How to Automate ISO 27001 Control Testing with Screenshots

ISO 27001 certification requires documented evidence for every applicable Annex A control in your Statement of Applicability. This guide explains how to automate ISO 27001 control testing using AI-driven screenshots to reduce Stage 2 audit preparation time by 75%.

January 26, 2026. 6 min read.

Tags: ISO 27001, Compliance Automation, Annex A, Evidence Collection, ISMS, Audit Readiness

ISO 27001 certification audits demand rigorous evidence for all applicable Annex A controls defined in your Statement of Applicability (SoA). While GRC platforms help manage policies, the actual collection of evidence—specifically screenshots and workflow documentation for application-level controls—often remains a manual burden. Automating ISO 27001 control testing ensures your ISMS documentation is audit-ready, consistently formatted, and sufficient for Stage 2 certification audits.


What Does Automated Control Testing Look Like for ISO 27001?

Automated control testing for ISO 27001 is the process of using AI-driven tools to execute and document the operational effectiveness of your security controls. Instead of a compliance officer manually taking screenshots of access logs or change management tickets, an automation agent records the workflow, captures timestamped screenshots, and generates a structured evidence pack that maps directly to ISO 27001:2022 Annex A controls.

This automation transforms the audit process from a retrospective "treasure hunt" for screenshots into a continuous, self-documenting system.


What ISO 27001 Evidence Cannot Be Automated with GRC Tools?

Traditional GRC platforms like Vanta, Drata, or Secureframe are excellent for monitoring infrastructure configurations via API (e.g., checking if AWS S3 buckets are encrypted). However, they cannot "see" inside your SaaS applications or internal tools to verify manual processes.

The Automation Gap in ISO 27001:

Control Type | GRC Tool Capability (API) | Evidence Automation Gap (Screenshots)
A.8.12 Data Leakage Prevention | Checks if DLP software is installed. | Gap: Cannot prove a specific user was blocked from downloading sensitive data via the UI.
A.5.15 Access Control | Lists users in the IdP (Okta). | Gap: Cannot verify that a "Viewer" role in your custom app actually restricts access to the "Admin" settings page.
A.8.9 Configuration Management | Checks cloud config settings. | Gap: Cannot capture screenshots of manual configuration settings in legacy or on-premise tools without APIs.
A.5.23 Cloud Services | Monitors vendor list. | Gap: Cannot document the review process of a vendor's security certificate inside a procurement portal.

How to Automate Annex A Control Evidence (Step-by-Step)

To automate the collection of screenshot-based evidence for your ISMS, follow this workflow using an evidence automation tool like Screenata.

1. Map Controls to Your Statement of Applicability (SoA)

Identify the Annex A controls that require operational evidence. Common candidates for screenshot automation include:

  • A.5.15 (Access Control): Evidence of role-based access enforcement.
  • A.8.32 (Change Management): Evidence of peer review and approval workflows.
  • A.8.9 (Configuration Management): Evidence of secure configurations in non-API systems.

2. Record the Control Test Workflow

Activate the automation agent and perform the control test.

  • Example: Log in as a non-privileged user and attempt to access a restricted area.
  • The agent records the interaction, capturing the "Access Denied" screen as positive proof of control effectiveness.

3. Generate the Evidence Pack

The system processes the recording and generates a PDF report. This report includes:

  • Control Reference: Mapped to ISO 27001:2022 (e.g., A.5.15).
  • Tester Identity: Who performed the test.
  • Timestamp: NTP-synced time of the test.
  • Visual Proof: Annotated screenshots of the workflow.

4. Link to Your ISMS

Upload the generated PDF directly to your GRC platform or internal ISMS repository, linking it to the specific risk treatment plan or control requirement.


ISO 27001:2022 Control Examples: Manual vs. Automated

The transition from ISO 27001:2013 to ISO 27001:2022 introduced a consolidated set of 93 controls. Here is how automation handles key requirements.

Example 1: A.5.15 Access Control

Objective: Ensure access to information and other associated assets is limited in accordance with access control policies.

  • Manual Method: Admin logs into the application, takes a screenshot of the user list, then logs in as a user, tries to access a setting, takes a screenshot of the error, pastes both into Word, and adds a description.
  • Automated Method: The AI agent runs a "Role Verification" script. It captures the user role settings and the "403 Forbidden" screen upon restricted access attempts.
    • Result: A.5.15_Access_Verification.pdf (Generated in 30 seconds).
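The four-step workflow above and Example 1 both describe a control test whose output is a structured, timestamped record. The Python script below is an added illustration, not Screenata's code or the page's own: it simulates the A.5.15 test against a constructed in-memory role model (a real run would drive the application UI), assembles an evidence record with the fields step 3 lists (control reference, tester, timestamp, visual proof), and adds a SHA-256 digest of the screenshot bytes plus an HMAC over the whole record so that later edits to either are detectable. The signing key, tester address, URL paths and screenshot bytes are placeholders chosen for the example.

```python
"""Added example: a tamper-evident evidence record for an ISO 27001 A.5.15 control test.

Illustrative code, not Screenata's implementation. The application under test is a
constructed in-memory role model; a real run would drive the UI and attach real screenshots.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for the application under test: which paths each role may open.
PERMISSIONS = {
    "admin": {"/dashboard", "/settings/admin"},
    "viewer": {"/dashboard"},
}

# Assumption: the signing key lives outside the evidence store (e.g. a secrets manager),
# so someone who can edit stored records cannot simply re-sign a modified one.
EVIDENCE_SIGNING_KEY = b"placeholder-key-load-from-secrets-manager"


def request_as(role, path):
    """Return an HTTP-style status for a user of `role` requesting `path`."""
    if role not in PERMISSIONS:
        return 401
    return 200 if path in PERMISSIONS[role] else 403


def run_access_control_test(role="viewer", restricted_path="/settings/admin"):
    """Step 2: act as a non-privileged role and attempt a restricted area.
    The control passes only when access is denied (403)."""
    status = request_as(role, restricted_path)
    return {"role": role, "path": restricted_path, "status": status, "passed": status == 403}


def _canonical(record):
    """Deterministic serialisation so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_evidence_record(test_result, screenshot_png, tester,
                          control_id="A.5.15", captured_at=None):
    """Step 3: assemble the evidence record (control reference, tester, timestamp,
    screenshot digest) and seal it with an HMAC over the canonical JSON."""
    record = {
        "standard": "ISO/IEC 27001:2022",
        "control_id": control_id,
        "tester": tester,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "test": test_result,
        "screenshot_sha256": hashlib.sha256(screenshot_png).hexdigest(),
    }
    record["record_hmac_sha256"] = hmac.new(
        EVIDENCE_SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_evidence_record(record, screenshot_png):
    """Step 4 (at upload or audit time): confirm neither record nor screenshot changed."""
    body = {k: v for k, v in record.items() if k != "record_hmac_sha256"}
    expected = hmac.new(EVIDENCE_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("record_hmac_sha256", "")):
        return False
    return hmac.compare_digest(
        hashlib.sha256(screenshot_png).hexdigest(), record["screenshot_sha256"])


# Constructed sample input: a PNG signature plus a marker, not a real screenshot.
SAMPLE_SCREENSHOT = b"\x89PNG\r\n\x1a\n" + b"constructed 403 Forbidden screen"


def demo():
    """Run the test, seal the record, then show that an edited copy fails verification."""
    result = run_access_control_test()
    record = build_evidence_record(result, SAMPLE_SCREENSHOT, tester="j.doe@example.com",
                                   captured_at="2026-01-26T10:15:00+00:00")
    assert verify_evidence_record(record, SAMPLE_SCREENSHOT)
    tampered = json.loads(json.dumps(record))
    tampered["test"]["status"] = 200  # someone edits the stored outcome after the fact
    return record, verify_evidence_record(tampered, SAMPLE_SCREENSHOT)


if __name__ == "__main__":
    rec, tampered_verifies = demo()
    print(json.dumps(rec, indent=2))
    print("tampered record verifies:", tampered_verifies)
```

The page states that timestamps and URL bars are captured programmatically to reduce falsification risk; the digest and HMAC here are one concrete way to make that checkable, because the GRC upload step or the auditor can re-run `verify_evidence_record` against the stored artefact. The choice to keep the key out of the evidence repository is what gives the HMAC its value: a plain hash stored alongside the record can be recomputed by anyone who can edit the record.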

Example 2: A.8.25 Secure Development Life Cycle

Objective: Rules for the secure development of software and systems shall be established and applied.

  • Manual Method: Developer takes screenshots of a Jira ticket showing "Code Review" status and a GitHub PR showing "Merge Blocked" checks.
  • Automated Method: The agent integrates with the CI/CD pipeline or records the browser view of the PR process, highlighting the "Review Required" branch protection rule.
    • Result: A.8.25_SDLC_Enforcement.pdf (Generated automatically on PR merge).

Do Auditors Accept Automated Screenshots for Stage 2 Audits?

Yes. ISO 27001 auditors require evidence that is accurate, complete, and timely.

Automated evidence packs generated by tools like Screenata are often preferred over manual screenshots because they include:

  1. Metadata Integrity: Timestamps and URL bars are programmatically captured, reducing the risk of falsification.
  2. Consistency: Every piece of evidence follows the same format, making the auditor's review process faster.
  3. Context: The generated reports include the control objective and test narrative, which provides necessary context that raw screenshots lack.

During a Stage 2 Audit (Implementation Audit), the auditor verifies that your ISMS is functioning as described. Presenting a library of standardized, timestamped PDF reports demonstrates a high level of maturity in your compliance operations.


How Screenata Integrates with Your ISMS

Screenata acts as the "evidence engine" for your Information Security Management System (ISMS).

  • For Drata/Vanta Users: Screenata fills the manual evidence gaps. When your GRC tool flags a missing document for A.5.15, you use Screenata to capture the UI proof and upload it back to the control.
  • For Manual ISMS (SharePoint/Confluence): Screenata generates the artifacts that you store in your evidence folders, ensuring version control and audit trails.

Time Savings Impact:

  • Manual Collection: ~40 hours per audit cycle.
  • Automated Collection: ~2-4 hours per audit cycle.
  • Reduction: ~90-95%.

Frequently Asked Questions

What is the difference between Stage 1 and Stage 2 ISO 27001 audits?

Stage 1 is a documentation review to check if your ISMS is designed correctly (policies, SoA). Stage 2 is the "Main Audit" where the auditor verifies that your controls are actually operating effectively, requiring concrete evidence like screenshots and logs.

Can automation help with the transition to ISO 27001:2022?

Yes. Automation tools can map your evidence to the new ISO 27001:2022 control structure (Organizational, People, Physical, Technological), helping you identify gaps where old evidence from the 2013 standard is no longer sufficient.

Does Screenata replace the need for an external auditor?

No. Screenata automates the collection of evidence. You still need an accredited external auditor (certification body) to review that evidence and issue your ISO 27001 certificate.

How often should I collect screenshot evidence for ISO 27001?

While the audit is annual (or involves periodic surveillance audits), best practice is to collect evidence continuously or at least quarterly. Automation allows you to run these checks monthly without adding workload, preventing "evidence rot."


Key Takeaways

  • Automate the Gap: Use screen capture automation to document the application-level controls that API-based GRC tools miss.
  • Focus on Stage 2: Automated evidence is critical for the Stage 2 audit, where operational effectiveness is tested.
  • Use ISO 27001:2022 IDs: Ensure your evidence maps to the new 93 controls (e.g., A.5.15, A.8.9) to stay compliant with the latest standard.
  • Standardize Output: Auditors prefer structured PDFs with metadata over loose image files.
  • Reduce Prep Time: Automation cuts evidence collection time from weeks to hours, allowing you to focus on risk management rather than screenshots.

Learn More About ISO 27001 Certification Evidence Automation

For a complete guide to automating your ISMS documentation, see our guide on automating ISO 27001 evidence collection, including how to map automated screenshots to Annex A controls.

© 2025 Screenata. All rights reserved.