Pillar · Govern
The compliance category sells you a folder of attestations. Argitron runs the operating system the auditor expects to find.
Most ISMS programs run on a Confluence page, a SharePoint folder, and three spreadsheets glued together by a half-time GRC analyst. The risk register hasn't been updated since the last audit. The Statement of Applicability lives on someone's laptop. Annex A control evidence is a screenshot scavenger hunt.
ISO 42001 just made it worse. The board read about the EU AI Act, asked you for an AI Management System, and now you have an entirely new control framework with no AI-system inventory and no impact-assessment workflow.
You don't need a fourth tool. You need one tool that runs the management system.
ISO 27001 Annex A (Organisational 37 / People 8 / Physical 14 / Technological 34), ISO 42001 Annex A (9 areas, ~38 controls), NIST CSF 2.0, NIST AI RMF, SOC 2, HIPAA, PCI — all mapped to underlying controls. Implement once, satisfy many.
Every Annex A control has applicability, justification, owner, implementing policy, and live evidence. SoA exports to PDF + signed JSON. Auditors stop asking why a control is missing — because none are.
Asset-aware risk register. Risks link to assets, treatments link to controls, controls link to evidence. Project RAID logs and ITIL incidents promote into enterprise risk; nothing gets re-keyed.
First-class AI-system records: provider, purpose, training data lineage, fundamental-rights and ethical impact assessment, lifecycle stage, deployment scope, retirement plan. Required by ISO 42001 A.6 and EU AI Act Article 9.
Plan (objectives, SoA, treatment plan), Do (controls, work, change records), Check (internal audit, metrics, management-review pack), Act (CAPAs, improvements). The cycle is the workflow.
Audit programmes, audit reports, nonconformity tracking, corrective actions. Management-review pack auto-assembled from live data: KPIs, audit findings, risk posture, change trends, supplier issues, lessons learned.
An ISO 27001 evidence bundle (typical):
Bundle is cosign-signed and hash-chained. Auditor can verify integrity offline.
ISO 27001 certification typically takes 6–12 months for a first-time certifier (3 months if you're well-prepared and using automation; 12–18 months consultant-led). Stage 1 audit (documentation, 1–2 days) precedes Stage 2 (operating evidence, 5–15 days for an SMB). Certificate is valid 3 years with annual surveillance audits.
ISO 42001 typically adds 4–9 months on top of an existing ISMS, or 3–4 months if 27001 is already in place. Schellman, BSI, and others are actively certifying.
Argitron does not certify your organisation — auditors do. We make sure that when they arrive, the artefacts they ask for are signed, current, and one click away.
| Phase | Typical duration |
|---|---|
| Readiness with automation | 3–6 months |
| Stage 1 audit | 1–2 days |
| Stage 2 audit | 5–15 days (SMB) |
| Certificate validity | 3 years |
| Surveillance audits | Annual |
| ISO 42001 add-on (with 27001 in place) | 3–4 months |
Argitron pulls evidence from the systems you already run. No "rip and replace."
AWS, Azure, GCP, DigitalOcean, Hetzner, on-prem
Okta, Entra ID, Google Workspace, Keycloak, Auth0
GitHub, GitLab, Bitbucket, Jenkins, Azure DevOps
BambooHR, Personio, Workday, Rippling
CrowdStrike, SentinelOne, Microsoft Defender, Jamf, Intune
Elastic, Splunk, OpenSearch, Wazuh, Grafana, Datadog
Free under 25 assets. SOC 2 starter pack and ISO 27001 evidence pack included on day one.