Skill Being Reviewed
Skill name: iso27001-gap
Skill path: skills/compliance/iso27001-gap/
False Positive Analysis
Scenario: Clause 6.1.2 (Risk Assessment) repeatability.
Observation: The skill flags the absence of a "Quantified Risk Score" as a Nonconformity.
Why this is a false positive: ISO 27001:2022 does not require quantitative risk assessment. Clause 6.1.2 requires a process that establishes risk acceptance criteria and criteria for performing assessments, and that produces consistent, valid and comparable results when repeated; a qualitative High/Medium/Low scale meets this as long as each level has documented criteria and the scale is applied consistently.
Recommendation: The skill should accept qualitative methodologies and raise a finding only when the level definitions or the risk acceptance criteria are missing or undocumented.
Coverage Gaps
1. Missing 2024 Climate Change Amendment:
In early 2024, ISO/IEC 27001:2022 was formally amended (Amendment 1). Clause 4.1 now requires the organization to determine whether climate change is a relevant issue, and Clause 4.2 adds a note that relevant interested parties can have requirements related to climate change. The determination under 4.1 may legitimately be "not relevant", but it must be made and evidenced. The current skill (v1.0.0) checks for neither, so it cannot detect this mandatory update.
2. 2026 Supply-Chain Wiper Resilience (A.5.30):
Following the 2026 state-sponsored wiper attacks (e.g., Stryker), "ICT Readiness for Business Continuity" (A.5.30) must now explicitly require evidence of offline or immutable backups. If an organization only has cloud-replicated backups in the same tenant, reachable with the same credentials as production, a wiper can destroy them alongside production. The skill should treat "Standard Cloud Backup" as a Partial Gap for A.5.30 and look for object-lock/WORM or air-gapped copies together with evidence of a tested restore. Note that the backup copies themselves are the subject of A.8.13 (Information backup); A.5.30 is where the skill should verify that the continuity plan actually relies on copies that would survive such an attack.
3. AI Asset Inventory (A.5.9):
Modern ISMS scope now includes "Shadow AI" (employees using unapproved LLMs). The asset inventory check (A.5.9) should specifically look for a "Generative AI Usage Policy" and an inventory of AI-integrated SaaS tools. Those tools also fall under A.5.23 (Information security for use of cloud services), so an AI-integrated SaaS that is absent from the inventory is a gap against both controls.
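The Clause 6.1.2 false-positive fix and the three coverage-gap checks above can be expressed as a small rule set. The block below is an added example written for this review, not code from the iso27001-gap skill; the evidence field names (risk_assessment, context, backups, policies, assets), the Finding statuses and the sample record are all assumptions about how such a skill might represent gathered evidence.

```python
"""Added example for this review, not the iso27001-gap skill's own code.
Encodes the Clause 6.1.2 false-positive fix and the three coverage-gap
checks as rules over an ISMS evidence record. All field names are assumed."""
from dataclasses import dataclass


@dataclass
class Finding:
    ref: str
    status: str    # "OK", "Partial Gap" or "Nonconformity"
    priority: int  # 0 = no action, 1 = highest
    note: str


def check_risk_method(ev: dict) -> Finding:
    """Clause 6.1.2: qualitative scales are compliant when every level has
    documented criteria and risk acceptance criteria exist. A quantitative
    score is not required, so its absence is never a finding here."""
    ra = ev.get("risk_assessment", {})
    levels = ra.get("levels", [])
    criteria = ra.get("level_criteria", {})
    undefined = [lvl for lvl in levels if not criteria.get(lvl)]
    if not levels or undefined:
        return Finding("6.1.2", "Nonconformity", 1,
                       f"risk levels without documented criteria: {undefined or 'no levels defined'}")
    if not ra.get("acceptance_criteria"):
        return Finding("6.1.2", "Nonconformity", 1, "no risk acceptance criteria documented")
    return Finding("6.1.2", "OK", 0,
                   f"{ra.get('method', 'unspecified')} method with documented criteria")


def check_climate_context(ev: dict) -> Finding:
    """Clause 4.1 (Amd 1:2024): the organization must have determined whether
    climate change is relevant. 'No' is acceptable; silence is not."""
    ctx = ev.get("context", {})
    if "climate_change_relevant" not in ctx:
        return Finding("4.1", "Nonconformity", 2, "climate change relevance not determined")
    return Finding("4.1", "OK", 0,
                   f"climate change relevance recorded as {ctx['climate_change_relevant']}")


def check_backup_resilience(ev: dict) -> Finding:
    """A.5.30 (with A.8.13): replicated-only copies share production's blast
    radius, so require at least one offline or immutable copy with a tested
    restore before rating ICT readiness as implemented."""
    copies = ev.get("backups", [])
    if not copies:
        return Finding("A.5.30", "Nonconformity", 1, "no backups evidenced")
    resilient = [c for c in copies if c.get("immutable") or c.get("offline")]
    if not resilient:
        return Finding("A.5.30", "Partial Gap", 1,
                       "only replicated copies; deletable with production credentials")
    if not any(c.get("restore_tested") for c in resilient):
        return Finding("A.5.30", "Partial Gap", 2,
                       "offline/immutable copy exists but restore is untested")
    return Finding("A.5.30", "OK", 0,
                   f"{len(resilient)} resilient copy/copies with tested restore")


def check_ai_inventory(ev: dict) -> Finding:
    """A.5.9: the inventory must cover AI-integrated SaaS and a generative AI
    usage policy must exist, otherwise shadow AI sits outside the ISMS."""
    ai_assets = [a for a in ev.get("assets", []) if a.get("ai_integrated")]
    missing = []
    if "generative-ai-usage" not in ev.get("policies", []):
        missing.append("Generative AI usage policy")
    if not ai_assets:
        missing.append("inventory of AI-integrated SaaS")
    if missing:
        return Finding("A.5.9", "Partial Gap", 2, "; ".join(missing))
    return Finding("A.5.9", "OK", 0, f"{len(ai_assets)} AI-integrated asset(s) inventoried")


def run_gap(ev: dict) -> list:
    """Run every rule; ordering mirrors the review's sections."""
    return [check_risk_method(ev), check_climate_context(ev),
            check_backup_resilience(ev), check_ai_inventory(ev)]


# Constructed evidence record (not from any real organization).
SAMPLE_EVIDENCE = {
    "risk_assessment": {
        "method": "qualitative",
        "levels": ["Low", "Medium", "High"],
        "level_criteria": {
            "Low": "no customer or regulatory impact, recoverable within a day",
            "Medium": "single-customer impact or minor regulatory exposure",
            "High": "multi-customer impact, breach notification likely",
        },
        "acceptance_criteria": "Low is accepted; Medium and High require treatment",
    },
    "context": {},  # climate change relevance never considered
    "backups": [{"type": "same-tenant cloud replica", "immutable": False,
                 "offline": False, "restore_tested": True}],
    "policies": ["acceptable-use"],
    "assets": [{"name": "CRM", "ai_integrated": True}],
}

if __name__ == "__main__":
    for f in run_gap(SAMPLE_EVIDENCE):
        print(f"{f.ref:<7} {f.status:<14} P{f.priority} {f.note}")
```

For the constructed record the rules return four findings: 6.1.2 passes because the qualitative scale has documented level and acceptance criteria, 4.1 is a nonconformity because climate relevance was never determined, A.5.30 is a Partial Gap because the only copy is a same-tenant replica, and A.5.9 is a Partial Gap for the missing generative AI policy. Swapping the replica for an immutable copy with a tested restore moves A.5.30 to OK, which is the distinction the current skill does not make.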
Remediation Quality
Issues found: The remediation roadmap is good but omits the ISO 27001:2013-to-2022 transition logic. For organizations moving from the 2013 edition, the skill should highlight the 11 controls that are entirely new in the 2022 Annex A (A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, A.8.28 Secure coding) as "Gap Priority 1", since none of them can be carried over from a 2013 Statement of Applicability.
Comparison to Other Tools
| Tool | Catches this? | Notes |
|---|---|---|
| StandardFusion | Yes | Strong on GRC and SoA automation. |
| Vanta | Yes | Good for automated evidence, but often misses Clause 4 context. |
| ISMS.online | Yes | Purpose-built for ISO 27001; usually includes the latest amendments. |
Overall Assessment
A very structured and technically accurate skill. The inclusion of Annex A maturity scoring (0-5) is a high-value addition that most simple scanners miss. To be "Gold Standard" for 2026, it must incorporate the Climate Change amendment and the lessons learned from recent supply-chain destructive attacks.
Bounty Info