ISO 27001 evidence mapping answers a deceptively simple question: what proves that a requirement or control is designed and operating in the organization being assessed? Policies can describe intent, but auditors also look for implementation and operation. Tickets, approvals, logs, review records, configuration exports, training records and meeting minutes may all contribute to the answer.

FANG is being designed to make that relationship easier to inspect. Its intended workflow accepts structured and unstructured material, extracts relevant facts, associates those facts with defined control questions and drafts a narrative for review. The system should never conceal the difference between evidence, interpretation and judgment.

Key takeaways
  • Evidence mapping should preserve the original source, location and context.
  • A document can support several controls, but relevance must be explained.
  • Policy language, implementation evidence and operating evidence are different.
  • LLMs can assist extraction; structured rules should determine workflow state.
  • FANG remains an evolving MVP and does not issue audit opinions.

The problem with folder-based evidence collection

Many readiness projects begin with folders named after clauses or Annex A controls. This is better than having no structure, but it does not answer whether the material is current, applicable, approved or sufficient. The same access-control policy may be copied into several folders while the real operating evidence—an access review or offboarding record—is missing.

Folder structures also lose reasoning. A reviewer may know why a file matters, but the next reviewer only sees the file name. When the policy changes, nobody knows which earlier conclusions need to be reconsidered. Evidence mapping should therefore be treated as data with relationships, not as a collection of attachments.

A defensible FANG evidence record

A practical evidence record can contain the evidence identifier, document name, version, date, owner, source location, relevant passage, mapped control, assessment question, reviewer status and notes. It can also record whether the evidence shows design, implementation or operation.

These fields are not presented as a new ISO requirement. They are a practical way to make review work reproducible. If someone challenges a conclusion, the reviewer should be able to move from the narrative back to the structured finding and then to the exact source material.

Step 1: register and classify the source

When a policy, spreadsheet or report enters the workflow, FANG should first record what it is rather than immediately judging it. A source may be a controlled policy, a procedure, an operational record, a system-generated export, a contract or an interview note. The classification affects how much weight it can carry.

Basic quality checks also matter. Is the version visible? Has the document been approved? Is the named owner still responsible? Does the period under review match the audit period? A well-written but obsolete policy should not quietly support a current conclusion.

Step 2: extract candidate facts with provenance

An LLM can help identify roles, review frequencies, commitments, systems, approval language and relevant passages. That is useful when documents are long or inconsistent. Extraction, however, must produce candidates rather than unquestioned facts.

Each extracted statement should retain provenance: document, page or section, and the text that supports it. FANG should also allow a reviewer to reject or correct the extraction. Without this step, a polished summary can drift away from the source and become difficult to audit.

Step 3: map evidence to a control question

Controls should be converted into reviewable questions written in an original interpretive framework rather than copying protected standards text. For example, a review question may ask how privileged access is approved, limited, reviewed and removed. Evidence can then be mapped to the parts it supports.

A policy may support the defined process. An identity export may show assigned access. A completed review record may show operation. Mapping all three provides a stronger picture than attaching the policy and marking the control complete.

Step 4: assess coverage and uncertainty

FANG's structured layer should distinguish supported, partially supported, unsupported and unknown states according to defined criteria. The unknown state matters: it means the current material does not justify a conclusion either way, not that the organization has failed the control.

Uncertainty can trigger a request for evidence, a stakeholder interview or a test. It should not be filled with generated assumptions. This is one of the most important boundaries for responsible audit evidence automation.

Step 5: draft a reviewable narrative

Once the structured finding exists, an LLM can help turn it into readable language: what was reviewed, what the evidence indicates, what remains missing and why the issue matters. The narrative should cite the evidence identifiers and remain consistent with the recorded status.

The reviewer then edits or approves the draft. A final report should never depend on a paragraph whose underlying evidence cannot be found. Narrative generation saves time only when it strengthens traceability rather than replacing it.
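The five steps above, as one added example in Python. This is not FANG's code and not part of the original article; it shows one way the structured layer can work: evidence records that keep provenance, mappings that say which part of a control question a passage supports and why, a rule that turns reviewer status, approval and date into a workflow state (with unknown kept separate from unsupported), and a narrative rendered from that finding rather than the other way round. All identifiers, documents, passages and the audit period are constructed, and the coverage rule (a part is fully covered only when both design and operation evidence qualify) is one possible encoding of criteria the article leaves to be defined.

```python
# Added example, not FANG's code: a structured evidence layer in which rules derive the
# workflow state before any narrative is drafted. Identifiers, documents, passages,
# paths and the audit period are constructed for illustration.
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # constructed audit period

@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    document: str
    location: str         # source plus page/section, so the passage can be found again
    doc_date: date
    passage: str          # verbatim text or row the finding rests on
    kind: str             # "design" | "implementation" | "operation"
    approved: bool
    reviewer_status: str  # "candidate" (LLM-extracted) | "accepted" | "rejected"

# A mapping ties one passage to one part of a question and records why it is relevant.
Mapping = namedtuple("Mapping", "evidence_id question_id part relevance")
ControlQuestion = namedtuple("ControlQuestion", "question_id text parts")

def disqualify(ev, period):
    """None if the evidence may carry weight, otherwise the reason it cannot."""
    if ev.reviewer_status != "accepted":
        return f"{ev.reviewer_status}, not accepted by a reviewer"
    if not ev.approved:
        return "document not approved"
    if not period[0] <= ev.doc_date <= period[1]:
        return f"dated {ev.doc_date.isoformat()}, outside the audit period"
    return None

def assess(question, evidence, mappings, period=AUDIT_PERIOD):
    """Derive the workflow state by rule; no generated text is involved."""
    by_id = {e.evidence_id: e for e in evidence}
    kinds = {p: set() for p in question.parts}
    cited, excluded, pending = set(), [], []
    for m in (m for m in mappings if m.question_id == question.question_id):
        ev = by_id[m.evidence_id]
        reason = disqualify(ev, period)
        if reason is None:
            kinds[m.part].add(ev.kind)
            cited.add(ev.evidence_id)
        elif ev.reviewer_status == "candidate":
            pending.append(ev.evidence_id)
        else:
            excluded.append(f"{ev.evidence_id}: {reason}")
    # Full coverage needs both the defined process and a record of it operating.
    full = [p for p in question.parts if {"design", "operation"} <= kinds[p]]
    partial = [p for p in question.parts if kinds[p] and p not in full]
    missing = [p for p in question.parts if not kinds[p]]
    if len(full) == len(question.parts):
        status = "supported"
    elif full or partial:
        status = "partially supported"
    elif pending or not excluded:
        status = "unknown"      # nothing reviewed yet: no conclusion either way
    else:
        status = "unsupported"  # reviewed material exists and none of it qualifies
    return {"status": status, "cited": sorted(cited), "excluded": excluded, "pending": pending,
            "full": full, "partial": partial, "missing": missing,
            "coverage": {p: sorted(k) for p, k in kinds.items()}}

def draft_narrative(question, finding):
    """Render the finding; status and citations come from it, not from a model."""
    ids = ", ".join(finding["cited"]) or "none"
    lines = [f"{question.question_id} [{finding['status']}] {question.text} Evidence: {ids}."]
    lines += [f"- {p}: defined process and operating record present." for p in finding["full"]]
    lines += [f"- {p}: {'/'.join(finding['coverage'][p])} evidence only." for p in finding["partial"]]
    lines += [f"- {p}: no qualifying evidence; request evidence or interview." for p in finding["missing"]]
    lines += [f"Excluded: {x}." for x in finding["excluded"]]
    lines += [f"Awaiting reviewer decision: {x}." for x in finding["pending"]]
    return "\n".join(lines)

QUESTION = ControlQuestion("Q-PA-01", "How is privileged access approved, limited, "
                           "reviewed and removed?", ("approved", "limited", "reviewed", "removed"))
EVIDENCE = [  # constructed sample records
    Evidence("EV-001", "Access Control Policy v3.1", "dms://policies/ACP-3.1.pdf#s4.2", date(2024, 2, 10),
             "Privileged access needs system-owner approval; reviewed quarterly.", "design", True, "accepted"),
    Evidence("EV-002", "IAM admin-group export", "iam://exports/admins-2024-06-03.csv#rows1-14",
             date(2024, 6, 3), "14 accounts in Domain Admins", "implementation", True, "accepted"),
    Evidence("EV-003", "Q2 privileged access review", "tickets://SEC-2231#attachment", date(2024, 7, 8),
             "Quarterly review completed; 2 accounts removed.", "operation", True, "accepted"),
    Evidence("EV-004", "Offboarding ticket", "tickets://HR-0871", date(2021, 11, 14),
             "Admin rights revoked on last working day.", "operation", True, "accepted"),
    Evidence("EV-005", "Access Control Policy v3.1", "dms://policies/ACP-3.1.pdf#s4.5", date(2024, 2, 10),
             "Privileged access is removed within one working day.", "design", True, "candidate"),
]
MAPPINGS = [
    Mapping("EV-001", "Q-PA-01", "approved", "policy names the approver"),
    Mapping("EV-001", "Q-PA-01", "reviewed", "policy sets a quarterly review frequency"),
    Mapping("EV-002", "Q-PA-01", "limited", "export shows who currently holds admin rights"),
    Mapping("EV-003", "Q-PA-01", "reviewed", "record of the Q2 review being performed"),
    Mapping("EV-004", "Q-PA-01", "removed", "shows revocation on exit but predates the period"),
    Mapping("EV-005", "Q-PA-01", "removed", "LLM-extracted passage awaiting reviewer confirmation"),
]

def run_demo():
    finding = assess(QUESTION, EVIDENCE, MAPPINGS)
    return finding, draft_narrative(QUESTION, finding)
```

Running `run_demo()` on the constructed records yields "partially supported": the review part is fully covered (policy plus a completed review record), approval and limitation rest on a single kind of evidence each, and removal has nothing that qualifies, because the only operating record predates the audit period and the policy passage is still an unreviewed extraction. The narrative can only repeat that status and cite EV-001 to EV-003, so a reader can walk from each sentence back to a record and its location. A question with no reviewed material at all comes out as unknown, not unsupported.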

Evidence mapping across assessment and implementation

The same model supports more than auditing. During a gap assessment, it shows what the current state is and what information is missing. During implementation, it becomes a plan for creating or improving evidence. During later review, it can show whether the evidence changed and whether the earlier conclusion still holds.

This continuity is central to the FANG idea. Assessment findings should not disappear into a final PDF. They should remain connected to implementation tasks, evidence updates and later review decisions.

Security and confidentiality considerations

ISMS evidence can contain sensitive information about systems, staff, suppliers and weaknesses. Any evidence-processing system must address access control, retention, encryption, logging, data residency and model-provider handling. Documents should not be submitted to an AI service merely because an extraction feature is convenient.

FANG's current prototype status means these concerns are design requirements, not solved claims. A future deployment model must make data handling transparent and allow organizations to choose controls appropriate to their risk.

FAQ

Can one evidence item map to several ISO 27001 controls?

Yes. The mapping should explain which part of the evidence supports each review question instead of treating a shared file as universal proof.

Can AI determine whether evidence is sufficient?

AI can flag likely coverage and missing information. A competent reviewer must determine sufficiency in the organization's scope, risk and audit context.

Does FANG store customer evidence today?

FANG is described as an evolving prototype/MVP. This article explains intended design principles and does not claim a production evidence-hosting service.

Why generate narratives after scoring?

Structured status should constrain the narrative. Generating language first can create an explanation that is inconsistent with the actual finding.
