Marcus Nightingale
Practical ISO 27001 tooling and notes. I focus on clear control language, maintainable evidence, and frictionless audits.
Engineer-led ISO/IEC 27001 implementer turning controls into testable, auditable engineering.
I’m a UK-based software engineer working where backend systems, infrastructure, and ISO/IEC 27001 implementation meet. I build ISMS tooling alongside product systems so controls live in the same repos, pipelines, and day-to-day workflows that ship software.
My work covers compliance automation, CI/CD security, authentication hardening, audit evidence capture, and secure architecture. I treat controls as engineering constraints: keep them small, repeatable, and measurable — and capture evidence where the work actually happens.
Why this site exists
A lot of ISO guidance is either high-level or template-heavy. This site is a set of implementation-grade tools and notes designed to reduce documentation friction and help teams produce consistent, reviewable evidence.
Focus areas
- ISO/IEC 27001:2022 control intent, interpretation, and applicability
- Statement of Applicability creation, maintenance, and export workflows
- Evidence capture aligned to engineering delivery and change control
- CI/CD security, release governance, and audit-ready logs
- Authentication, identity, and access control design
- Secure architecture and infrastructure hardening
These tools exist because I’ve had to make ISO work in production — not just in documents.
Bento mantra: everything fits in its place.