Instead of “fill in this document,” it asks: “let's understand your company.”

Everything else is generated, and kept current by agents.

It learns your company

The AI interviews your people over email with questions like “How are production databases backed up?” Meanwhile, connectors map your repos, clouds, and identity providers into one living organization graph.

It does the paperwork

Policies grounded in your actual infrastructure, with citations. Interview answers and connector snapshots become classified evidence. Reviews and e-signatures bind to immutable versions.

It runs the whole ISMS

Live readiness per framework and drift detection — plus the operating layer auditors actually check: incident response, internal audits, management reviews and awareness training, all on one graph. An auditor portal traverses every requirement to its evidence. No ZIP files, ever.

The whole management system, not a checklist

Most tools track controls. Constant runs the entire ISO 27001 management system, clauses 4–10 and Annex A, on one evidence graph.

AI email interviews: Your team answers in plain language, and answers become audit evidence automatically. Nobody is asked twice.
Continuous discovery: GitHub today, clouds and identity next. Assets and asset groups appear in your graph by themselves, with drift alerts.
Agentic control verification: Policy says branch protection everywhere? Constant checks, and opens an issue the moment it drifts.
Audit-grade policies: Drafted from your real controls and assets, cited node by node, then reviewed, signed and versioned immutably, with full document control.
Risk register & SoA: A risk matrix with treatment decisions, wired to your Statement of Applicability so every Annex A control has a justified in-or-out.
Incident response: Log incidents from the app, email or API, gated to known people, with root-cause analysis and corrective actions on an append-only trail.
Periodic actions: Recurring tasks tied to controls and assets, assigned and chased by email, so nothing that must happen quarterly quietly lapses.
Supplier & sovereignty scoring: Send vendors a security questionnaire by magic link; get a compliance score and an EU data-sovereignty score, with certificates on file.
Internal audit & management review: Run the clause 9.2 audit programme, turn findings into corrective actions, and assemble the clause 9.3 leadership review from live data.
Awareness training: Assign courses to staff, who complete a short course and quiz by magic link. Every completion is a scored, dated record for A.6.3.
Ask your AI CISO: “Are we ISO 27001 ready?” gets a percentage, the gap list and cited requirements. Grounded, never invented.
Auditor portal: One link. Every requirement, control, evidence item and signature is one click deep. No email attachments.

Security is the product, so it's our first priority.

We sell trust, and we build like it. Constant tracks its own ISO 27001 readiness in Constant.

  • Database-enforced isolation: row-level security, immutable tenant IDs, and adversarial cross-tenant tests as release gates
  • Tamper-evident by design: a hash-chained audit log, signatures bound to content hashes, append-only versions
  • Credentials sealed: AES-256-GCM at rest with least-privilege, read-only connector scopes
  • Built and hosted in the European Union 🇪🇺 so your data stays in the EU

Be constantly audit-ready.

We're onboarding early design partners now. First readiness score in under a day. Your auditors will notice.
