An ISO 27001 copilot that moves with your readiness program.
AFEND AI writes the first draft of your scope statement, risk register, Annex A justifications, policies, audit findings, and management review. It reads your workspace, answers in your industry's voice, and never approves anything on your behalf. You stay in control; it just stops making you stare at a blank page.
A capability per readiness moment - not one generic chat window.
AFEND AI lives where the work happens. A button on the scope page drafts the scope statement. A button on the policy page drafts the policy body. A panel in the topbar answers questions grounded in the workspace you're looking at.
Scope helper (/app/scope)
Takes the in-scope items, interested parties, and obligations you already captured and drafts the formal clause 4.3 scope statement in two paragraphs. Tuned to your industry overlay, not a template.
Risk helper (/app/risks)
Type a risk title and pick a category; the helper drafts the 2-3 sentence description: scenario, trigger, business impact. Never suggests a score - your methodology owns that.
Annex A justification (/app/controls)
One or two sentences per control, tuned to whether you've marked it Applicable or Not Applicable. The SoA is the document auditors read first, so it is drafted so that every row gives a reason specific to your scope.
Policy helper (/app/policies)
Generates a 600-900 word policy body in Markdown, aware of the Annex A controls the policy is linked to, your company name, and the industry you operate in. Review sections are named; placeholder text is absent.
Audit finding helper (/app/audit)
From a finding title, drafts the description: what was observed, why it matters, the direction for the corrective action. Factual, no accusation, matched to the finding's severity.
Management review minutes (/app/management-review)
Reads the live state of scope, risks, controls, policies, evidence, audit findings and blockers, and drafts the clause 9.3 minutes (Inputs reviewed and Points for decision), leaving the decisions blank for the sponsor to record.
Ask anything, in context (global panel)
Right-drawer chat that knows which page you're on, which phase is open, and what's still blocking. It answers in two sentences, offers three bullets, and references the actual control or risk number - never a generic consulting non-answer.
The five moments a readiness program stalls - compressed.
| Before | With AFEND AI |
|---|---|
| Opening a blank policy page and trying to remember what a "good" Access Control Policy says | A 700-word first draft aware of your controls, your industry, and your company name, ready to tighten in ten minutes |
| Writing 93 SoA justifications, most of which read identical because you ran out of phrases | One or two sentences per control, each tied to the decision you picked and the scope you approved |
| Staring at a finding title at 11pm, trying to phrase the description without accusing anyone | The observed-fact-then-why-it-matters-then-next-step pattern, drafted from the title and severity |
| Assembling the management review pack the night before the meeting | Clause 9.3 minutes drafted from live workspace data with the decision points listed, for the sponsor to fill in |
| Explaining ISO 27001 concepts to the team over and over | A contextual chat that answers "what does this phase do" with the numbers from your actual workspace |
The rules the assistant follows, by design.
AFEND AI is opinionated about what it refuses to do. These six rules are the product, not marketing copy - each one is enforced at the prompt, the code, and the approval UI.
Every output is a draft
AFEND AI labels its own output. No artefact enters the ISMS until you click Accept. Scope, SoA, policies, management review - these are the approval moments, and the user, not the AI, signs them.
Source context is visible
Every draft shows exactly which workspace data was read to produce it - scope, risks, controls, policies, evidence, blockers. You see what informed the answer before you accept it.
Private to the workspace
Your ISMS data is hosted in the EU (Frankfurt). Evidence content is blocked from leaving that boundary by default; the safety layer only passes the workspace metadata your policy explicitly allows.
Regenerate, edit, never auto-save
If the first draft is not quite right, Regenerate. If 90% is right, Accept and edit inline. AFEND AI never silently writes to a field; every keystroke in the final artefact is yours.
Can never mark you compliant
The assistant is not allowed to approve a phase, close a finding, sign a policy, or mark readiness. These are human decisions, and the system enforces that at the prompt and code level.
English, Spanish, French, German
Output in the language your team works in. Switch locale and the drafts, the explanations, and the review notes all render in the active language without losing the audit-facing precision.
Different roles, same copilot.
The assistant reads the same workspace regardless of who's asking; the experience shifts to the work that role actually does.
Program owners
You write the first drafts of almost everything. AFEND AI gets you to the 70% that's editable in the same 15 minutes you'd have spent staring at a blank page.
Executive sponsors
Ask the panel what's open, what needs your sign-off, and what a reasonable auditor would flag. Land on the review meeting already briefed.
Consultants running multiple clients
Same copilot, per-workspace context. Industry overlay, scope, and linked controls shape every draft so a SaaS client's policy doesn't read like a bank's.
Regulated customers
Local-only mode keeps every draft computed on infrastructure you control; nothing leaves. Drop-in for FX, iGaming, and financial services, where data residency is not optional.
EU-hosted. Evidence stays where your compliance says it should.
Workspaces are provisioned in Supabase's Frankfurt region. A safety layer decides, per data class, whether content can leave the EU perimeter at all. Evidence bodies are excluded by default. Regulated customers can pin the whole workspace to a local-only processing mode so no request traverses a cloud provider boundary.
- Row-level security scoped per workspace - one customer's data never crosses another's boundary, including between clients of the same consultant.
- Every request is logged for 180 days with tokens, latency, and the redacted context label set - auditable, purgeable, never silent.
- English, Spanish, French, German at launch. Your locale, your drafts.
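The paragraph and bullets above describe three controls: a per-data-class decision on what may leave the EU perimeter (evidence bodies excluded by default), a local-only mode in which nothing leaves, and a request log that records redacted context labels rather than content. The following is an added example illustrating that pattern in Python; it is not AFEND's code, and every class, name and sample record in it is a hypothetical assumption constructed for the demonstration. The workspace-id check stands in for the defence-in-depth layer behind database row-level security: a record from another workspace is refused outright rather than silently dropped.

```python
"""Hypothetical per-data-class egress gate for an assistant that reads
ISMS workspace data. Added example, not AFEND's code; all names are
assumptions made for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class DataClass(str, Enum):
    SCOPE_ITEM = "scope_item"
    RISK = "risk"
    CONTROL_DECISION = "control_decision"
    POLICY_LINK = "policy_link"
    EVIDENCE_COUNT = "evidence_count"
    EVIDENCE_BODY = "evidence_body"   # uploaded file contents: never leaves by default
    AUDIT_FINDING = "audit_finding"


# Classes a cloud-hosted model may see unless the workspace policy says otherwise.
# Evidence bodies are excluded; only the evidence count is treated as metadata.
DEFAULT_CLOUD_ALLOW = frozenset(DataClass) - {DataClass.EVIDENCE_BODY}


@dataclass(frozen=True)
class Record:
    workspace_id: str
    data_class: DataClass
    label: str      # what the UI shows as "source context", e.g. "risk R-07"
    content: str


@dataclass(frozen=True)
class EgressPolicy:
    local_only: bool = False                  # regulated mode: nothing crosses a cloud boundary
    cloud_allow: frozenset = DEFAULT_CLOUD_ALLOW

    def destination(self) -> str:
        return "local" if self.local_only else "cloud"

    def permits(self, data_class: DataClass) -> bool:
        # Inside the perimeter every class may be read; across it, allowlist only.
        return self.local_only or data_class in self.cloud_allow


class WorkspaceBoundaryError(Exception):
    """Raised when a record from another workspace reaches the context builder."""


def build_context(workspace_id: str, records: Iterable[Record], policy: EgressPolicy) -> dict:
    """Filter records by the egress policy and return the prompt context plus
    the audit log entry (labels sent, labels redacted, never raw content)."""
    sent, redacted = [], []
    for rec in records:
        # Defence in depth behind row-level security: refuse rather than drop.
        if rec.workspace_id != workspace_id:
            raise WorkspaceBoundaryError(f"{rec.label} belongs to {rec.workspace_id}")
        if policy.permits(rec.data_class):
            sent.append(rec)
        else:
            redacted.append(rec.label)
    context = "\n".join(f"[{r.label}] {r.content}" for r in sent)
    log_entry = {
        "workspace_id": workspace_id,
        "destination": policy.destination(),
        "sent_labels": [r.label for r in sent],
        "redacted_labels": redacted,          # logged by label only, content is never logged
        "approx_tokens": len(context.split()),
    }
    return {"context": context, "log": log_entry}


# Constructed sample workspace data for the demonstration (not real customer data).
SAMPLE = [
    Record("ws-a", DataClass.SCOPE_ITEM, "scope: customer portal",
           "Production SaaS platform and supporting IT"),
    Record("ws-a", DataClass.RISK, "risk R-07",
           "Unauthorised access to customer data via stale accounts"),
    Record("ws-a", DataClass.EVIDENCE_COUNT, "evidence: A.5.18", "3 files"),
    Record("ws-a", DataClass.EVIDENCE_BODY, "evidence body: access-review-q1.pdf",
           "<file contents>"),
]

if __name__ == "__main__":
    # Cloud destination: the evidence body is redacted and its label is logged.
    print(build_context("ws-a", SAMPLE, EgressPolicy())["log"])
    # Local-only destination: everything stays inside the perimeter, nothing redacted.
    print(build_context("ws-a", SAMPLE, EgressPolicy(local_only=True))["log"])
```

The log entry carries only labels and a token estimate, which is what makes it safe to retain for an audit window: it shows what informed a draft without becoming a second copy of the evidence.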
AFEND works without the copilot.
The readiness program is the product. The copilot is a thick layer of help on top. Disable it for a workspace and everything still works: the 10 phases, the Annex A catalogue, the 17-document policy pack, the internal audit workflow, the readiness pack export. You never depend on a draft assistant to finish the program.
- All 93 Annex A controls seeded, decisions captured with justifications
- 17-document policy pack with linked controls and review cycles
- Internal audit + findings + corrective actions workflow
- Readiness pack export - 8 artefacts, auditor-facing
Questions buyers ask about the copilot.
The honest short answers. If yours isn't here, email office@afend.com.
Does AI decide things for me?
No. AFEND AI drafts, explains, and reviews. It cannot approve scope, sign a policy, close a finding, or mark readiness. Every formal decision in the ISMS is a human action, and the system enforces that; the assistant labels its output as a draft and the accept step is always a user click.
Does it fabricate evidence or numbers?
No. The assistant reads the metadata your workspace has already produced - scope items, interested parties, risks, control decisions, policy links, evidence counts, audit findings, review history. When a field is empty it says so explicitly. If you ask a question the workspace cannot answer, it tells you it cannot answer.
Is it the same answer for every customer?
No. The draft is tuned to your company name, your industry overlay, your scope, and the specific artefact you opened. A SaaS workspace's Access Control Policy draft reads differently from an iGaming workspace's because the assistant sees the linked controls and scope items, not just the policy code.
Where does my data live?
In the EU, Frankfurt region. That applies to your workspace, your drafts, and the request log we keep for audit and billing. A safety layer enforces which data classes can be sent to a cloud assistant at all; you can configure this or go further and turn the workspace fully local.
Can I turn it off?
Yes - per plan, per workspace, or globally. Core, Growth and Regulated plans unlock different assistant capabilities, but a workspace can always be pinned to disabled. Local-only mode is available for the Regulated tier.
Does it replace a consultant?
For most SMBs, largely yes; for the rest, it compresses consultant time. The assistant handles the repetitive drafting that consultants spend most billable hours on. A consultant is still valuable for opinion, auditor-facing narrative, and the judgment calls the assistant is not allowed to make.
Which languages does it support?
English, Spanish, French, and German at launch. Output in your active UI language; switch mid-program and your drafts switch with you without losing accuracy.
What if a draft is wrong?
Click Regenerate for a second take, or Insert and edit inline. Every response carries a thumbs up / thumbs down; the downvoted outputs feed a review queue that tunes the prompt templates. Nothing is ever auto-saved to a field without your explicit action.
Bring your scope. Keep your decisions. Let the drafting get out of your way.
The 14-day trial unlocks the guided workflow, the Annex A catalogue, the industry risk library, and the assistant - no credit card. Cancel any time.