Enhancing Productivity with AI During the Development of an ISMS: Case Kempower
Atro Niemeläinen, Muhammad Waseem, Tommi Mikkonen
TL;DR
The paper investigates how generative AI can accelerate the development and implementation of an ISO27001:2022–compliant ISMS in a real-world setting. Through seven semi-structured interviews, it demonstrates that AI can generate initial baselines and document structures for the 116 ISO27001 controls, producing substantial time and cost savings while requiring careful human validation. The study highlights benefits and risks, including information leakage and potential AI misinformation, and argues for restricted, in-house GenAI to mitigate these concerns. Overall, the Kempower case shows that AI can meaningfully boost administrative efficiency in security management, with practical adoption contingent on robust oversight and secure AI environments.
Abstract
Investing in an Information Security Management System (ISMS) enhances organizational competitiveness and protects information assets. However, introducing an ISMS consumes significant resources; for instance, implementing an ISMS according to the ISO27001 standard involves documenting 116 different controls. This paper discusses how Kempower, a Finnish company, has effectively used generative AI to create and implement an ISMS, significantly reducing the resources required. This research studies how the use of generative AI can enhance the process of creating an ISMS. We conducted seven semi-structured interviews with various stakeholders of the ISMS project, who had varying levels of experience in cyber security and AI.
