Only 30 Companies in the World Have All 3 of These ISO Certifications

How (and why) you should get them as well
Adeel Bakht
|
October 9, 2025
Updated:
October 9, 2025

When I joined Anecdotes in January 2025 as InfoSec Risk and Compliance Manager, the company already held ISO 27001. While that was a strong foundation, we knew maintaining credibility and expanding trust required going further; namely privacy (ISO 27701) and AI governance (ISO 42001).

In less than six months, Anecdotes not only recertified ISO 27001, but also became one of just 30 organizations worldwide to hold the trifecta of ISO 27001, ISO 27701, and ISO 42001 certifications. Oh, and we did it using our very own AI-native enterprise GRC platform.

Here’s why we pursued them and how your organization can too.

Why These Certifications?

Strengthening Security Foundations: ISO 27001

ISO 27001 has been the bedrock of information security management for nearly two decades. Anecdotes first achieved it in 2021, but as we scaled, governance became fragmented. This meant recertification wasn’t just about ticking boxes (true GRC never is); it required integrating our management system so that information security wasn’t siloed but aligned with our privacy and AI governance practices.

Building Trust in Privacy: ISO 27701

As an enterprise GRC platform, Anecdotes is trusted with sensitive data from some of the world’s largest enterprises. Achieving ISO 27701 sent a clear message: we don’t just support customers in meeting privacy obligations; we hold ourselves to the same standard. For customers navigating GDPR, CCPA, and other regulations, our certification offers reassurance that data privacy is embedded in how we operate.

Leading in AI Governance: ISO 42001

Few standards have generated as much anticipation as ISO 42001, the first global benchmark for AI management systems. With AI embedded across the platform, it was vital to demonstrate that our use of AI is responsible, explainable, and compliant. Adoption of this standard positioned us ahead of market demand and regulatory requirements, reinforcing Anecdotes’ credibility as a leader in AI-driven GRC.

5 steps that helped us do this in 6 months

Managing three certifications in parallel requires harmonizing requirements into one integrated system, not treating them as separate silos. Here are the 5 steps we took to make that a reality, and you can too.  

Step 1 - Reuse What You Already Have:

We started off by mapping our existing controls and processes to the new standards so that we wouldn’t end up doing duplicate work. With Anecdotes’ automated cross-mapping, this meant that once we adopted the new frameworks in the platform, all of our existing work and evidence was automatically mapped to ISO 27001, 27701, and 42001 controls. This “collect once, use many times” approach saved significant time. But even if you have to do the mapping manually, I highly recommend you do it before you start working on the frameworks to save yourself time down the road.

Step 2 - Perform a Comprehensive Gap Assessment:

Once we had the controls mapped, it was time to perform an initial gap analysis to discover which gaps we had across all three frameworks. Because the Anecdotes platform continuously ingests data from our systems, evidence stays fresh and audit ready, which saved us from chasing stakeholders for screenshots and spreadsheets. On top of that data we set our own custom rules, which gave us automated gap alerts and triggered remediation playbooks. Based on the gap analysis, we implemented the missing technical and organizational controls.

Step 3 - Build an Integrated Management System (IMS):

Since we knew we were going for all three frameworks, here as well we wanted to eliminate redundant work. So instead of having three separate management systems (ISMS, PIMS, and AIMS) we combined them into one. We also made sure that they wouldn’t just be static lists in documents, but rather objectives became dynamic, monitored entities. Here’s how:

  • Objectives from ISO 27001, 27701, and 42001 were defined in Confluence, tagged with unique prefixes (IS, PR, AI).
  • Each objective was created as a Jira “IMS Objective” task.
  • Anecdotes’ Evidence Lab lets you design your own evidence, which is then collected automatically like all other evidence in Anecdotes. So we designed a custom evidence type that pulls these Jira tasks into custom evidence views in the platform.
  • We then created monitoring rules on that evidence which flagged objectives that remained stagnant for more than 30 days.
  • Finally, we created Playbooks which triggered Slack alerts to owners whenever objectives drifted, referencing linked controls and evidence.

This transformed objectives from passive words into actively monitored, responsive entities. The results? Drift became visible in days instead of months, owners were held accountable with Slack notifications and auditors saw an IMS that was alive and measurable.

Step 4 - Create a Unified Risk Methodology:

Here as well we wanted to save ourselves time and effort, so instead of creating separate risk methodologies we built one unified risk methodology covering security, privacy, and AI. Based on that methodology, we ran integrated risk assessments, identified and documented the relevant risks, and established treatment plans using Anecdotes Risk Manager.

Step 5 - Implement Continuous Internal Audits:

Traditionally, internal audits are reactive snapshots of compliance health, but we wanted a continuous, always-on audit environment. And by combining Anecdotes with Slack, Jira, and Confluence, we were able to create one across all three ISO standards. Here’s how:

  • Our monitoring rules were applied to the evidence the Anecdotes platform automatically collected. If evidence went stale or requirements weren’t met, the status changed to “Gap.”
  • Gaps triggered playbooks that moved the related control to “Gap” and sent a real-time alert to the relevant Slack channels, giving us a chance to remediate issues before audits.
  • Teams reviewed alerts in Slack. If remediation was required, a Jira task was created and linked to Confluence, where it became part of a live internal audit report; all of which synced back into Anecdotes and was shared with our auditors.
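Steps 3 and 5 describe the same pattern: objectives and evidence are polled, a rule turns stale or unmet items into a “Gap” status, and a playbook notifies an owner with the linked controls and evidence. The script below is an added illustration written for this article, not Anecdotes’ platform code or its APIs. It uses constructed, Jira-shaped objective records and evidence records, a fixed clock, the 30-day stagnant-objective rule from the text, and an assumed 90-day evidence-age threshold, and it produces the alert strings a playbook would post to Slack.

```python
"""Illustrative drift and staleness monitor for an integrated management system.

Constructed example for this article; not Anecdotes' code. Evaluates objective
tasks and evidence records against simple rules and emits Slack-style alerts.
"""
from datetime import datetime, timedelta, timezone

# The 30-day objective rule comes from the text; the 90-day evidence-age
# threshold is an assumption made for this example.
STAGNANT_DAYS = 30
EVIDENCE_MAX_AGE_DAYS = 90

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

FRAMEWORK_BY_PREFIX = {"IS": "ISO 27001", "PR": "ISO 27701", "AI": "ISO 42001"}

# Constructed sample data shaped like Jira "IMS Objective" tasks. Keys carry
# the framework prefix described in Step 3 (IS / PR / AI).
OBJECTIVES = [
    {"key": "IS-01", "owner": "alice", "status": "In Progress",
     "updated": "2025-05-20T09:00:00+00:00", "controls": ["A.5.15"]},
    {"key": "PR-03", "owner": "bob", "status": "In Progress",
     "updated": "2025-04-10T09:00:00+00:00", "controls": ["7.4"]},
    {"key": "AI-02", "owner": "carol", "status": "Done",
     "updated": "2025-03-01T09:00:00+00:00", "controls": ["6.1.4"]},
    {"key": "AI-05", "owner": "dave", "status": "To Do",
     "updated": "2025-04-25T09:00:00+00:00", "controls": ["8.4"]},
]

# Constructed evidence records as an automated collector might store them.
EVIDENCE = [
    {"id": "EV-101", "collected_at": "2025-05-28T00:00:00+00:00",
     "requirement_met": True, "controls": ["A.5.15"]},
    {"id": "EV-102", "collected_at": "2025-02-15T00:00:00+00:00",
     "requirement_met": True, "controls": ["A.8.16"]},
    {"id": "EV-103", "collected_at": "2025-05-30T00:00:00+00:00",
     "requirement_met": False, "controls": ["7.4"]},
    {"id": "EV-104", "collected_at": "2025-05-30T00:00:00+00:00",
     "requirement_met": True, "controls": ["A.8.16"]},
]


def _ts(value):
    return datetime.fromisoformat(value)


def stagnant_objectives(objectives, now=NOW, days=STAGNANT_DAYS):
    """Open objectives with no update for more than `days` days (Step 3 rule)."""
    cutoff = now - timedelta(days=days)
    return [o for o in objectives
            if o["status"] != "Done" and _ts(o["updated"]) < cutoff]


def evaluate_evidence(evidence, now=NOW, max_age_days=EVIDENCE_MAX_AGE_DAYS):
    """Map evidence id -> 'OK' or 'Gap'. Stale or unmet evidence is a Gap (Step 5 rule)."""
    cutoff = now - timedelta(days=max_age_days)
    return {
        e["id"]: "Gap" if (_ts(e["collected_at"]) < cutoff or not e["requirement_met"]) else "OK"
        for e in evidence
    }


def control_statuses(evidence, evidence_status):
    """A control inherits 'Gap' if any evidence linked to it is a Gap."""
    statuses = {}
    for e in evidence:
        for control in e["controls"]:
            if evidence_status[e["id"]] == "Gap":
                statuses[control] = "Gap"
            else:
                statuses.setdefault(control, "OK")
    return statuses


def build_alerts(objectives=OBJECTIVES, evidence=EVIDENCE, now=NOW):
    """Produce the alert strings a playbook would post to owners and channels."""
    alerts = []
    for o in stagnant_objectives(objectives, now):
        idle_days = (now - _ts(o["updated"])).days
        framework = FRAMEWORK_BY_PREFIX[o["key"].split("-")[0]]
        alerts.append(
            f"@{o['owner']}: objective {o['key']} ({framework}) has had no update for "
            f"{idle_days} days; linked controls: {', '.join(o['controls'])}"
        )
    ev_status = evaluate_evidence(evidence, now)
    for control, status in sorted(control_statuses(evidence, ev_status).items()):
        if status == "Gap":
            failing = [e["id"] for e in evidence
                       if control in e["controls"] and ev_status[e["id"]] == "Gap"]
            alerts.append(
                f"#grc-alerts: control {control} moved to Gap; failing evidence: {', '.join(failing)}"
            )
    return alerts


if __name__ == "__main__":
    for line in build_alerts():
        print(line)
```

In a real deployment the records would come from the Jira and evidence-collector APIs and the strings would be posted via a Slack webhook; the point the example makes is that the transition to “Gap” is computed from explicit rules on fresh data, not judged by hand at audit time, and that a control with one good and one stale piece of evidence (A.8.16 above) still shows as a gap.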

Here’s what David Forman, founder of Mastermind (our auditor), had to say:

“The Anecdotes team’s approach to achieving all three of these certifications should be adopted by every organization that values security and innovation. They leveraged the automation and AI capabilities of their own platform to both streamline and improve the quality of their audit, and the result was truly incredible.”


From Fire Drills to Efficiency Accelerators 

Our journey proves that with the right strategy, team, and platform, achieving ambitious compliance goals isn’t just possible; it’s sustainable. Certifications no longer need to be periodic fire drills. With automation and integration, even pursuing three at once can become a natural outcome of how you operate every day.

My key takeaways?

  1. Automation transforms compliance. From internal audit to IMS objectives, automation reduced human dependency, eliminated errors, and made compliance continuous.
  2. Certifications are cultural, not just technical. Tools can help, but success came from cross-functional ownership and a culture that embraces accountability.
  3. Audits can actually increase efficiency. From faster sales cycles to proactive gap detection and stronger differentiation, certifications didn’t create bottlenecks—they created momentum.

Want to see how Anecdotes can help you transform compliance in your organization? Book a demo here.
