How I Built an AI Powered ISO 27001 Risk Assessment Automation System Using Python

Introduction

ISO 27001 risk assessments are often time-consuming, repetitive, and difficult for small and medium-sized businesses to manage efficiently.

Many organisations still rely on:

  • Manual spreadsheets
  • Repetitive questionnaires
  • Static risk registers
  • Disconnected compliance workflows
  • Expensive GRC platforms

To explore a more practical approach, I built an AI powered ISO 27001 risk assessment automation system using Python, Excel, and Jupyter Notebook.

The goal of the project was simple:

Create a lightweight governance, risk, and compliance workflow that automates core ISO 27001 assessment activities without requiring a large enterprise GRC platform.

This project focuses on:

  • ISO 27001 control extraction
  • Automated risk assessment questions
  • Risk scoring automation
  • Risk classification
  • Dashboard metrics
  • Structured risk register generation

The project was built specifically with SMEs in mind because many smaller organisations need compliance support but cannot afford complex governance platforms.

What Problem Does This AI ISO 27001 Automation System Solve?

One of the biggest challenges in ISO 27001 implementation is operational overhead.

Risk assessments often involve:

  • Reviewing dozens of controls manually
  • Writing repetitive assessment questions
  • Tracking stakeholder responses
  • Calculating risks manually
  • Maintaining spreadsheets across teams
  • Producing management reports

This process becomes difficult to scale.

Many organisations also struggle with fragmented workflows where:

  • Risk assessments exist in one spreadsheet
  • Statement of Applicability documents exist elsewhere
  • Dashboards are maintained manually
  • Evidence tracking is inconsistent

This AI powered ISO 27001 automation project explores how Python based workflows can simplify these activities.

How the AI Powered ISO 27001 Risk Assessment System Works

The workflow begins with ISO 27001 controls extracted directly from a Microsoft Word document.

The system then:

  1. Converts ISO 27001 controls into structured datasets
  2. Generates risk assessment questions
  3. Organises stakeholder responses
  4. Calculates likelihood and impact scores
  5. Generates risk scores automatically
  6. Classifies risks into Low, Medium, and High
  7. Produces a structured risk register
  8. Generates dashboard metrics for reporting

This creates a more connected and scalable compliance workflow.

Technologies Used in the Project

The system was built using:

  • Python
  • pandas
  • python-docx
  • Jupyter Notebook
  • Microsoft Excel
  • matplotlib
  • openpyxl

These tools helped automate compliance workflows while keeping the project lightweight and accessible.

Extracting ISO 27001 Controls Using Python

The first step involved extracting ISO 27001 controls from a Microsoft Word document.

Using Python and python-docx, the controls were converted into structured data that could be processed programmatically.

This allowed the project to:

  • Read control IDs
  • Extract control names
  • Capture control descriptions
  • Store controls inside pandas dataframes

Instead of manually copying controls into spreadsheets, the workflow automates the process.
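As an added example (written for this page, not the project's own code), this is one way to build the extraction step so that the parsing logic can be checked without the Word file in hand: parse_control_lines handles both a heading-paragraph layout ("A.5.1 Policies for information security" followed by description paragraphs) and a table layout (ID, name and text in separate cells), while docx_items does the python-docx reading. The regular expressions, the count check (ISO 27001:2022 Annex A lists 93 controls) and the sample items are assumptions and constructed data; the description text is placeholder text, not the standard's wording. The real document's heading layout decides what the regex has to match, so the count check is there to catch a layout the parser silently misses.

```python
import re
from dataclasses import dataclass

# Heading paragraph: "A.5.1 Policies for information security" or "5.1 ..."
HEADING_RE = re.compile(r"^(?:A\.)?(\d{1,2}\.\d{1,2})\s+(\S.*)$")
# Table cell holding only the control ID: "A.5.1" or "5.1"
ID_ONLY_RE = re.compile(r"^(?:A\.)?(\d{1,2}\.\d{1,2})$")

# ISO 27001:2022 Annex A lists 93 controls; used only as a sanity check.
EXPECTED_CONTROL_COUNT = 93


@dataclass
class Control:
    control_id: str
    name: str
    description: str = ""


def _control_from_row(cells):
    """Table layout: cell 0 = ID, cell 1 = name, remaining cells = text."""
    cells = [c.strip() for c in cells]
    if len(cells) >= 2 and cells[1] and ID_ONLY_RE.match(cells[0]):
        control_id = ID_ONLY_RE.match(cells[0]).group(1)
        return Control(control_id, cells[1], " ".join(c for c in cells[2:] if c))
    return None


def parse_control_lines(items):
    """Build Control records from paragraph strings and/or table rows (tuples).

    A heading paragraph or a recognised table row starts a new control; any
    other text is appended to the description of the current control.
    Blank lines and text before the first control are ignored.
    """
    controls = []
    for item in items:
        if isinstance(item, (list, tuple)):
            control = _control_from_row(item)
            if control:
                controls.append(control)
                continue
            text = " ".join(c.strip() for c in item if c.strip())
        else:
            text = item.strip()
        if not text:
            continue
        match = HEADING_RE.match(text)
        if match:
            controls.append(Control(match.group(1), match.group(2).strip()))
        elif controls:
            current = controls[-1]
            current.description = (current.description + " " + text).strip()
    return controls


def docx_items(path):
    """Yield body paragraphs as strings and table rows as tuples of cell text.

    Needs python-docx (pip install python-docx); imported here so the parser
    above can be exercised without it.
    """
    import docx  # python-docx

    document = docx.Document(path)
    for paragraph in document.paragraphs:
        yield paragraph.text
    for table in document.tables:
        for row in table.rows:
            yield tuple(cell.text for cell in row.cells)


def load_controls(path):
    """Parse a .docx and warn when the control count is not the expected 93."""
    controls = parse_control_lines(docx_items(path))
    if len(controls) != EXPECTED_CONTROL_COUNT:
        print(f"warning: parsed {len(controls)} controls, expected "
              f"{EXPECTED_CONTROL_COUNT}; check the document's heading layout")
    return controls


# Constructed sample input mixing both layouts; descriptions are placeholders,
# not the standard's text.
SAMPLE_ITEMS = [
    "Annex A (normative) Information security controls reference",
    "A.5.1 Policies for information security",
    "Placeholder description sentence one.",
    "Placeholder description sentence two.",
    ("5.2", "Information security roles and responsibilities", "Placeholder text."),
    "",
    "A.8.2 Privileged access rights",
]

if __name__ == "__main__":
    for control in parse_control_lines(SAMPLE_ITEMS):
        print(control)
```

The Control records go into a pandas DataFrame with pd.DataFrame([vars(c) for c in controls]) in the notebook; the parser itself stays free of pandas so it can be unit-tested on plain lists like SAMPLE_ITEMS.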

Generating ISO 27001 Risk Assessment Questions

One of the most repetitive parts of compliance assessments is questionnaire creation.

To simplify this, the project automatically generated structured risk assessment questions for each ISO 27001 control.

Examples include:

  • How is this control implemented and monitored?
  • How are access rights reviewed and revoked?
  • How are security responsibilities assigned?
  • How is information classified and protected?

This creates a more standardised and scalable assessment process.

Building an Automated ISO 27001 Risk Register

After generating assessment questions, the workflow simulates stakeholder responses (real responses would replace them in a live assessment) and calculates:

  • Likelihood scores
  • Impact scores
  • Risk scores
  • Risk levels

Risks are then categorised as:

  • Low Risk
  • Medium Risk
  • High Risk

The final output is a structured ISO 27001 risk register that can be filtered, reviewed, and visualised.

Dashboard Metrics and Risk Visualisation

The project also generates dashboard metrics to provide visibility into organisational risk posture.

Using Python and matplotlib, the system creates visual summaries showing:

  • Total risks identified
  • High risk controls
  • Medium risk controls
  • Low risk controls

This improves reporting and simplifies management reviews.
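The three sections above (question generation, risk register, dashboard metrics) form one scoring pipeline. What follows is an added example written for this page, not the project's notebook code, that implements that pipeline in plain Python using only the standard library, so it runs without pandas or matplotlib. Everything numeric is an assumption the page does not state: 1 to 5 scales for likelihood and impact, risk score = likelihood x impact, Medium from a score of 6 and High from 15, and the mapping from a stakeholder's implementation status to a likelihood. The question templates are the ones listed above; the control names and responses are constructed sample data.

```python
import csv
from collections import Counter

# 1-5 scales for likelihood and impact (assumed; the page does not state its scale).
SCALE_MIN, SCALE_MAX = 1, 5

# Risk score = likelihood x impact, classified with these thresholds (assumed).
HIGH_THRESHOLD = 15      # possible scores at or above: 15, 16, 20, 25
MEDIUM_THRESHOLD = 6     # 6 to 12 is Medium, below 6 is Low

# Stakeholder's implementation status -> likelihood the control fails to
# mitigate its threat (assumed mapping).
STATUS_TO_LIKELIHOOD = {
    "implemented": 1,
    "partially implemented": 3,
    "not implemented": 5,
}

# Generic question asked for every control, plus theme questions matched on
# the control name (templates taken from the examples above).
GENERIC_QUESTION = "How is this control implemented and monitored?"
THEME_QUESTIONS = {
    "access": "How are access rights reviewed and revoked?",
    "responsibilit": "How are security responsibilities assigned?",
    "classif": "How is information classified and protected?",
}


def generate_questions(control_name):
    """Return the questions asked for one control: generic plus theme-specific."""
    lowered = control_name.lower()
    return [GENERIC_QUESTION] + [q for key, q in THEME_QUESTIONS.items() if key in lowered]


def validate_scale(value, label):
    """Reject anything outside the 1-5 integer scale instead of scoring it."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return value


def likelihood_from_status(status):
    try:
        return STATUS_TO_LIKELIHOOD[status.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown implementation status {status!r}") from None


def risk_score(likelihood, impact):
    return validate_scale(likelihood, "likelihood") * validate_scale(impact, "impact")


def classify(score):
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def build_risk_register(controls, responses):
    """Join controls with responses into register rows (list of dicts).

    controls: list of (control_id, name); responses: {control_id: (status, impact)}.
    A control with no response is scored as "not implemented" at maximum impact
    so it cannot silently drop out of the register.
    """
    register = []
    for control_id, name in controls:
        status, impact = responses.get(control_id, ("not implemented", SCALE_MAX))
        likelihood = likelihood_from_status(status)
        score = risk_score(likelihood, impact)
        register.append({
            "ControlID": control_id, "ControlName": name,
            "Questions": " | ".join(generate_questions(name)),
            "Status": status, "Likelihood": likelihood, "Impact": impact,
            "RiskScore": score, "RiskLevel": classify(score),
        })
    return register


def dashboard_metrics(register):
    """Counts shown on the management dashboard."""
    by_level = Counter(row["RiskLevel"] for row in register)
    return {"total": len(register), "high": by_level["High"],
            "medium": by_level["Medium"], "low": by_level["Low"]}


def write_register_csv(register, path):
    """Write the register as CSV, which Excel opens directly."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(register[0].keys()))
        writer.writeheader()
        writer.writerows(register)


# Constructed sample data: three Annex A control names and simulated responses
# (status, impact); 5.2 deliberately has no response.
SAMPLE_CONTROLS = [
    ("5.1", "Policies for information security"),
    ("5.2", "Information security roles and responsibilities"),
    ("8.2", "Privileged access rights"),
]
SAMPLE_RESPONSES = {"5.1": ("implemented", 4), "8.2": ("not implemented", 4)}

if __name__ == "__main__":
    register = build_risk_register(SAMPLE_CONTROLS, SAMPLE_RESPONSES)
    for row in register:
        print(row["ControlID"], row["RiskScore"], row["RiskLevel"])
    print(dashboard_metrics(register))
```

Whatever scale and thresholds you adopt, write them down as the risk criteria that ISO 27001 clause 6.1.2 requires, and keep the worst-case default for unanswered controls: a missing response is a finding, not a reason for a control to vanish from the register.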

Why SMEs Need Lightweight GRC Automation

Many governance, risk, and compliance platforms are designed for large enterprises.

For smaller organisations, this creates challenges such as:

  • High licensing costs
  • Complex implementations
  • Heavy administrative overhead
  • Difficult onboarding processes

This project explores an alternative approach:

Lightweight compliance automation using Python.

The idea is not to replace enterprise GRC tools entirely, but to demonstrate how smaller organisations can automate repetitive compliance activities with simpler workflows.

Future Improvements for the Project

Several enhancements are planned for future versions of the system.

These include:

  • OpenAI API integration
  • AI generated treatment plans
  • Executive summary generation
  • Statement of Applicability automation
  • Streamlit dashboard integration
  • PDF report generation
  • Evidence tracking workflows
  • Web based compliance dashboards

The long term goal is to create a practical AI assisted compliance workflow for SMEs.

Lessons Learned from Building the Project

One important insight from building this project is that governance and compliance are increasingly becoming data and workflow problems.

Many compliance processes still rely heavily on:

  • Manual reviews
  • Static documentation
  • Spreadsheet driven operations
  • Repetitive administrative tasks

Automation can help reduce operational overhead while improving consistency and visibility.

This project also reinforced how useful Python can be for cybersecurity governance, risk management, and compliance engineering.

On A Final Note

AI powered governance, risk, and compliance workflows are becoming increasingly relevant as organisations look for ways to simplify security and compliance operations.

This project demonstrates how Python based automation can help streamline ISO 27001 risk assessment activities while improving structure, scalability, and reporting.

The project is still evolving, but it already highlights how lightweight compliance automation can support organisations that want practical alternatives to large enterprise GRC platforms.

View the Project

GitHub Repository: https://github.com/Iyetunde/AI-ISO27001-risk-assessment-automation

© 2025 TechTakeoff. All rights reserved.