FANG stands for Focused Assessment and Narrative Generator. It is an evolving ISO 27001 ISMS accelerating engine being built to explore a practical question: how can software reduce the repetitive work involved in assessments, evidence review and report writing without pretending that governance or auditing can be reduced to a chatbot answer?
The intended answer is a structured workflow. FANG combines defined control logic, repeatable scoring, evidence references and human-approved narratives. Language models can assist with extraction and summarization, but they do not become the source of authority. The standard, the organization's risk decisions, the available evidence and the reviewer remain the source of truth.
- FANG is an evolving prototype/MVP, not a finished compliance platform.
- It organizes work across assessment, implementation and auditing.
- Structured control logic is kept separate from LLM-generated language.
- Every conclusion should remain reviewable, traceable and open to challenge.
- FANG does not certify organizations or replace accredited certification bodies.
Why build an ISO 27001 accelerating engine?
ISO 27001 work often becomes fragmented. Intake answers sit in forms, control ratings live in spreadsheets, policies are stored across folders, evidence appears in tickets and screenshots, and findings are rewritten into several reports. The difficult part is not merely storing those files. It is maintaining a defensible relationship between business context, risk, controls, evidence, conclusions and actions.
Generic automation can make this worse if it generates confident language without showing how the conclusion was reached. FANG is therefore designed around an evidence chain: what requirement or control is being assessed, what information was supplied, which source supports the assessment, what structured status applies, what remains uncertain and which human accepted the final result.
The three connected FANG workflows
1. Assessment
The assessment workflow begins with structured intake. Questions can capture the organization's scope, systems, information, suppliers, processes and existing safeguards. Responses can then feed a repeatable gap assessment rather than an unstructured conversation.
The intended outputs include control-level scoring, current-state observations, missing-information flags, prioritized gaps and a readable assessment narrative. Ratings such as conforming, partially conforming, not conforming or not yet known need defined criteria applied by the structured layer, so that the same intake answers and the same evidence always produce the same rating. They should not be invented differently each time a model runs.
2. Implementation support
After assessment, teams need a workable plan. FANG is intended to help organize actions, map evidence to controls, identify missing policies and assign implementation work. The engine can highlight that a document exists while evidence of operation is still missing. That distinction matters: a policy is not proof that a process is working.
Implementation support should also retain ownership and status. A finding without an owner becomes commentary. A missing control without a target action becomes a recurring audit surprise. Structured work items turn the assessment into an ISMS improvement backlog.
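The rating criteria and the policy-versus-operation distinction described above, as an added example that is not FANG's own code (the page does not describe the engine's language or data model). The evidence kinds, the 365-day freshness window for operating evidence, the work-item fields and the placeholder control identifiers C-01 to C-04 are assumptions; the intake answers and evidence in `demo_assessment` are constructed.

```python
"""Deterministic control rating for the assessment and implementation
workflows.  Added example, not FANG's own code: the evidence kinds,
rating criteria, freshness window and work-item fields are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Rating vocabulary used on the page; the criteria below are assumed.
CONFORMING = "conforming"
PARTIAL = "partially conforming"
NOT_CONFORMING = "not conforming"
UNKNOWN = "not yet known"
PRIORITY = {NOT_CONFORMING: 0, UNKNOWN: 1, PARTIAL: 2, CONFORMING: 3}
OPERATION_WINDOW = timedelta(days=365)   # assumed: operating evidence must be this fresh


@dataclass(frozen=True)
class Evidence:
    ref: str        # source reference, e.g. "DOC-12 s.3" or "TICKET-4471"
    kind: str       # "policy" (a document exists) or "operation" (the process ran)
    observed: date  # date the evidence was produced


@dataclass
class Rating:
    control: str
    rating: str
    basis: List[str]           # evidence refs the rating rests on
    missing: List[str]         # missing-information flags
    work_item: Optional[dict]  # None when nothing is left to do


def rate_control(control, implemented, evidence, today, owner=None):
    """Apply fixed criteria so the same inputs always give the same rating.

    implemented: intake answer (True/False) or None when never answered.
    """
    policies = [e for e in evidence if e.kind == "policy"]
    ops = [e for e in evidence if e.kind == "operation"]
    recent_ops = [e for e in ops if today - e.observed <= OPERATION_WINDOW]
    missing = []

    if implemented is None:
        rating, action = UNKNOWN, "answer intake question"
        missing.append("intake response missing")
    elif implemented is False:
        rating, action = NOT_CONFORMING, "implement control"
    elif policies and recent_ops:
        rating, action = CONFORMING, None
    elif policies:
        # A policy is not proof that the process is working.
        rating, action = PARTIAL, "collect operating evidence"
        missing.append("operating evidence stale" if ops else "no operating evidence")
    else:
        rating, action = UNKNOWN, "supply evidence for claimed implementation"
        missing.append("implementation claimed but no evidence supplied")

    work_item = None
    if action is not None:
        if owner is None:
            missing.append("no owner assigned")   # a finding without an owner is commentary
        work_item = {"control": control, "action": action, "owner": owner, "status": "open"}
    return Rating(control, rating, [e.ref for e in evidence], missing, work_item)


def prioritized_gaps(ratings):
    """Backlog order: not conforming first, then unknowns, then partials."""
    return sorted((r for r in ratings if r.rating != CONFORMING),
                  key=lambda r: (PRIORITY[r.rating], r.control))


def demo_assessment(today=date(2025, 6, 1)):
    """Constructed intake answers, owners and evidence for four placeholder controls."""
    intake = {"C-01": True, "C-02": True, "C-03": False, "C-04": None}
    owners = {"C-01": "ciso", "C-02": None, "C-03": "it-ops", "C-04": None}
    evidence = {
        "C-01": [Evidence("DOC-01", "policy", date(2024, 11, 2)),
                 Evidence("TICKET-17", "operation", date(2025, 3, 9))],
        "C-02": [Evidence("DOC-02", "policy", date(2023, 1, 15)),
                 Evidence("LOG-EXPORT-3", "operation", date(2023, 2, 1))],
        "C-03": [],
        "C-04": [],
    }
    ratings = [rate_control(c, intake[c], evidence[c], today, owners[c]) for c in intake]
    return ratings, prioritized_gaps(ratings)
```

The point of keeping the rules in one function with no model call inside it is that a reviewer can read the criteria, challenge them and re-run them; the language model's role stays upstream (turning documents into `Evidence` records) and downstream (explaining a `Rating` in prose), never in the middle.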
3. Auditing support
The auditing workflow explores how policies, spreadsheets, logs and other supplied evidence can be reviewed against control expectations. A language model may extract dates, roles, commitments or relevant passages. FANG's structured layer should then associate that information with the control under review and preserve the source reference.
The result is not an automatic audit opinion. It is a review package: evidence found, evidence missing, possible inconsistencies, draft observations and questions for a competent reviewer. The reviewer must decide whether the evidence is reliable, sufficient and relevant in context.
How FANG differs from a generic compliance chatbot
A generic chatbot responds to text and keeps no durable state. An ISMS workflow needs state and traceability: it must know which organization, scope, assessment version, control, risk, evidence item and reviewer decision a statement belongs to, and it must distinguish facts extracted from a document from interpretations and from final judgments.
FANG's design direction separates those layers. Source facts should remain linked to the original material. Scoring should follow explicit logic. Generated narratives should explain structured findings rather than silently create them. Human changes should be visible. This approach is slower than claiming one-click compliance, but it is more defensible.
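The review package of the auditing workflow and the layer separation described in this section, as an added example rather than FANG's own implementation. A regex extractor stands in for the model's extraction step; the document format, the control expectations, the 365-day review interval and the identifiers DOC-07, REG-02 and C-07 are assumptions and the two documents are constructed. The last function also implements the consistency check this page lists as future work: an approved conclusion is reported as stale when the content hash of any source it cites has changed.

```python
"""Audit review package with source provenance.  Added example, not FANG's
own code: the document format, the regex stand-in for model extraction,
the control expectations and the staleness rule are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Fact:
    """A source fact: the value plus exactly where and in which version it was found."""
    doc_id: str
    line: int
    name: str
    value: str
    doc_digest: str


# Stand-in for the model extraction step.  Whatever extracts a fact, the
# structured layer only accepts it together with a locator and a source digest.
FIELD_PATTERNS = {
    "owner": re.compile(r"^Owner:\s*(.+)$"),
    "review_date": re.compile(r"^Last reviewed:\s*(\d{4}-\d{2}-\d{2})$"),
    "scope": re.compile(r"^Scope:\s*(.+)$"),
}


def extract_facts(doc_id, text):
    d = digest(text)
    facts = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pat in FIELD_PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                facts.append(Fact(doc_id, n, name, m.group(1).strip(), d))
    return facts


def render_observation(pkg):
    """Draft narrative rendered from the structured fields only; it cannot add a finding."""
    parts = [f"Control {pkg['control']}: {len(pkg['evidence_found'])} fact(s) located"]
    if pkg["evidence_missing"]:
        parts.append("missing " + ", ".join(pkg["evidence_missing"]))
    if pkg["inconsistencies"]:
        parts.append(f"{len(pkg['inconsistencies'])} inconsistency(ies) flagged for reviewer")
    return "; ".join(parts) + "."


def build_review_package(control, required, facts, audit_date, max_review_age_days=365):
    """Structured layer: attach facts to the control, keep their source refs,
    and derive missing items and inconsistencies by explicit rules."""
    found, inconsistencies = {}, []
    for f in facts:
        if f.name in found and found[f.name].value != f.value:
            g = found[f.name]
            inconsistencies.append(
                f"{f.name}: '{g.value}' ({g.doc_id}:{g.line}) vs '{f.value}' ({f.doc_id}:{f.line})")
        found.setdefault(f.name, f)
    missing = [r for r in required if r not in found]
    if "review_date" in found:
        age = (audit_date - date.fromisoformat(found["review_date"].value)).days
        if age > max_review_age_days:
            inconsistencies.append(f"review_date is {age} days old (limit {max_review_age_days})")
    questions = [f"Where is the evidence for '{m}'?" for m in missing]
    questions += [f"Which value is correct: {i}?" for i in inconsistencies if " vs " in i]
    pkg = {
        "control": control,
        "evidence_found": {k: f"{v.doc_id}:{v.line}={v.value}" for k, v in found.items()},
        "evidence_missing": missing,
        "inconsistencies": inconsistencies,
        "questions": questions,
        "sources": {f.doc_id: f.doc_digest for f in facts},   # provenance of every cited doc
        "decision": None,                                     # filled by a human, never by code
    }
    pkg["draft_observation"] = render_observation(pkg)
    return pkg


def record_decision(pkg, reviewer, decision):
    pkg["decision"] = {"reviewer": reviewer, "decision": decision}
    return pkg


def is_stale(pkg, current_docs):
    """Cited sources whose content changed since the package was built; a non-empty
    list means the recorded decision must go back to a reviewer."""
    return [doc for doc, d in pkg["sources"].items()
            if digest(current_docs.get(doc, "")) != d]


# Constructed sample evidence for a placeholder control C-07.
DOCS = {
    "DOC-07": "Access Control Policy\nOwner: Head of IT\nLast reviewed: 2023-04-10\n"
              "Scope: all production systems\n",
    "REG-02": "ISMS document register\nOwner: CISO\n",
}


def demo(audit_date=date(2025, 6, 1)):
    facts = [f for doc_id, text in DOCS.items() for f in extract_facts(doc_id, text)]
    pkg = build_review_package("C-07", ["owner", "review_date", "approval"], facts, audit_date)
    return record_decision(pkg, "lead-auditor", "partially conforming")
```

Two design choices carry the argument of this section: the narrative function receives only the package and so can describe findings but not create them, and every package stores a digest per cited document, so a change to a policy file after the reviewer signed off is detectable rather than silently absorbed into the next report.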
What FANG should never claim
No software can grant ISO 27001 certification. Certification is performed by an independent accredited certification body within a defined scope. Software also cannot accept risk on behalf of leadership, determine organizational context without stakeholder input or replace the skepticism and competence expected from an auditor.
FANG should help people work with better structure. It should not hide uncertainty, fabricate evidence, reproduce protected standards text or turn a generated paragraph into an unsupported conclusion. The current project is a prototype and proof of work; its value is in testing these design principles honestly.
Where the prototype goes next
The useful path forward is incremental: improve intake quality, refine control-scoring rules, preserve evidence provenance, make review decisions explicit and test whether reports remain consistent when source evidence changes. Security, privacy and document handling also need to be treated as core design concerns because ISMS evidence may contain sensitive organizational information.
The long-term ambition is not to remove practitioners. It is to give them a clearer workspace for assessment, implementation and auditing so more time can be spent on risk, judgment and improvement instead of repetitive document assembly.
FAQ
Is FANG an ISO 27001 certification tool?
No. FANG is an independent prototype for organizing ISMS work. It is not affiliated with ISO and cannot issue or guarantee certification.
Does FANG conduct audits automatically?
No. It is intended to assist evidence review and reporting while a competent human determines conclusions.
Is FANG available as a finished commercial product?
No. It is currently an evolving MVP and proof-of-work project. Descriptions refer to the intended system design and tested prototype concepts.
Why use an LLM at all?
LLMs can help extract, classify and summarize unstructured material. Their output must remain constrained by structured rules, source references and human review.