ISO 27001 certification hinges on a Statement of Applicability that connects each Annex A control to your actual implementation. An agent can draft that mapping in hours instead of weeks. The mapping itself, however, is a judgment call that needs human sign-off. Dock holds the agent's draft, the ISMS lead's approval, and the pointer back to the evidence in Vanta. The auditor sees one row per control with a clear chain from standard to evidence to approver.
The architecture
Vanta stays the system of record for the raw control evidence: policy documents, access reviews, vulnerability scans, vendor questionnaires. Dock is the system of record for what the agent interprets from that evidence. Each Dock row carries a pointer back to the Vanta record (vanta_control_id), the agent identity that drafted the mapping, the ISMS lead who approved it, the Annex A reference, and the timestamp. When the agent needs current control status, it re-fetches from the Vanta API rather than trusting a cached value. See Dock for compliance for the broader pattern and agent audit and compliance for how this surface satisfies external auditors.
The SoA table in Dock
| annex_a_ref | control_name | applicability | vanta_control_id | agent_draft | ismslead_approved | approved_at |
|---|---|---|---|---|---|---|
| A.5.15 | Access control | Applicable | vc_8821 | "Implemented via Okta SSO + quarterly access reviews. Evidence: AR-Q1-2026." | gina.shah | 2026-05-12 |
| A.8.7 | Protection against malware | Applicable | vc_9104 | "CrowdStrike Falcon on all endpoints. Daily scan logs in Vanta." | gina.shah | 2026-05-12 |
| A.5.34 | Privacy and PII | Not applicable | null | "No PII processing in scope per data map dm_204. Exclusion justified." | gina.shah | 2026-05-13 |
The workflow
The agent pulls the 93 Annex A controls from the ISO 27001:2022 catalog and the current control inventory from Vanta. For each control, it drafts an applicability decision and a one-sentence justification, writing one row per control to the SoA table. Each row links to the Vanta evidence and names the agent identity that authored the draft.
The ISMS lead reviews the table in a single pass. Approving a row stamps her identity and timestamp. Rejecting a row sends it back to the agent with a comment. Marking the SoA "ready for audit" is an irreversible action governed by a two-key handshake between the ISMS lead and the CISO. The handshake is registered in the dangerous ops contract so the agent cannot publish the SoA on its own.
Why this matters
Auditors do not want to hear that an agent drafted your SoA. They want to see a named human attesting to each applicability decision and a clean evidence trail. Dock produces both. The agent does the tedious mapping work in minutes. The ISMS lead spends her time on the judgment calls, not on copying control numbers into a spreadsheet.
The same pattern extends to SOC 2, HIPAA, and PCI mappings. Whatever standard your auditor cares about, the agent drafts the row, a human approves the row, and the row points back to the source evidence. This is the same architecture that powers Dock for security operations for vulnerability triage and incident review.
When the standard updates, as ISO 27001 did in 2022, the agent re-runs the mapping and surfaces only the rows that changed. The ISMS lead approves the deltas. No one rewrites the SoA from scratch.
Get started
Connect your Vanta workspace to Dock and give your compliance agent read access to the control inventory. The agent drafts your first SoA in an afternoon.
FAQ
Does the agent decide which controls are applicable? No. The agent drafts an applicability recommendation with a justification. The ISMS lead approves or rejects each row. Only approved rows enter the SoA.
What if Vanta evidence changes after approval? The agent re-fetches Vanta state on every audit cycle. If a control's evidence has materially changed, the row is flagged for re-review. The previous approval stays in the audit log.
Can the agent submit the SoA to the certification body? No. Publishing the SoA is a dangerous operation that requires a two-key handshake between the ISMS lead and the CISO. The agent prepares the package; humans send it.
Does this work for ISO 27001:2022 Annex A's reorganized control set? Yes. The agent maps to the 2022 control numbering by default and can cross-reference the 2013 numbering for organizations mid-transition.
External references: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements (ISO/IEC 27001). Certification bodies issuing ISO 27001 certificates operate under accreditation arrangements maintained by the International Accreditation Forum (as of 2026, succeeded by the Global Accreditation Cooperation).
