ISO 27001
ISMS, scope, Annex A, risk analysis, audits, certification, continuous improvement.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
ISMS, scope, Annex A, risk analysis, audits, certification, continuous improvement.
Before starting, we run a 1-minute tech check — microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Show recruiters and clients you actually know ISO 27001 — ISMS scoping, Annex A 2022, risk treatment, two-stage audit — with a 15-minute AI-powered oral exam and a score they can verify.
The Plume ISO 27001 badge tests your real ability to design, implement, and sustain an Information Security Management System (ISMS) compliant with ISO/IEC 27001:2022. The AI examiner digs into concrete situations: defining the ISMS scope and organisational context (clauses 4 and 5), drafting and maintaining a Statement of Applicability (SoA), building a risk assessment aligned with ISO 27005 using EBIOS RM, MEHARI, or a scenario-based approach, and managing the two-stage certification audit. The examiner also probes your command of the restructured Annex A in the 2022 version — 93 controls across 4 themes (organisational, people, physical, technological) and 5 attributes — including the harder-to-implement controls like threat intelligence (5.7), cloud security (5.23), and information security for cloud services.
Unlike a LinkedIn self-endorsement or a training certificate, this badge is grounded in a spoken performance: Claude Opus reads the full transcript of your 15-minute session and scores each response on technical depth, quality of real examples, rigour of your risk methodology, ability to navigate multi-framework environments (NIS 2, GDPR, HIPAA, SOC 2, HDS), and your advisory posture. The result is a reproducible 0-to-100 score with a level — Novice, Proficient, Advanced, or Expert — that tells hiring managers, clients, and colleagues exactly what you can do with ISO 27001.
This badge is built for CISOs, GRC consultants, ISO auditors, and anyone who has led or supported an ISO 27001 certification project. It is equally valuable if you are preparing an accredited Lead Implementer or Lead Auditor exam and want to surface blind spots before committing to the official programme, or if you need a credible proof of competence for a bid, a proposal, or a new client relationship.
Here are the concrete dimensions the AI examines during the 15-minute oral.
Ability to define and document the ISMS scope (clause 4.3), map the internal and external organisational context, and defend scope boundaries and exclusions under auditor scrutiny.
Command of the end-to-end risk assessment process: asset identification, threat and vulnerability analysis, likelihood and impact scoring, and the production of a coherent Risk Treatment Plan (RTP).
Drafting and maintaining the SoA for all 93 Annex A controls in ISO 27001:2022, justifying applicability or exclusion of each control, and ensuring consistency with the Risk Treatment Plan.
Preparing and running Stage 1 (documentation review) and Stage 2 (on-site audit), managing non-conformities, writing corrective action plans, and supporting surveillance audits.
In-depth knowledge of the four control themes and five attributes in ISO 27001:2022, with practical insight into the controls that are hardest to implement, such as threat intelligence (5.7), cloud security (5.23), and ICT supply-chain security (5.21).
Ability to map ISO 27001 controls against NIS 2 obligations, GDPR Article 32 technical measures, HDS requirements, or SOC 2 Trust Services Criteria, reducing documentation overlap in multi-certification programmes.
Setting up KPIs and measurement programmes (clause 9.1), running management reviews, managing internal audits, and applying the PDCA cycle to keep the ISMS relevant and the certification sustainable over time.
Advising clients on whether ISO 27001 certification is the right move, identifying when lighter alternatives (ISO 27002 as a guideline, sector-specific frameworks) are more appropriate, and adapting the approach to the organisation's actual maturity.
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Precise command of clauses 4 to 10, the 93 Annex A controls in the 2022 version with their four themes and five attributes, and the key changes from ISO 27001:2013. Answers must go beyond surface vocabulary and demonstrate operational understanding.
Ability to back every point with concrete situations from actual projects — scope decisions, SoA exclusion justifications, handling a major non-conformity, dealing with a difficult Stage 2 auditor — with enough detail to confirm genuine field experience.
Rigour and coherence in the risk assessment approach: justification of the chosen method (EBIOS RM, MEHARI, scenario-based), consistency between asset identification, risk scoring, and the Risk Treatment Plan, and ability to adapt the method to different organisational contexts.
Ability to position ISO 27001 within a broader regulatory landscape — NIS 2, GDPR, HDS, SOC 2, DORA — identifying overlaps, avoiding redundant documentation, and advising on an efficient multi-certification strategy.
Quality of oral communication: well-structured answers, ability to nuance (knowing when to steer a client away from ISO 27001), and a credible consultant or senior CISO posture when presenting trade-offs to a board or an external auditor.
A Plume session takes about 20 minutes, from tech check to badge delivery.
The AI confirms your microphone is working and that you are in a quiet environment. A short welcome message explains the format of the ISO 27001 oral exam and what to expect from the examiner.
The AI examiner invites you to introduce yourself and frame your ISO 27001 experience: your most recent role, the type of organisation, and which version of the standard you have worked with (2013 or 2022).
The core of the exam. The AI explores three to five calibrated themes: ISMS scope definition, risk assessment methodology, SoA drafting and maintenance, two-stage certification audit management, Annex A 2022 controls, and multi-framework alignment. Questions adapt to your answers in real time.
The examiner presents one or two nuanced scenarios — when would you advise against ISO 27001 certification, how would you handle a control like threat intelligence or cloud security that is genuinely hard to evidence for a mid-size company.
The session closes, Claude Opus analyses the full transcript and generates your 0-to-100 score, your level (Novice / Proficient / Advanced / Expert), a detailed per-criterion report, and a shareable verified URL for your ISO 27001 badge.
Your score out of 100 translates into a level a recruiter can grasp at a glance.
You know the big picture of ISO 27001 — ISMS, Annex A, certification audit — but have not yet led or supported a project end to end. You can define the key concepts but struggle to justify scope boundaries or SoA exclusions when pressed by an auditor.
You have contributed to at least one ISO 27001 project, either in a support role or on a limited scope. You can build a basic risk assessment, draft a first version of the SoA, and help teams prepare for a Stage 1 audit. You are solid on the main clauses but some Annex A 2022 controls are still unfamiliar territory.
You have led several end-to-end ISO 27001 certification projects, managed two-stage audits, maintained the SoA over time through organisational changes, and mapped the standard against other frameworks like GDPR, NIS 2, or HDS. You know all 93 Annex A 2022 controls and their attributes and can pinpoint the hardest ones to implement in practice.
You are a recognised authority on ISO 27001: you operate as a senior consultant, CISO, or qualified auditor; you master the nuances between the 2022 and 2013 versions; you handle complex multi-framework programmes; and you advise boards on certification strategy, including when to pursue alternatives to ISO 27001.
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
You are running an ISO 27001 compliance programme and need an objective score that documents your operational ISMS expertise beyond a self-declared LinkedIn skill or a training certificate.
You take clients through ISO 27001 certification and want a credible, verifiable proof of competence to include in proposals, on your freelance profile, or in client-facing credentials.
You are preparing an accredited ISO 27001 certification (PECB, BSI, Bureau Veritas) and want to identify blind spots — especially on Annex A 2022 and risk methodology — before committing to the official exam.
You work at the intersection of GDPR and ISO 27001 and need to show that your understanding of the standard goes beyond mapping Article 32 requirements to a controls checklist.
Your company is pursuing ISO 27001 certification to meet contractual or tender requirements and you need to benchmark your own level before kicking off or steering the project.
Where and how your ISO 27001 badge will help you day to day.
A cybersecurity consultancy submits a bid to a financial services firm that requires demonstrated ISO 27001 expertise on each assigned consultant. The Plume badge with an Advanced or Expert score strengthens the proposal and differentiates the offer from competitors listing only training credentials.
A CTO hiring a CISO to lead the company's first ISO 27001 certification uses badge scores to objectively compare two candidates who both list 'ISO 27001' on their CV, looking at the per-criterion breakdown to understand where each candidate is actually strong.
An independent cybersecurity consultant displays their Expert ISO 27001 badge on their LinkedIn profile and freelance marketplace page to justify a higher day rate and attract certification-lead engagements from mid-market companies.
An IT manager preparing for a PECB Lead Implementer exam uses the Plume oral to surface knowledge gaps — particularly on the Annex A 2022 restructuring and EBIOS RM methodology — before investing in official training.
A CISO at a healthcare cloud provider needs to demonstrate joint expertise in ISO 27001, HDS, and NIS 2 to satisfy regulatory requirements. The badge documents their ability to navigate all three frameworks simultaneously, a key argument during cross-referential audits.
A security director runs the badge across the entire security team to map individual levels and build a targeted training plan, prioritising the gaps identified in each person's per-criterion report rather than rolling out a generic ISO 27001 awareness programme.
A few minutes to check you have everything you need.
At the end of your session you don't just get a score — here's everything that awaits you.
You get a precise score from 0 to 100 and an official level (Novice / Proficient / Advanced / Expert) calculated by Claude Opus from the full transcript of your ISO 27001 oral exam.
A full report breaks down your strengths and areas for improvement across all five scoring dimensions: normative depth, concrete examples, risk methodology, multi-framework alignment, and advisory posture.
The audio of your session is stored privately. You can replay it to analyse your answers and work on specific weaknesses before attempting the exam again for a higher level.
You receive a unique, publicly verifiable URL you can share on LinkedIn, in a client proposal, or in a job application — with your score and level visible to anyone who opens the link.
Discover related skills you can validate with Plume.
A 15-min oral exam with an AI, a shareable badge for your recruiters.
Choose this badge · €19.99