A client called me a few months ago. He’d bought an ISO 27001 template pack online. Proud of himself. Six months of work filling in documents. I ended up at his office for the preparatory internal audit. We opened the “Security Policy” folder. There were 10 distinct files on the same subject. He didn’t know which one applied. He didn’t know which was up to date. And when I asked him to explain his risk management process, he looked at me with the eyes of a man who’d just realized he had a problem.

This isn’t an exception. It’s what I see more and more.

The Real Question Behind the Question

When an organization asks me whether it can “use templates” or “let AI generate the documentation,” the real question is: “Can we shorten the work?”

The honest answer: no.

ISO 27001 doesn’t certify your documents. It certifies your ability to demonstrate that you understand and control your information security program. That’s a fundamental nuance that template vendors never mention on their sales page.

Reminder: What the Auditor Actually Evaluates

The standard rests on three concrete realities.

Identifying and treating risks specific to your organization. Not the generic risks from a document designed for a fictional company that vaguely resembles yours.

Implementing controls adapted to your context. Not 93 controls copy-pasted because the template included them all by default.

Continuous demonstration that it works. Not a stack of documents produced six months before the audit then filed in a shared folder nobody consults.

A competent ISO 27001 auditor doesn’t look at whether your documents exist. They verify whether you understand them, apply them, and can discuss them with ease and precision. The difference between the two — that’s where certifications are won or lost.

Problem 1: Loss of Control

Templates and AI generate content. A lot of content. Fast. The problem: that content isn’t yours. It describes a generic security program designed for a fictional organization that vaguely resembles yours but isn’t you.

When your auditor asks: “How do you manage privileged access in your cloud environment?”, you must be able to answer with precision. Name your tools. Describe your processes. Explain your exceptions. If your policy was generated by AI or copied from a template, the answer will be vague, hesitant, and disconnected from your systems’ reality.

And the auditor will see it. Immediately.

I’ve had conversations where the client could recite their policy almost word for word. Yet they were unable to explain how it applied in their infrastructure. That’s exactly the signal an auditor looks for: the disconnect between document and operational reality.

A security program you don’t understand = a program you don’t control. And a program you don’t control, you can’t certify. It’s that simple.

Problem 2: Document Scope Creep

Templates come in packages. Often big ones. Often redundant. And nobody tells you what to remove.

My client’s case isn’t isolated. I’ve seen it repeat at several organizations this year: buy a pack of 50, 80, 100 documents. Start filling them in. Six months later, you have 10 files partially covering the same subject with internal contradictions, uncontrolled versions, and nobody knows which takes precedence.

That’s document scope creep. And it’s a direct audit problem.

ISO 27001 requires control of documented information. That includes version control, periodic review, and clarity of update responsibilities. When you arrive at audit with bloated, poorly controlled documentation, you create your own non-conformities. You hand findings to the auditor on a platter.

What I had to do at this client: consolidate 10 documents into one. Remove everything that didn’t apply to their context. Rewrite sections that contradicted their operational reality. Then restart the understanding work they should have done from the start.

The time saved with templates was spent twice on corrections.

AI: Same Problem, New Packaging

Generative AI changes production speed. It doesn’t change the nature of the problem.

You can ask an LLM to generate an incident management policy in 30 seconds. The result will be coherent, well structured, and professional. It will also be generic, incomplete on your specifics, and potentially in contradiction with your actual practices or your obligations under Bill 25.

AI is a writing tool. It’s not a tool for understanding your organizational context. It doesn’t know your infrastructure, critical processes, risk tolerance, or sector constraints.

Using AI to generate your ISO 27001 documentation is like using a GPS to answer the question “Where do I want to go?” The GPS guides you once you know the destination. It can’t choose it for you.

In Practice: How to Use These Tools Without Getting Trapped

Templates and AI can be useful, but only in a precise role: as a starting point to adapt, not as a final deliverable.

Here’s what works:

Start by understanding your context before opening a single template. What are your critical assets? What are your real threats? What is your risk tolerance? That work can’t be delegated to a generic document.

Use templates as structure, not content. A template shows you which sections to include in a policy. It doesn’t tell you what those sections should say for your organization.

Limit your documentation to what you can master and defend. Fewer well-understood documents beat 100 documents nobody can explain in audit.

If you use AI, treat every output as a first draft requiring thorough review by someone who knows your environment. Every control mentioned, every procedure described must be validated against your reality.

Questions to Ask Yourself Before Your Audit

Can you explain your risk management process without reading your document?

If an auditor asks how you concretely apply a given policy, can you answer with precise examples from your operations?

Do you know how many documents cover each subject and which is the official reference in case of contradiction?

Has each document been reviewed, approved, and integrated into your practices, or was it simply deposited in a folder after being filled in?

If you hesitate on any of these questions, you have work to do before going to audit.
In short, ISO 27001 isn’t a documentation test. It’s a demonstration of mastery. Templates and AI can give you a starting structure, but they can’t do the understanding work for you. And that’s exactly the work your auditor will evaluate, from the first question.