Move from zero to audit-ready in one guided system.
afend:. replaces fragmented spreadsheets, scattered policies, and expensive consulting hours with one operating system for compliance. Run ISO 27001, SOC 2, and GDPR programmes in parallel — one internal control library maps M:N to every framework. Built for SaaS, Financial Services, iGaming, and IT Services / MSP / Cloud companies.
Vertical overlays, not a one-size-fits-all checklist.
Each profile pre-loads relevant risks, controls, and policy seeds. Keep, modify, or dismiss - the product tracks your reasoning.
Click any vertical for the full overlay - high-scrutiny controls, evidence checklist, sector pitfalls, and the questions an auditor will actually ask.
- SaaS
Built for cloud-native teams facing enterprise security reviews.
Controls pre-decided for cloud-only SaaS: ~74 of 93. Sector risks seeded in the register: 12+ per workspace.
- Financial Services
Built for regulated operators under active scrutiny.
Regulatory regimes pre-mapped: MiFID II · PSD2 · DORA · NIS2. Sector risks in the register: Trading + payment.
- iGaming
Built for operators and vendors working across licensing and player-risk obligations.
Jurisdictions with ready overlays: UKGC · MGA · Curaçao · Kahnawake. Licence obligations mapped per workspace: Annex A cross-walk.
- IT Services / MSP / Cloud
Built for service firms selling into security-sensitive clients.
Certificates mapped into one evidence trail: ISO 27001 + SOC 2. Clients covered per certificate: Unlimited.
Six reasons teams pick afend:. over a spreadsheet or a consultant.
afend:. is opinionated. It's not a generic compliance-tracker and it's not a consultancy. It's the operating system for the program that gets you to a clean, audit-ready Statement of Applicability.
One operating system instead of eight spreadsheets.
Scope, risks, controls, policies, evidence, audit findings, management review and the readiness pack live in one system. No reconciliation across tabs, no last-minute screenshot hunt the week before Stage 1.
Industry-aware, not one-size-fits-all.
SaaS, Financial Services, iGaming and IT Services / MSP each get their own pre-loaded risk library, high-scrutiny controls, and sector-specific audit questions. Start from content that already fits your vertical.
Ten guided phases with real gates.
Scope to risks to SoA to policies to evidence to audit to management review to readiness. Each phase has a documented output and a hard gate before the next one unlocks. No guessing whether a team is 'ready'.
Every decision defensible on re-read.
Why this control is Not Applicable. Why this risk is accepted. Who approved the SoA and when. Written into the artifact at the moment of decision - not reverse-engineered the night before the audit.
Auditor-facing by construction.
The readiness pack exports in the structure external auditors expect: scope statement, risk register, SoA, policy pack, evidence map, internal-audit report, management-review minutes, readiness summary. One zip, one hand-off.
A readiness dashboard that names the blockers.
Not a percentage bar. A live list of specific gates still open - this control undecided, that risk unowned, this audit not scheduled. Your team always knows which gate they are on and what needs to happen to unlock the next one.
An ISO 27001 copilot tuned for companies and consultants.
Same copilot, two perspectives. Switch the tab for the one that matches you.
Zero to first policy in minutes
The AI copilot drafts your first Information Security Policy, tuned to your industry and linked Annex A controls, while you're still setting up the workspace. Review, edit, approve.
SoA that reads like you wrote it
One or two sentences of justification per control, matched to whether you marked it Applicable or Not Applicable. 93 rows drafted in the time it takes to review 10.
Management review without the pack scramble
Clause 9.3 minutes drafted from the live state of scope, risks, SoA, policies, evidence, audits, and blockers. Decisions stay blank for the sponsor to fill in.
A copilot that never approves for you
Every output is labelled Draft generated by AI. Nothing enters the ISMS until you click Accept. The human signs scope, SoA, policies, reviews - always.
Four concrete steps, in this order.
This is what happens after you click Start. No abstract capabilities. Real screens, real decisions, real output at the end.
- 01 Create the workspace, pick the industry
Choose SaaS, Financial Services, iGaming, or IT Services / MSP / Cloud. The overlay pre-loads the sector-specific risks, high-scrutiny controls, and policy templates that match. You do not start from a blank SoA.
- Workspace provisioned in seconds, EU-hosted
- 50+ vertical-specific risks seeded
- Annex A catalog pre-flagged per theme
- Core team invited by email magic link
- 02 Answer the 34-question baseline
Twenty minutes across eight domains: governance, access, assets, vendors, incidents, people, documentation, audit history. Produces an immediate readiness score and a ranked list of priority gaps you can start on today.
- Eight domain scores, weighted by audit impact
- Priority gaps mapped to Annex A controls
- Band shown: early foundations to audit-ready candidate
- Private to your workspace, no data leaves the EU
- 03 Walk the 10 guided phases, one gate at a time
Scope, risks, Annex A decisions, SoA approval, policy pack, evidence, internal audit, management review, readiness pack. Every phase has a named output and a hard gate before the next one unlocks.
- Clause citations at every decision (4.3, 6.1.3, 9.2, 9.3)
- Real-time readiness engine that names open blockers
- Role-based ownership - sponsor, program owner, control owners
- In-app help center that matches the flow exactly
- 04 Export the readiness pack, hand it to the auditor
One ZIP: scope statement, risk register, SoA, 17 approved policies, evidence map, internal audit report, management review record, readiness summary. The structure accredited certification bodies expect. Upload it, present it, and move to Stage 1.
- Eight artifacts in one hand-off bundle
- Auditor-facing format, no reformatting needed
- Signed cover letter with effective date + sponsor
- State persists for recertification year two
Evidence collected automatically. Drift alerted instantly.
Connect GitHub, AWS, Okta, Google Workspace, Microsoft 365, Vercel, Supabase, Cloudflare, Datadog, Snyk, GitLab, and 1Password. AFEND pulls control evidence on a nightly schedule, maps it to Annex A, and opens an alert the moment a control regresses.
- GitHub
- AWS
- Okta
- Google Workspace
- Microsoft 365
- Vercel
- Supabase
- Cloudflare
- Datadog
- Snyk
- GitLab
- 1Password
Turn compliance from a consulting project into a managed program.
- 141 framework requirements: ISO 27001 Annex A (93) + SOC 2 TSC (38) + GDPR articles (10), all in one picker. Map an internal control to many requirements at once.
- 17 core policies: generated from your company inputs. Linked to the controls they address, not template dumps.
- 3 frameworks live: ISO 27001, SOC 2, and GDPR programmes run side by side from the same workspace. Add more as you grow.
- 4 industry overlays: SaaS, Financial Services, iGaming, IT Services / MSP / Cloud - with specific risk libraries.
Four ways teams run ISO 27001 readiness. Only one is still standing at year two.
Every compliance binder that has ever been audited started as one of these four approaches. The honest comparison:
| | afend:. | Spreadsheets | Consultancy | DIY in docs |
|---|---|---|---|---|
| Starting point | Industry overlay + 93 controls + 17 policy templates pre-loaded | Blank Excel + Annex A PDF | Consultant's generic template | Whatever the last compliance hire remembered |
| Risk library | 50+ industry risks seeded per overlay | None | A deck, usually | Copy-pasted from ISO 31000 |
| Policy writing | 17 structural templates mapped to controls; fill in workspace-specific details | Copy-paste from the internet | Consultant writes them for you (quality varies) | Google Docs + good intentions |
| Evidence linkage | Every evidence item links to one or more Annex A controls with a review cycle | Folder structure and hope | Usually manual at the end | Shared drive scramble |
| Audit-prep export | One-click readiness pack in auditor-expected structure | Manual reformatting across tabs | Consultant reformats (billable) | Manually assemble the binder |
| Cost shape | Monthly subscription, no per-audit fee | Low tools, high team time | €30-80k per engagement | Hidden - usually the highest once measured |
| Surface over time | Living system, recertification re-uses the state | Abandoned after the audit | Gone when the consultant leaves | Institutional memory only |
Consultancies remain useful for opinion, benchmark, and the auditor-facing narrative. afend:.'s Consultant mode is designed for them: one login, many client workspaces, a portfolio view. The spreadsheet column is kept out of fairness - it is what most programmes actually start with.
The things readiness programmes stall on.
Not abstract benefits. Concrete work that disappears the moment your workspace is provisioned.
The 93-control cold start
You don't open a blank SoA. The catalogue is there with defaults per theme, flagged for cloud-only exceptions, and ready for decisions.
The 'which risks should we even have?' problem
Per-industry risk library seeded on setup. Keep, modify, or dismiss each one - afend:. records the reasoning either way.
Policy writing from a blank page
17 core policies ship as structural templates mapped to the controls they cover. Fill in the workspace-specific details. No 'generic policy pack' filler.
Evidence that floats without a control
Uploading a document without saying which control it proves is a UI mistake. The evidence room insists on the link and keeps a review cycle.
'Are we ready?' theatre
The readiness dashboard names the specific gates still open: this control undecided, that risk unowned, this audit not scheduled. No interpretive status.
From zero to audit-ready, in a structured sequence.
Every phase has clear ownership, documented outputs, and a hard gate before the next phase unlocks. No guessing whether a team is really ready.
- 01 Workspace creation and baseline
- 02 Scope and ISMS foundation
- 03 Risk framework
- 04 Risk assessment
- 05 Control selection and SoA
- 06 Policy and procedure setup
- 07 Implementation and evidence
- 08 Internal audit and corrective actions
- 09 Management review
- 10 Readiness decision and external audit handoff
Questions buyers ask before they sign up.
If yours isn't here, email [email protected]. Every reply comes from someone who has walked a programme through audit.
How is afend:. different from Vanta / Drata / Sprinto?
Those tools optimise for SOC 2 evidence automation via integrations. afend:. optimises for ISO/IEC 27001 readiness as a guided workflow - scope, risks, controls, policies, internal audit, management review, readiness pack. The two are complementary: many customers use an evidence-collector alongside afend:. and map both toward a single SoA.
Do we still need a consultant?
Most teams don't. afend:.'s industry overlays carry the opinionated scoping a good consultant would start with, and the 10-phase workflow walks you through the decisions. If you want an external reviewer, afend:. has a Consultant mode where one account manages multiple client workspaces - consultants see the whole portfolio and bill per workspace.
What about the actual external audit?
afend:. is a readiness platform, not a certification body. When your readiness dashboard says 'audit ready' and the management review is signed, you book the external audit with an accredited certification body (UKAS, Akkreditierungsstelle DAkkS, ANAB, etc.). The readiness pack hands off cleanly.
Is our data safe with afend:. itself?
Workspace data is stored in the EU (Frankfurt region) with row-level security scoped per workspace, workspace-scoped file storage, and append-only admin audit logging. We use Supabase (Postgres + Storage + Auth) and Vercel as sub-processors. A current sub-processor list is on request.
Can we try it without a credit card?
Yes. 14-day trial on Core and Growth plans - no credit card. The trial unlocks the full guided workflow, the Annex A catalogue, the industry risk library, and the baseline questionnaire. You decide whether to subscribe after you've seen the actual product with your data in it.
What if we're already mid-project with a consultant?
You can import the work so far: scope, risk register, existing policies. afend:. accepts it, maps it onto the SoA and the evidence room, and takes you from wherever you are to audit-ready. Most teams find the state actually improves once it lives in one system instead of fragmented decks and folders.
Eight artifacts. One ZIP. The structure auditors expect.
The readiness pack is not a glossy deck. It is the full document set ISO/IEC 27001 external audits run against, generated from your live workspace. Every artifact cites the clause it satisfies.
- 01 Clause 4.3
Scope statement
What the ISMS covers - products, services, systems, locations, interested parties, obligations.
- 02 Clause 6.1.2 / 6.1.3
Risk register + methodology
Approved methodology plus every risk with likelihood, impact, owner, and treatment path.
- 03 Clause 6.1.3 d
Statement of Applicability
All 93 Annex A controls with reasoned decisions: applicable or NA, justified either way.
- 04 Clause 7.5 / Annex A
17-document policy pack
Information Security Policy, Access Control, Incident Management, and 14 more - approved, owned, dated.
- 05 Clause 8 / Annex A
Evidence map
Every applicable control linked to approved evidence items, with review cycles on file.
- 06 Clause 9.2
Internal audit report
The independent review, findings by severity, corrective actions, verification signatures.
- 07 Clause 9.3
Management review record
Executive sign-off, agenda, attendance, decisions, action items, the ISMS on record.
- 08 Auditor-facing
Readiness summary + cover letter
Program progress, open risks accepted, the external audit ask, signed and dated by the sponsor.
Finish with a clean, defensible, reviewable readiness pack.
Scope statement, risk register, Statement of Applicability, policy pack, evidence map, internal audit report, management review record, readiness summary - one bundle, ready for the external auditor.