Effectiveness Layer for Your ISMS

Do your controls still work when the attacker is an AI?

MRIS assesses the 93 controls of ISO/IEC 27001:2022 Annex A (ISO/IEC 27002:2022) against AI-accelerated attacks — and names concrete compensating controls for every gap.

Free framework · 2 PDF documents · No registration · For CISOs and security leaders

Why “Mythos”?

Mythos (Anthropic) was the first frontier AI model whose capabilities in an attacker’s hands fundamentally changed the security landscape. MRIS uses it as the reference threat model: every control is measured against an attacker with Mythos-level capabilities.

What has changed

Four findings on the AI-accelerated threat

Patch gap

Collapse of the patch window

The time between a known vulnerability and its exploitation is shrinking toward zero.

Timeline

Timeline compression

Minutes, not days, pass between initial access and damage.

Scaling

Fragmentation

Attacks run in parallel and distributed to overwhelm the response.

Actor

Capability decoupling

Attack capability no longer depends on the actor's resources.

1
Assess93 controls against the Mythos threat model
2
ClassifyFour categories, bridge into ISO/IEC 27005
3
Harden13 MHC close the gaps
Risk Classification

Four categories. One clear verdict per control.

Each of the 93 controls from ISO/IEC 27001:2022 Annex A is assessed against the AI threat landscape. The result feeds directly into your risk assessment under ISO/IEC 27005.

93Controls total
Bridge to ISO/IEC 27005: A partially degraded control raises the likelihood by one level, a pure-friction control by two levels.
Compensating Controls

Select a control — see the flanking hardening

Select a control from ISO/IEC 27002:2022. MRIS shows the flanking Myth-Hardening Controls (MHC) that close the gap.

Select a control on the left
to see the matching MHC.

Mappings per MRIS, Annex A/C. Excerpt of degraded and flanked controls.

Leverage

A few controls cover many gaps

Number of degraded controls each MHC flanks. Prioritization starts with the broadest impact.

Scope

What MRIS does — and deliberately does not

MRIS provides

  • +Effectiveness assessment of all 93 ISO 27002 controls against the AI threat
  • +Gap analysis against C5:2026, NIST, DORA, CRA and NIS2
  • +Audit-ready catalog of 13 Myth-Hardening Controls with maturity levels
  • +Bridge into the risk process under ISO/IEC 27005

MRIS deliberately does not provide

  • Not a full ISMS — an established ISMS is assumed
  • No risk-management process of its own
  • Not a compliance-mapping or certification tool
  • No organization-specific policy hierarchy
Assessed against
ISO/IEC 27001:2022ISO/IEC 27002:2022BSI C5:2026NISTDORACRANIS2-RichtlinieNIS2-DVO
Download

Both documents. Free.

Main document

MRIS v1.6 – Myth-Resistant Information Security

Complete assessment of the 93 controls from ISO/IEC 27001:2022 Annex A, with gap analysis and MHC catalog.

PDF · April 2026 · ~99 pages · English
Download
Implementation guideline

MRIS Implementation Guide v1.2

Prioritization with Threat Priority Score, roadmap and RACI for the 13 MHC.

PDF · April 2026 · 49 pages · English
Download
Usage note

MRIS and the Implementation Guide are working aids for assessing the effectiveness of existing security controls. They assume an established ISMS and do not replace it. They do not constitute legal, compliance or certification advice, make no claim to completeness and establish no warranty. Use is at your own responsibility. Named standards, frameworks and trademarks belong to their respective owners.