Range Scenario · crucible · 35 min
Compliance: AI Search for ISO 27001 Evidence Collection
This cybersecurity training scenario simulates a working incident. An ISO 27001 surveillance audit needs evidence for 18 cybersecurity controls. An LLM search tool reads policies and ticket history and proposes evidence. Verify, fill the gaps, deliver to the auditor.
Scenario briefing
You are the cybersecurity GRC analyst preparing the surveillance audit for your ISO 27001:2022 certification. The auditor sent a sample of 18 controls (drawn from Annex A) for which they want evidence. You have 5 days to deliver.
An LLM search tool indexes your policy library, IT ticket system, change-management records, and risk register. For each control, it proposes the strongest candidate evidence with citations. Your job is to verify each citation actually proves the control, fill gaps where evidence is thin, and reject hallucinated citations.
This scenario tests GRC tradecraft, evidence-bar discipline, and the use of LLM search as a research accelerator without trusting it as the auditor's eye. Sources: ISO/IEC 27001:2022, NIST CSF 2.0 GV.RR (Roles and Responsibilities), NIST SP 800-53A.
What you will practice
- Map an ISO 27001 Annex A control to specific evidence types
- Verify LLM-cited evidence against the source system
- Recognize hallucinated ticket numbers and fabricated approvers
- Fill evidence gaps when records are thin
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, and the deduction for each hint is listed before you reveal it. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
What does ISO 27001 evidence usually look like?
Evidence falls into a few classes: documented policy, signed records (training acknowledgements, access reviews), system records (change tickets, risk register entries), and observation (the auditor sees the control operating live). Auditors expect to see the policy itself, proof that the policy is operating, and a sample of the records it generated during the audit period.
What is the most common LLM hallucination in evidence search?
Fabricated ticket numbers and made-up approver names. The LLM produces plausible-sounding ticket IDs and signatures because it has seen the ticket-format pattern. Verify every cited ticket exists in the actual system before sending to the auditor. A single fabricated citation can damage audit trust for the entire engagement.
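The verification step described above, as an added example in Python (not part of the scenario's tooling): each field of an LLM-proposed citation is checked against the system of record before it goes to the auditor. The ticket store, directory, control numbers, audit period and ticket-ID format are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for the change-management system and the HR directory.
TICKET_SYSTEM = {
    "CHG-2024-0417": {"approver": "m.ortiz", "closed": date(2024, 3, 12),
                      "subject": "Firewall rule change"},
    "CHG-2024-0502": {"approver": "j.nakamura", "closed": date(2023, 11, 2),
                      "subject": "VPN gateway patch"},
}
DIRECTORY = {"m.ortiz", "j.nakamura", "a.lindqvist"}
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))   # assumed audit window
TICKET_RE = re.compile(r"^CHG-\d{4}-\d{4}$")            # assumed ticket-ID format


@dataclass
class Citation:
    control: str    # Annex A control the LLM says this ticket evidences
    ticket: str     # ticket ID as proposed by the LLM
    approver: str   # approver name as proposed by the LLM


def verify(c: Citation) -> tuple:
    """Return (verdict, reason) for one LLM-proposed citation.

    verdict is 'verified', 'gap' (real record but outside the audit period),
    or 'reject' (hallucinated ticket, fabricated approver, or mismatch).
    """
    if not TICKET_RE.match(c.ticket):
        return "reject", "ticket id does not match the system's format"
    rec = TICKET_SYSTEM.get(c.ticket)
    if rec is None:
        return "reject", "ticket not found in source system (hallucinated id)"
    if c.approver not in DIRECTORY:
        return "reject", "approver not in directory (fabricated approver)"
    if rec["approver"] != c.approver:
        return "reject", "approver does not match the ticket record"
    if not AUDIT_PERIOD[0] <= rec["closed"] <= AUDIT_PERIOD[1]:
        return "gap", "ticket predates audit period; need a record from this cycle"
    return "verified", rec["subject"]


def triage(citations) -> dict:
    """Map each control to its verdict so gaps and rejects are visible at a glance."""
    return {c.control: verify(c) for c in citations}


if __name__ == "__main__":
    proposed = [Citation("A.8.32", "CHG-2024-0417", "m.ortiz"),      # genuine
                Citation("A.8.8", "CHG-2024-0999", "m.ortiz"),       # plausible but absent
                Citation("A.8.32", "CHG-2024-0417", "r.example"),    # approver invented
                Citation("A.8.8", "CHG-2024-0502", "j.nakamura")]    # real, wrong period
    for control, (verdict, reason) in triage(proposed).items():
        print(f"{control}: {verdict} - {reason}")
```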
How does AI fit into the audit workflow long term?
AI accelerates research, drafts the evidence package, and suggests gap-fillers. The GRC analyst still owns the evidence quality, the audit relationship, and the certification posture. AI makes a 5-day audit package a 1-day audit package; it does not turn a poorly-controlled program into a well-controlled one.
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.