This section tracks evidence of whether AlphaTech's controls are actually working. It is the audit readiness layer. An ISO 27001 auditor would review this section to assess operating effectiveness.


What Is Here

Control Testing Tracker (database below)

Each row is one control test. Includes: what was tested, how, what was found, what evidence exists, and whether remediation is required.

ISO 27001 Audit Readiness

The audit readiness gap analysis is documented in the Assurance Core section below and in the Case Study narrative (Key Decisions section). The Statement of Applicability, when uploaded to the Evidence Repository, will serve as the primary audit readiness document for Stage 1 review.

Business Resilience Suite (Evidence Repository)

The Business Impact Analysis (BIA v2.0), Business Continuity Plan (BCP v2.0), and ICT Readiness for Business Continuity document are stored in the Evidence Repository. The BIA establishes Recovery Time Objectives: Service Delivery (EHR and Apps) is rated Mission Critical with a 2-hour RTO. This is the governing RTO figure for the portfolio.

Gap Analysis (Evidence Repository)

The AlphaTech Gap Analysis documents the baseline compliance posture at engagement start, identifies control deficiencies across ISO 27001:2022 Annex A and HIPAA Security Rule, and provides the structured starting point for the ISMS build programme. It is the before-state document against which the full portfolio demonstrates improvement.


Current Testing Summary

Result | Count | Controls Affected
Passed | 1 | CTL-BA-01 (BAA Management)
Partial / In Progress | 3 | CTL-AC-01, CTL-SIEM-01, CTL-MFA-01
Failed | 1 | CTL-VM-01 (Patch Management - HR Portal gap)
Not Started | 1 | CTL-IR-01 (HIPAA Breach Notification - CRITICAL)

Audit Readiness: Key Gaps

The following gaps would be raised in a Stage 1 ISO 27001 audit:

Gap | Clause / Reg | Severity
HIPAA breach notification procedure untested | A.5.26, §164.402 | Critical
SIEM deployment incomplete | A.8.15, A.8.16 | High
HR Portal patches not applied to all components | A.8.8 | High
Quarterly access review not on consistent schedule | A.5.18 | Medium
Legacy warehouse FIPS 140-2 not validated | A.8.24 | Medium

How Assurance Connects to the Rest of the System