Skip to content
Cybsis

AI features

Audit readiness in 2 months, not 6.
With a fraction of the staff time.

A standard ISO 27001 or E-ITS implementation takes about six months from project kick-off to first audit, and it pulls 15–25 people into workshops, drafting, and review across that period. With Cybsis's three AI features doing the bulk of risk identification, document drafting, evidence mapping, and gap analysis, customers consistently reach audit readiness in about two months — and the same milestones need 3–5 reviewers instead of a full cross-functional team.

Three AI features. All opt-in.
All bring-your-own-provider — public or self-hosted.

Cybsis's AI surface is split into three distinct paid modules. Most customers running a real implementation buy all three; smaller organisations often start with one or two and add the rest as they scale. A fourth, jurisdiction-specific add-on — Ludwig DPO — extends Ludwig into an assistant to your data protection officer.

In-workflow sparkle buttons

AI Assistant

Suggests risks from asset and business-process descriptions, drafts chapter content, surfaces next-best-actions, analyses uploaded policies for coverage gaps, walks you through implementing a single control. Lives inside the forms you already use; never auto-applies.

€400/yrbring your own provider

Module details →

Long-form document generation

AI Documents

Drafts policies, procedures, risk assessments, and BCM plans from your instance data plus a structured questionnaire. Generated drafts flow through the same 5-stage lifecycle as hand-written documents; on approval the controls each one satisfies auto-link.

€600/yrbring your own provider

Module details →

Standalone chat advisor

Ludwig

A seasoned information-security specialist in chat form. Reads your live instance data, answers questions about standards, controls, risks, audits, and the platform itself, and proposes actions you approve before they run. Requires AI Assistant. An optional DPO add-on extends Ludwig into an assistant to your data protection officer, with answers grounded in a verbatim legal corpus.

€1,500/yrbring your own provider

Module details →

Where the time — and the staff days — go.

The compression isn't magic. Six implementation phases, each with a measurable traditional cost (weeks elapsed and people pulled in) and a measurable AI-compressed version. Both axes matter: for private buyers, the calendar is the constraint; for public-sector teams who can't easily hire short-term, the headcount is.

  1. Phase 01

    Asset & business-process inventory

    Traditional

    ~3 weeks · 5–8 people

    Interviewing each department head, building spreadsheets, classifying CIA, mapping owners. Coordination across IT, HR, facilities, finance.

    With AI

    ~3 days · 2 people

    XLSX bulk import handles the inventory itself; AI Assistant proposes CIA classifications from the descriptions, sub-asset hierarchies from the names, and likely process-to-asset links. A CISO plus one analyst confirms or corrects.

  2. Phase 02

    Risk identification & assessment

    Traditional

    ~5 weeks · 8–12 stakeholders

    A series of risk workshops with stakeholders from every team, cross-team coordination to align taxonomies, threat-catalogue research.

    With AI

    ~1 week · 2–3 reviewers

    AI Assistant suggests risks from each asset and business-process description, scored against your active threat catalogues. Workshops shorten to validation sessions with the risk owner, not generation sessions with everyone.

  3. Phase 03

    Control implementation & SoA

    Traditional

    ~7 weeks · 5–10 people + external consultant

    Mapping which controls apply, what evidence satisfies them, who's responsible. Multiple consultant days at day-rates; control owners pulled into review meetings repeatedly.

    With AI

    ~2 weeks · CISO + control owners

    AI Assistant suggests evidence per control, tailored to your instance. Single-control chat answers "what does A.5.1 mean for our org?" without booking a consultant call. Control owners only need to validate, not research.

  4. Phase 04

    Policy & procedure drafting

    Traditional

    ~8 weeks · 2–3 writers + 4–6 reviewers per document

    Twenty or more documents — information security policy, acceptable use, incident response, BCP, access control, etc. Each one drafted, circulated, marked up, redrafted.

    With AI

    ~2 weeks · 1 reviewer per document

    AI Documents drafts each one from your instance data plus a structured questionnaire. Output flows through the same 5-stage lifecycle as a hand-written document; one reviewer approves or sends back for revision.

  5. Phase 05

    Gap analysis & readiness

    Traditional

    ~2 weeks · external consultant + internal coordinator

    Consultant walks the entire ISMS, scoring against the standard. Two to three weeks of consultant time at consultant day-rates plus internal liaison.

    With AI

    continuous · just the CISO

    Ludwig reads your live data and answers "what's missing for audit?", "which controls flipped to amber and why?", "are we ready for next month?" on demand. No scheduled consultant engagement, no calendar lag.

  6. Phase 06

    Audit preparation

    Traditional

    ~3 weeks · the whole ISMS team

    Evidence-gathering sprints, finding the right document for each requirement, formatting reports. Pulls the whole compliance team away from operational work.

    With AI

    ~4 days · 1–2 people

    Audit campaign module + AI evidence analysis: upload evidence, AI rips it into pieces and scores each piece against the standard's requirements. Findings auto-coded, gaps surfaced before the auditor arrives.

Figures are typical, not guaranteed. Small organisations with one standard go faster; regulated sectors with heavy approval chains go slower. The biggest single variable is whether the team uses AI Documents — the policy-drafting phase is the longest and most headcount-hungry stage in any traditional implementation.

Your own people can do this work.

The traditional pattern: bring in a consultant who knows the standard, give them three weeks to learn your business, accept their draft, sign it. The work is correct but rented — when audit findings come back next year, the person who wrote it is gone.

With AI in the loop, the pattern inverts. The person who already knows your business — your operations lead, your CISO, your in-house counsel — gets specialist-grade assistance on tap. Drafts come out competent. They review, edit, and approve as themselves. The result is owned by people who'll still be there in twelve months.

Three ways to power it.

All three AI features share one configurable provider. Pick the mode that fits your trust boundary and procurement model.

1 · Bring your own key
Anthropic, OpenAI, Gemini, or Azure OpenAI. You supply the API key; inference cost lands on your billing. RaulWalter never sees the key in plaintext or the request/response payloads.
2 · Self-hosted endpoint
Point Cybsis at an OpenAI-compatible endpoint you run — Ollama, vLLM, or any in-house LLM. No third-party API call, no prompt leaving your network. The air-gapped path.
3 · RaulWalter-supplied key
One invoice. We wire up the provider on your behalf and bill inference alongside your annual subscription. Mention it in the quote and sales will scope usage.

Off by default. Removable at any time.

None of the AI features are on out of the box. An administrator enables them explicitly under Administration → AI Settings, per instance. The toggle is reversible — flipping it off hides every sparkle button and every Ludwig entry-point immediately. The provider configuration is encrypted at the field level (AES-256-GCM); RaulWalter staff cannot read it.

Every AI call is written to the AI Usage Log — which user, which feature, how many tokens, against which provider. The log is exportable and auditable like the rest of the activity audit trail.

More detail on the trust model, encryption surface, and the three provider modes lives on the Security & privacy page.

Two months to audit readiness, not six.

Configure a bundle that includes the AI features you need, request a quote, and we'll line up a walkthrough on a demo instance pre-populated with the AI in action.