
badrnkarim/ISO27001-ISMS-GRC-Portfolio


ISO/IEC 27001 ISMS Portfolio — Audit-Grade (CloudFin SaaS)

Author/Owner: Badr Karim — Cybersecurity GRC Intern | Security Assurance | Risk-Based Controls | Audit Evidence
Portfolio type: ISO/IEC 27001 ISMS documentation + internal audit execution (audit-style evidence discipline)

This repository is an audit-grade ISO/IEC 27001 ISMS portfolio built as a realistic SaaS scenario (“CloudFin Analytics”) to demonstrate US workplace-style GRC and internal audit execution.
It is structured like an assurance engagement with end-to-end traceability from risk decisions to verifiable proof (EV-001 → EV-015) and audit outcomes.

Why this portfolio is “audit-grade”

This repo is structured like a real assurance engagement and supports full traceability:

Risk → Control (SoA) → Evidence → Internal Audit → CAPA → Follow-up Verification

You can review artifacts, evidence, and audit outputs exactly as an auditor or hiring manager would.

Start Here (10-minute reviewer path)

Open in this order:

  1. RECRUITER-ONE-PAGER.md — fast summary (what was built + what it proves)
  2. CASE-STUDY.md — baseline audit → findings → CAPA → follow-up verification
  3. PORTFOLIO-MAP.md — ISO clauses → exact artifacts + evidence references
  4. 04_Evidence/EV-INDEX_Evidence_Index_v0.1_2026-02-07.csv — master evidence list (EV-001..EV-015)
  5. 03_Audit_Pack/AUD-005_Audit_Report_Findings_v0.1_2026-02-07.md — audit report & findings
  6. 03_Audit_Pack/AUD-008_Followup_Audit_Report_v0.1_2026-02-07.md — follow-up verification (closure proof)
  7. 02_Registers/ISMS-005_SoA_v0.1_2026-02-07.csv — Statement of Applicability (controls ↔ evidence)

What this demonstrates (capabilities)

  • ISO 27001 ISMS implementation: scope, policy, risk methodology, objectives, documented information control
  • Risk-based control selection: risk register → SoA applicability/justification → implementation status
  • Internal audit execution: audit program/plan, checklist, evidence log, findings report
  • Corrective action lifecycle: CAPA procedure, tracker, closure evidence, and verification
  • Operational readiness documentation: incident response plan & tabletop, backup/restore testing, supplier assessment, vulnerability workflow, access review, awareness training
  • Evidence discipline: every implemented item maps to an evidence ID (EV-###)
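The evidence-discipline claim above (every implemented SoA item maps to an EV-### that actually exists in the evidence index) is the kind of invariant an auditor samples by hand and a reviewer can verify mechanically. The script below is an added example, not code from this repository; it assumes hypothetical column names for the two CSVs (`control_id`, `applicable`, `status`, `evidence_ids` in the SoA; `evidence_id`, `artifact`, `control_id` in the evidence index) and uses constructed sample rows in place of the real files under 02_Registers/ and 04_Evidence/.

```python
"""
Traceability check between a Statement of Applicability and an evidence index.

Added example, not part of the portfolio. Column names are assumptions;
adapt them to the real ISMS-005_SoA_*.csv and EV-INDEX_*.csv headers.
"""
import csv
import io
import json
import re

# Evidence IDs in this portfolio follow the EV-### pattern (EV-001 .. EV-015).
EV_ID = re.compile(r"^EV-\d{3}$")

# Constructed sample rows standing in for 02_Registers/ISMS-005_SoA_*.csv.
SOA_CSV = """control_id,applicable,status,evidence_ids
A.5.1,Yes,Implemented,
A.5.15,Yes,Implemented,EV-003;EV-004
A.8.13,Yes,Implemented,EV-009
A.5.26,Yes,Implemented,EV-012;EV-099
A.5.9,Yes,Implemented,ev-7
A.6.3,Yes,Partially implemented,
A.7.9,No,Not applicable,
"""

# Constructed sample rows standing in for 04_Evidence/EV-INDEX_*.csv.
EVIDENCE_CSV = """evidence_id,artifact,control_id
EV-003,Access review Q1 export,A.5.15
EV-004,Access review sign-off,A.5.15
EV-009,Backup restore test log,A.8.13
EV-012,Incident tabletop minutes,A.5.26
EV-015,Supplier assessment,A.5.19
"""


def check_traceability(soa_text, evidence_text):
    """Return the gaps that break Risk -> Control (SoA) -> Evidence traceability."""
    evidence = {
        row["evidence_id"].strip(): row
        for row in csv.DictReader(io.StringIO(evidence_text))
    }
    findings = {
        "implemented_without_evidence": [],  # status says done, nothing proves it
        "dangling_evidence_ref": [],         # SoA cites an EV-### not in the index
        "malformed_evidence_id": [],         # reference does not match EV-###
        "backlink_mismatch": [],             # index row points at a different control
        "evidence_on_excluded_control": [],  # proof attached to a non-applicable control
        "unreferenced_evidence": [],         # index entries no SoA row uses
    }
    referenced = set()
    for row in csv.DictReader(io.StringIO(soa_text)):
        cid = row["control_id"].strip()
        status = row["status"].strip().lower()
        refs = [r.strip() for r in row["evidence_ids"].split(";") if r.strip()]
        if row["applicable"].strip().lower() != "yes":
            if refs:
                findings["evidence_on_excluded_control"].append(cid)
            continue
        for ref in refs:
            if not EV_ID.match(ref):
                findings["malformed_evidence_id"].append((cid, ref))
            elif ref not in evidence:
                findings["dangling_evidence_ref"].append((cid, ref))
            else:
                referenced.add(ref)
                if evidence[ref]["control_id"].strip() != cid:
                    findings["backlink_mismatch"].append((cid, ref))
        if status == "implemented" and not refs:
            findings["implemented_without_evidence"].append(cid)
    findings["unreferenced_evidence"] = sorted(set(evidence) - referenced)
    return findings


def is_clean(findings):
    """True only when no traceability gap was recorded."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_traceability(SOA_CSV, EVIDENCE_CSV)
    print(json.dumps(result, indent=2))
    print("traceability OK" if is_clean(result) else "traceability gaps found")
```

Run it against the real CSVs by reading each file into `check_traceability` instead of the constructed strings. Unreferenced evidence is not a finding in the ISO sense, but it is worth listing: an EV-### that no SoA row cites is either orphaned proof or a sign that a control's evidence mapping was never filled in.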

Connect

LinkedIn: https://www.linkedin.com/in/badrkarim/

About

ISO 27001 ISMS / GRC SaaS portfolio with NIST CSF + SOC 2 mapping: risks, SoA, audits, CAPA, management review, evidence index.
