Live · AI copilot for ISO 27001 & SOC 2

Trust & compliance,
on autopilot.

From AWS finding to audit-ready evidence in minutes. One surface. Zero spreadsheets.

Book a demo See it live

Read-only AWS EU & US residency 15-minute setup

●app.isops.ai/overview

Scanning · 127/142

isops.ai

Overview

Findings 12

Compliance

Infrastructure

Evidence

Remediation

Reports

Overview

A Posture · 87

New scan

Compliance

86%

Compliance score
98/114 controls passing across ISO 27001 & SOC 2.

Active findings

−8 this week

Active findings
1 critical · 4 high · 7 medium. Down from 20 last week.

Evidence

214

+36 auto

Evidence artifacts
214 time-stamped items. 36 auto-attached this week.

Controls

93 / 114

ISO 27001 A

Controls passing
93/114 ISO 27001 Annex A. 21 in progress, 0 failing.

Top findings

View all →

Critical S3 bucket publicly readable (prod-artifacts) aws/s3

ISO 27001 A.8.3SOC 2 CC6.1
Fix: block public ACLs + enable bucket owner enforced. Draft fix →

High IAM access keys older than 90 days aws/iam

ISO 27001 A.9.2.5SOC 2 CC6.2
Fix: rotate 3 keys, notify owners, attach evidence. Auto-rotate →

High Security group allows 0.0.0.0/0 on port 22 aws/ec2

ISO 27001 A.13.1CIS 5.2
Fix: restrict inbound 22 to bastion CIDR / SSM only. Draft fix →

Medium RDS without automated backups aws/rds

ISO 27001 A.12.3SOC 2 A1.2
Fix: enable automated backups, 7-day retention min. Draft fix →

Medium CloudTrail log file validation disabled aws/cloudtrail

ISO 27001 A.12.4SOC 2 CC7.2
Fix: enable log-file integrity validation on trail. Draft fix →

Posture

87 Grade A

IAM 92 Data 88 Net 72

All · 12 Critical · 1 High · 4 Medium · 7 Open SLA ≤ 7d

CriticalS3 bucket publicly readable prod-artifacts2h agoaws/s3

HighIAM access keys older than 90 days 3 users1d agoaws/iam

HighSecurity group allows 0.0.0.0/0 on port 221d agoaws/ec2

HighCloudFront distribution without WAF2d agoaws/cf

HighKMS key without automatic rotation3d agoaws/kms

MediumRDS without automated backups3d agoaws/rds

MediumCloudTrail log file validation disabled4d agoaws/cloudtrail

MediumEBS volume unencrypted 2 volumes5d agoaws/ebs

On track

ISO 27001 : 2022

Annex A · 93 / 114 controls

Stage 2 audit · Jun 2026

On track

SOC 2 · Type II

Trust Services · 58 / 64 criteria

Observation window · Apr→Oct

In progress

PCI-DSS v4.0

73 / 108 requirements

Self-attestation · Q3 2026

On track

GDPR

Controller duties · 42 / 45

DPIA reviewed · Mar 2026

Planning

NIS2

Essential entity · mapping

Transposition · Oct 2026

Maintained

CIS AWS Foundations 2.0

Benchmarks · 52 / 58

Auto-scanned daily

prod · 641 resources staging · 284 sandbox · 112 eu-west-1 us-east-1

IAM

324 users

42 buckets

EC2

87 instances

RDS

12 databases

Lambda

156 functions

VPCs

8 networks

CloudTrail

3 trails

CloudWatch

94 alarms

KMS

21 keys

All · 214 Auto-captured · 186 Manual · 28 Last 30d

Apr 17 · 09:22screenshotS3 bucket policy reviewed — bucket-owner-enforced enabled. auto · ISO 27001 A.8.3

Apr 17 · 08:41jsonIAM rotation log — 3 keys rotated, 0 failures. auto · ISO 27001 A.9.2.5

Apr 16 · 17:03pdfSOC 2 access-review Q2 signed by security-lead. · SOC 2 CC6.3

Apr 16 · 14:12apiCloudTrail integrity validation on 3 trails. auto · ISO 27001 A.12.4

Apr 15 · 22:00jsonBackup verification — RDS prod-db restored to staging. · ISO 27001 A.12.3

Apr 15 · 11:48screenshotMFA enforcement on root account verified. auto · CIS 1.5

Apr 14 · 16:20pdfPen-test attestation Q1 2026 — no criticals. · SOC 2 CC4.1

Block public access on S3 bucket prod-artifacts

Auto-drafted Terraform. Disables ACL, enables BlockPublicPolicy. Low-risk.

Draft

ISO 27001 A.8.3SOC 2 CC6.1· copilot → platform-eng

Rotate 3 IAM access keys > 90d

Runbook: create new key, update secrets manager, revoke old, notify owner.

Review

ISO 27001 A.9.2.5SOC 2 CC6.2· assignee: sec-ops

Restrict SG web-prod port 22 to bastion CIDR

Proposed CIDR: 10.0.64.0/20. Blast-radius: 0 running sessions.

Draft

ISO 27001 A.13.1CIS 5.2· copilot → networking

Enable CloudTrail log-file validation

Single API call. Idempotent. Evidence auto-captured on apply.

Merged

ISO 27001 A.12.4SOC 2 CC7.2· copilot → security

All packs Audit-ready Draft Stakeholder

ISO 27001 : 2022 — Stage 2 pack

142 controls · 214 evidence items · generated Apr 12

Download

SOC 2 Type II — observation Apr→Oct

64 TSCs · 186 auto-captures · continuous

Download

Buyer security questionnaire kit

SIG-Lite · CAIQ v4 · VSA — pre-filled

Download

Board security review — Q1 2026

14 slides · risk register · posture trend

Download

90-day remediation log

47 findings resolved · 12 open · avg 3.2d TTR

Download

The stack you already trust

AWS ISO 27001 SOC 2 PCI-DSS GDPR NIS2

FAQ

Questions, answered.

How long does setup take?

About 15 minutes. You deploy a read-only IAM role via CloudFormation, paste the ARN, and we start scanning. No agents. No writes.

What AWS permissions do you need?

Read-only. Specifically: SecurityAudit plus a few scoped Describe* and List* calls. Full policy is in our security docs.

Where is my data stored?

EU (Frankfurt) or US (us-east-1) — you pick at onboarding. Encrypted at rest (AES-256) and in transit (TLS 1.3).

Can you replace my existing GRC tool?

For AWS workloads — yes. Posture, evidence, and audit packs are first-class. For manual controls (policies, training), we integrate or you keep your existing system.

How does pricing work?

Flat annual fee. No per-seat charges. Scales with AWS account count. Book a demo for a quote.

Trust & compliance,
on autopilot.

ISO 27001 : 2022

SOC 2 · Type II

PCI-DSS v4.0

GDPR

NIS2

CIS AWS Foundations 2.0

One surface. Continuous trust.

See your posture

Fix with AI

Prove it to auditors

Three steps to audit-ready.

Connect AWS

Scan & score

Ship evidence

Private beta with security teams shipping today

One scan, every standard.

Questions, answered.

Retire the compliance spreadsheet.

Trust & compliance, on autopilot.

ISO 27001 : 2022

SOC 2 · Type II

PCI-DSS v4.0

GDPR

NIS2

CIS AWS Foundations 2.0

One surface. Continuous trust.

See your posture

Fix with AI

Prove it to auditors

Three steps to audit-ready.

Connect AWS

Scan & score

Ship evidence

Private beta with security teams shipping today

One scan, every standard.

Questions, answered.

Retire the compliance spreadsheet.

Trust & compliance,
on autopilot.