alligator.io
alligator.io
?
AB

Good morning, Muji 👋

FDM ISO 27001 workspace. External audit in 16 days.

Audit in 16 days
Audit Readiness
82%
Improving vs last 30 days
Open Gaps
23
↓ 4 vs last 30 days
Policies Due for Review
5
Next: Access Control Policy
Evidence Issues
12
↑ 3 vs last 30 days

Governance Relationship Map New

Explore how your governance assets connect.
Policies28
Risks34
Controls93
Evidence156
Actions47
ISO 27002114 Controls
Information
Security
Last updated: Today, 09:41

Merlin AI Adviser BETA

Top recommendations for you
!
Missing access review evidence12 user access reviews are overdue evidence.
Upcoming management reviewYour Q2 management review is due in 11 days.
?
Policy review suggested5 policies haven't been reviewed in 12+ months.
Ask Merlin a question...
Address 3 high-priority gaps to improve readiness.

Governance Calendar

MAY15
Q2 Management Review
Review
MAY28
ISO 27001 Internal Audit
Audit
JUN10
Risk Assessment Update
Assessment
JUN20
Policy Review: Access Control
Review

Policy Coverage

Coverage by ISO 27002 domain
5. Organisational Controls92%
6. People Controls88%
7. Physical Controls76%
8. Technological Controls81%
Overall coverage84%

Top Risks

R1
Unmanaged AccessHigh
R2
Phishing & Social Eng.High
R3
Data LossMedium
R4
Third-Party RiskMedium
R5
Insider ThreatLow

Recent Activity

Evidence uploaded
Access Review Q1 2025.pdf
2h ago
i
Policy updated
Data Classification Policy
4h ago
!
Risk status changed
Third-Party Risk → In progress
6h ago
Control tested
AC-2: Account Management
1d ago
Action completed
Review vendor due diligence
1d ago

Risk Object Profile

Built from imported risk data — now checking clause, control and policy linkage quality.

RSK-H · Supplier assurance confidence

Suppliers may fail to provide the ongoing level of information security confidence shown during initial selection, or may change their services, controls or subcontracting position without enough assurance review.

Reference: HOwner: Muji AliCompletion: 33%Review: overdue by 3 days
Risk position24Impact: Severe
Likelihood: High
Overdue
Linked clauses0
Linked controls2
Linked policies1
Suggested links8

Governance chain

This turns the risk register entry into a working assurance chain.
RiskRSK-H Supplier confidence

Supplier assurance may deteriorate after onboarding.

Clause6.1.3 Risk treatment

No clause linked yet. Suggested by Alligator.

ControlA.5.19 Supplier relationships

Define supplier security requirements.

PolicySupplier Security Policy

Current linked policy. May need expansion.

EvidenceSupplier review pack

Questionnaires, contracts and assurance records.

Clause and control linkage

Alligator checks whether the risk is properly linked.
No clauses linked so far — you need to link these.
Suggested: 6.1.2 Risk assessment, 6.1.3 Risk treatment, 8.1 Operation, 9.1 Monitoring
You have some controls linked, but you should consider linking these too.
Suggested controls: A.5.20, A.5.21, A.5.22, A.5.23.
Current controls linked
A.5.19 Supplier relationshipsA.5.20 Supplier agreements
Suggested additional links
6.1.26.1.38.19.1A.5.21A.5.22

Policy linkage suggestions

Link the right documents, then improve or create where needed.
Current policy link
Supplier Security Policy Current
You should also think about linking
Supplier Due Diligence Procedure · Supplier Review Register · Procurement Policy
Creation/refactoring suggestion
If no procedure exists, create a Supplier Assurance Procedure.
Merlin note
Generated does not mean approved. Exported does not mean implemented.

Merlin linkage review

No clauses are linked to this risk yet.
You have some controls linked, but should consider linking A.5.21, A.5.22 and A.5.23 as well.

Next best actions

Move from imported register line to governed relationship chain.
1. Link missing clauses

Add 6.1.2, 6.1.3, 8.1 and 9.1 where they apply.

2. Review control coverage

Confirm A.5.19–A.5.23 coverage against the risk.

3. Link more policy documents

Add procedure/register documents, not just one policy.

4. Consider policy refactoring

If the policy set is messy, split or merge documents more cleanly.

5. Generate draft policy

Create a starter document only if a genuine gap exists.

Policy Object Profile

See how this policy connects to risks, controls, clauses, evidence and actions — and the impact of change.

POL-014 · Supplier Security Policy

Defines supplier security expectations, due diligence, contract obligations and ongoing assurance and escalation requirements.

Owner: Muji AliVersion: 1.2Review due: 15 Aug 2026Linked items: 11
Policy statusCurrentLinked controls: 4
Linked risks: 2
Refactor candidate

Relationship map

Visualise how this policy connects to other objects in your framework.
RiskRisk

Supplier assurance confidence

ActionAction

Refresh linked supplier assurance

ControlA.5.19

Supplier relationships

ClauseClause

5.19 · 6.1.3 · 9.1

EvidenceEvidence

Questionnaire + review pack

ProcedureProcedure

Supplier Assurance Procedure

Supplier Security
Policy

Current linked objects

What is already connected to this policy.
Risk · RSK-H Supplier Assurance confidenceLinked
Control · A.5.19 Supplier relationshipsLinked
Control · A.5.20 Supplier agreementsLinked
Evidence · Supplier due diligence questionnaireLinked
Action · Refresh supplier assuranceLinked

Linkage and refactoring suggestions

Alligator suggestions to improve structure and clarity.
Think about linking additional controls

Suggested A.5.21 Managing ICT supply chain, A.5.22 Supplier monitoring

Think about linking more documents

Procurement Policy, Supplier Assurance Procedure, Supplier Reviews

Refactoring suggestion

Move operational steps out of the policy and into a procedure.

Creation suggestion

No procedure exists. Generate a draft Supplier Assurance Procedure.

Merlin policy review

This policy is linked, but not fully optimised.
Consider moving operational detail into a procedure and adding more evidence links.

Next best actions

Recommended steps to strengthen this policy.
1. Link additional controls

Check whether A.5.21–A.5.23 should be connected.

2. Link more evidence

Add supplier monitoring outputs and review records.

3. Add supporting documents

Link the procedure and register, not just the policy.

4. Consider refactoring

Split operational detail into a procedure if the policy is too detailed.

5. Generate draft procedure

Create a starter Supplier Assurance Procedure if missing.

Full Relationship Map

Click any object to see its risks, clauses, controls, policies, evidence and actions.

ViewAll objectsSupplier riskWeak links onlyAudit evidencePolicies

Supplier Assurance Relationship Network

Relationships are stored as the Alligator graph layer.
RiskClauseControlPolicyEvidenceAction

Selected object

Policy
Supplier Security Policy
Current policy with linked risks, controls, procedures, evidence and actions.
RISKS2
CLAUSES3
CONTROLS4
EVIDENCE2

Merlin says

This policy has useful links, but supplier monitoring controls and evidence need strengthening.

Connected objects

Control · A.5.21 ICT supply chainSuggested

Evidence Object Profile

Show whether this evidence proves the linked control activity and what it supports across the governance chain.

EVD-042 · Supplier review pack

Evidence package containing supplier questionnaire, contract check, review notes and assurance follow-up. Alligator checks whether it proves the linked supplier controls.

Owner: Muji AliEvidence type: Review packPeriod: Q2 2026Source: Uploaded
Evidence healthWeakLinked controls: 2
Missing fields: 3
Needs review
Linked risks1 Red
Linked controls2 Green
Linked policies1 Teal
Open actions3 Blue

Evidence assurance chain

The evidence is only valuable if it clearly proves a control activity.
RiskRSK-H Supplier assurance risk
ControlA.5.19 Supplier relationships
PolicySupplier Security Policy
EvidenceSupplier review pack
ActionComplete missing evidence details

Evidence quality check

What is present and what is missing.
File uploadedSupplier review pack exists
!
Date recordedReview date missing
!
Reviewer namedReviewer not recorded
!
Scope definedSupplier scope unclear
!
Exceptions capturedExceptions not documented

Connected objects

Evidence links back to the governance objects it supports.

Merlin evidence review

This evidence is useful, but not audit-ready yet.
It needs reviewer, date, scope and exception details before it strongly supports A.5.19.

Next best actions

Move this evidence from weak to audit-ready.
1. Add reviewer and review date

Record who performed the review and when.

2. Define supplier scope

Confirm which supplier services and systems are covered.

3. Capture exceptions

Record gaps, decisions and follow-up actions.

4. Link to A.5.19 and A.5.20

Make the control relationship explicit.

5. Create follow-up action

Assign missing evidence tasks to the owner.

Generated checklist ≠ approved evidence.

Control Object Profile

See what risks this control treats, what documents define it, what evidence proves it, and what actions are needed.

A.5.19 · Supplier relationships

This control ensures information security requirements for supplier relationships are defined, agreed, and reviewed.

Owner: Muji AliStatus: Partially assuredReview due: 31 Aug 2026Domain: Organisational controls
Control healthPartially
assured
Linked risks: 2
Linked evidence: 3

Control assurance chain

Visualise how this control connects to other objects in your framework.
RiskRSK-H

Supplier assurance risk

PolicySupplier Security Policy
ProcedureSupplier Assurance Procedure
EvidenceSupplier review pack
ActionRefresh supplier assurance
A.5.19
Supplier
relationships
Objects connect through the Alligator relationship graph.

Control coverage and linked objects

Current links and their status.
Risk · RSK-H Supplier assurance riskLinked
Policy · Supplier Security PolicyLinked
Procedure · Supplier Assurance ProcedureLinked
Evidence · Supplier review packWeak
Evidence · Supplier due diligence questionnaireLinked
Action · Refresh supplier assuranceOpen

What proves this control?

Assurance evidence and quality.
Quarterly supplier review pack
Reviewed 15 Apr 2026
Weak
Supplier due diligence questionnaire
Completed 10 Apr 2026
Strong
?
Supplier contract security clause check
No evidence linked
Missing
This control is not fully evidenced yet.
Add or strengthen evidence to improve assurance.

Merlin control review

The control exists and is linked, but evidence quality is inconsistent and supplier monitoring needs stronger proof.

Next best actions

Recommended steps to strengthen this control.
1. Link missing evidence

Identify and link any missing evidence for this control.

2. Add supplier monitoring proof

Add monitoring reports or performance reviews.

3. Confirm contract security clauses

Review contracts to confirm required clauses.

4. Record control owner review

Capture the owner review and confirm effectiveness.

5. Create follow-up action

Create an action to address any gaps or issues.

Generated guidance ≠ confirmed assurance.

Actions

Track draft, approved and completed remediation work.

Refresh supplier assurance evidence

Complete reviewer, date, scope and exception details for the supplier review pack.

Draft

Link clauses to RSK-H

Add 6.1.2, 6.1.3, 8.1 and 9.1 where relevant and record the rationale.

High priority

Confirm supplier contract clauses

Review supplier contracts and attach evidence of required information security clauses.

Open

Governance Calendar

Plan reviews, assessments and audit milestones.

15 May

Q2 Management Review

Review

28 May

ISO 27001 Internal Audit

Audit

27–29 July

External ISO 27001 Audit

External audit

Merlin Adviser

Governance recommendations based on object relationships and evidence quality.

Missing access review evidence

12 user access reviews are overdue evidence.

Supplier assurance weakness

Review pack needs reviewer, date, scope and exception details.

Policy refactoring suggested

Move operational detail into a Supplier Assurance Procedure.

Reports

Audit and management review outputs.

Audit readiness report

Current readiness, open gaps, evidence issues and recommended actions.

Management review pack

Objectives, performance, risks, corrective actions and continual improvement.

Relationship coverage report

Risks, clauses, controls, policies, evidence and actions with weak-link analysis.

Settings

Workspace configuration and governance preferences.

Workspace

Alligator Financial Services
Enterprise Plan

Branding

Logo, colours, domain and document export identity.

Integrations

Connect document storage, identity, ticketing and evidence sources.