisely what AI excels at. The substantive decision remains yours, but the execution of the work becomes much faster.

What AI enables through the Model Context Protocol

The Model Context Protocol (MCP) is an open standard that allows AI assistants like Claude or ChatGPT to connect with a platform such as that of our partner Tidal Control. You link your AI tool to your environment and give commands in plain language. The assistant searches your compliance data, creates tasks, links risks and controls, or summarizes the status of your ISMS.

 

Your existing permissions simply remain in effect. If you only have read access in the portal, the assistant can only read. The connection runs under your identity after you have logged in once. Thus, the AI never gets more access than you yourself have.

 

What can you specifically do with it? Ask questions like "which critical risks have no controls linked?" or "show all suppliers with an expired assessment." Perform bulk actions such as adding multiple assets or controls in a single prompt. Have policy documents searched for content. Or simply: "what's planned for me next week?" — without having to spell out names or dates.

 

How Triagen.ai works with it daily

Triagen.ai builds AI-driven triage and intake software for occupational health services and company doctors. They work with health data, so in addition to ISO 27001, NEN 7510 also applies. It's a small, fast team working towards certification with Tidal Control and Fendix. Every minute saved counts.

 

Stefan Samba, co-founder and CTO, uses the MCP connection directly from his code editor. Triagen works with a so-called monorepo: all source code for the platform (from infrastructure to frontend) is stored in one central repository. This makes it easier to compare policy and technical reality.

 

Previously, that meant looking up the policy document in Tidal, reading the relevant passage, checking the code to see its technical implementation, and manually writing down the result, screen by screen. Now, Stefan gives a single command: "compare this encryption policy with our infrastructure." The assistant reads the policy template, searches the code for encryption settings, finds, for example, TLS 1.3 there, and adjusts the policy accordingly. Stefan verifies its accuracy. The search time goes from minutes to seconds.

 

"Before, you'd grab the policy in Tidal, read it, adjust it, copy it, paste it, moving from one screen to another. Now I just say: compare this policy with our infrastructure, and the MCP automatically adjusts it for me. That works incredibly well."

Process ad-hoc thoughts directly, no detour via the backlog

Anyone who builds all day constantly gets small compliance to-dos: this asset still needs to be added, that vendor isn't listed yet. Previously, such a task would first disappear into Jira and then somewhere on the backlog. Now Stefan opens a session in his AI tool and prompts: "add this vendor and this asset to Tidal Control." Ten seconds, no administrative detour.

"The difference between compliance being kept up-to-date or not lies precisely in these kinds of small frictions," says Stefan.

How it enables the consultant to work more efficiently

The benefits aren't limited to the client. Fendix guides a growing number of organizations through ISO 27001 implementations and incorporates the MCP methodology. For a consultant who advises multiple clients simultaneously, it's a huge advantage to be able to ask targeted questions instead of manually navigating through environments.

 

Take evidence collection, normally the most time-consuming task. Instead of manually gathering files for a quarterly review, a prompt like this suffices: "collect all incidents from Q2 and summarize the outstanding action items for management." Or for an internal audit: "create tasks for all non-conformities from the last audit and assign them to the appropriate system owners." The assistant handles the collation and aggregation, the consultant verifies its accuracy.

 

The same applies to adapting policies to a client's specific situation. A query like "rewrite this password policy to align with the current Entra ID configuration" provides a usable first draft that the consultant can then refine, instead of writing from scratch. This shifts time from administrative tasks to the work you hire a consultant for: advice and guidance.

Securely using AI in your compliance environment

An AI assistant in your compliance environment requires conscious choices, but the principles are not new. The most important safeguard is already built into the technology: through MCP, your existing rights apply, so an assistant can never do more than you are authorized to do yourself. A read-only user remains a read-only user.

 

Additionally, you have control over several settings yourself. Grant your AI tool only the necessary access. Check with your provider whether your data is used to train models and consciously disable that setting if you don't want it to be. Also, be aware that with a non-local assistant, data goes to the provider — weigh what level of sensitivity you allow in that. The same principles of access control and data protection that you already apply elsewhere also apply here.

Embrace AI, don't outsource it

Triagen.ai and Fendix demonstrate where AI in Tidal excels. Not as a replacement for the judgment compliance requires, but as an accelerator for the work surrounding it. Minor daily inefficiencies are eliminated. Gathering evidence is faster. Aligning policies with technical realities requires fewer steps.

 

You remain in control. AI handles the execution. That's a more realistic promise than full automation, and one that holds up in practice.

 

Curious how you can apply this yourself? Feel free to contact us.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

How many people participate?

Request now

Thanks!
Oops! The form could not be submitted. Please try again.

More resources

Information Security

NIS2 Executive training

thru
Wouter
Training
News

Good news: Fendix is now allowed to perform NIS2 Supply Chain audits!

thru
Kilian
Blog
Partners

New collaboration due to NIS2: Fendix x Together Digitally Safe

thru
Gijs
Blog