Zing Forum

NEXUS: An Intelligent ISO 27001 Compliance Audit System Based on Large Language Models and Graph Databases

NEXUS is an AI-driven ISO 27001 compliance audit command center that uses the Gemini large language model to automatically parse enterprise security policies, extract compliance relationships, and map them to a Neo4j graph database, enabling intelligent management of cybersecurity compliance.

Tags: ISO 27001, cybersecurity compliance, large language model, Gemini, Neo4j, graph database, AI audit, knowledge graph, security policy, automation

Published 2026-05-04 14:15 | Recent activity 2026-05-04 14:17 | Estimated read 8 min

Section 01

NEXUS Project Introduction: AI-Driven ISO 27001 Compliance Audit System

NEXUS is an AI-driven ISO 27001 compliance audit command center. It uses the Google Gemini large language model to parse enterprise security policies, extract compliance relationships, and map them into a Neo4j graph database, building a compliance knowledge graph. The goal is to replace manual audits, which are time-consuming, labor-intensive, and prone to missing key compliance relationships, with a process that is faster and more accurate.


Section 02

Project Background and Motivation

As enterprises go through digital transformation they face increasingly complex cybersecurity threats, and the ISO 27001 compliance audit is a key control for ensuring information security. Traditional manual audits are time-consuming and labor-intensive, and they easily miss key compliance relationships. NEXUS was built to address this: its core vision is an AI-driven compliance audit command center that automates the tedious inspection steps and helps enterprises identify and manage security risks efficiently.


Section 03

Technical Architecture Overview

NEXUS integrates artificial intelligence, graph database, and real-time visualization technologies. Its core components include:

  • Large Language Model (LLM): Google Gemini serves as the intelligent engine, responsible for understanding and parsing complex security policy documents;
  • Graph Database (Neo4j): stores and queries the network of compliance relationships, supporting complex correlation analysis;
  • Real-time Visualization Engine: provides a dynamic neural topology map that presents compliance status at a glance.

Together these components take unstructured policy documents and turn them into a structured knowledge graph that can be queried and analyzed.

Section 04

Core Functional Mechanisms

Intelligent Document Parsing

The Gemini large language model processes enterprise security policy documents and, using semantic understanding of the surrounding context, identifies implicit compliance requirements and control measures. It accepts documents in multiple formats without requiring predefined templates.

Dynamic Relationship Extraction

Compliance relationships are extracted automatically, including the mapping between security controls and ISO 27001 clauses, dependencies between policies, and potential risk associations, to build a complete compliance knowledge network. Because these mappings are model inferences rather than verified facts, they should be validated against the ISO 27001 clause list and reviewed by an auditor before being treated as audit evidence.

Graph Database Mapping

The extracted relationships are mapped into the Neo4j graph database. Nodes represent entities such as security controls, policy clauses, and assets, while edges represent the relationships between them, which supports efficient traversal and pattern-matching queries.

Real-time Neural Topology Visualization

The compliance network is presented dynamically, so that compliance coverage heatmaps, the connection density of key control nodes, potential compliance gaps, and the cascading effects of policy changes can all be observed.
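The parse, extract, map, and gap-finding steps above fit together as in the following added example. It is not NEXUS code: the JSON shape of the model output, the Annex A clause subset used as audit scope, the control id format, and the Document/Control/Clause node labels are all assumptions made for the example. It shows the two things a practitioner would want at this point: model output is treated as untrusted input and validated before it reaches the graph, and the load into Neo4j is a single parameterized Cypher statement, so a hallucinated or hostile string cannot change the query.

```python
import json
import re
from collections import defaultdict

# Constructed sample of what the LLM extraction step might return for one policy
# document. The JSON shape (document id, controls, each with ISO 27001 Annex A
# clause ids) is an assumption for this example, not the NEXUS output format.
# The last entry imitates a model response that is malformed or hostile.
SAMPLE_LLM_OUTPUT = """
{
  "document": "access-control-policy-v3",
  "controls": [
    {"id": "AC-01", "name": "MFA for remote access", "clauses": ["A.5.17", "A.8.5"]},
    {"id": "AC-02", "name": "Quarterly access review", "clauses": ["A.5.18"]},
    {"id": "AC-03", "name": "Retain auth logs 12 months", "clauses": ["A.8.15"]},
    {"id": "AC-04", "name": "Suspicious entry", "clauses": ["A.8.15'}) DETACH DELETE n //"]}
  ]
}
"""

# Audit scope: a constructed subset of ISO 27001:2022 Annex A clause ids.
SCOPE_CLAUSES = {"A.5.17", "A.5.18", "A.8.5", "A.8.15", "A.8.16"}
CLAUSE_RE = re.compile(r"^A\.\d{1,2}\.\d{1,2}$")
CONTROL_RE = re.compile(r"^[A-Z]{2,4}-\d{2,3}$")


def parse_extraction(raw_json, scope=SCOPE_CLAUSES):
    """Validate model output before it is allowed anywhere near the graph.

    Returns (edges, rejected). edges are (document, control_id, control_name,
    clause_id) tuples that passed; rejected records (control_id, reason) for
    dropped entries. The model's answer is untrusted input: it can hallucinate
    clause numbers and it can contain text that would change a Cypher query if
    someone concatenated it into one.
    """
    data = json.loads(raw_json)
    doc = str(data["document"])
    edges, rejected = [], []
    for ctrl in data.get("controls", []):
        cid, name = str(ctrl.get("id", "")), str(ctrl.get("name", ""))
        if not CONTROL_RE.match(cid):
            rejected.append((cid, "malformed control id"))
            continue
        for clause in ctrl.get("clauses", []):
            clause = str(clause)
            if not CLAUSE_RE.match(clause):
                rejected.append((cid, f"malformed clause id {clause!r}"))
            elif clause not in scope:
                rejected.append((cid, f"clause {clause} is outside the audit scope"))
            else:
                edges.append((doc, cid, name, clause))
    return edges, rejected


def build_graph(edges):
    """In-memory adjacency: clause -> covering controls, control -> clauses."""
    clause_to_controls, control_to_clauses = defaultdict(set), defaultdict(set)
    for _doc, cid, _name, clause in edges:
        clause_to_controls[clause].add(cid)
        control_to_clauses[cid].add(clause)
    return clause_to_controls, control_to_clauses


def find_gaps(edges, scope=SCOPE_CLAUSES):
    """Clauses in scope that no validated control maps to: the audit findings."""
    clause_to_controls, _ = build_graph(edges)
    return sorted(c for c in scope if c not in clause_to_controls)


def to_cypher(edges):
    """One parameterized statement that loads every edge.

    Values travel in the $rows parameter and are never spliced into the query
    text, so even a string that slipped past validation cannot alter the query.
    Run it with the official driver as session.run(query, rows=rows).
    """
    query = (
        "UNWIND $rows AS r "
        "MERGE (d:Document {id: r.doc}) "
        "MERGE (c:Control {id: r.control}) SET c.name = r.name "
        "MERGE (k:Clause {id: r.clause}) "
        "MERGE (d)-[:DEFINES]->(c) "
        "MERGE (c)-[:IMPLEMENTS]->(k)"
    )
    rows = [{"doc": d, "control": c, "name": n, "clause": k} for d, c, n, k in edges]
    return query, rows


if __name__ == "__main__":
    edges, rejected = parse_extraction(SAMPLE_LLM_OUTPUT)
    print("accepted edges:", len(edges), "rejected:", rejected)
    print("uncovered clauses:", find_gaps(edges))
    query, rows = to_cypher(edges)
    print(query, "\nrows:", rows)
```

On the constructed input the fourth control is rejected (its clause id fails the format check, which is also where the embedded Cypher fragment dies), four edges survive, and A.8.16 is reported as the clause in scope with no control mapped to it. The same gap query runs natively in Neo4j once the data is loaded (for example `MATCH (k:Clause) WHERE NOT (k)<-[:IMPLEMENTS]-() RETURN k.id`), which is the kind of pattern-matching query the graph mapping is there to enable.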


Section 05

Practical Application Value

NEXUS brings multi-dimensional value to enterprises:

  • Efficiency Improvement: manual audits that took weeks are shortened to hours, allowing audit teams to focus on high-risk areas;
  • Accuracy Enhancement: AI-driven analysis reduces human omissions and is particularly effective on large volumes of historical documents and cross-departmental policies;
  • Continuous Monitoring: compliance status can be monitored continuously so that new risks are detected promptly;
  • Knowledge Retention: storing compliance relationships in structured form prevents the loss of institutional knowledge when staff change.

Section 06

Technical Implementation Highlights

The project's technical highlights include:

  1. Multimodal AI Integration: uses Gemini's multimodal capabilities to process policy documents in formats such as PDF, Word, and plain text;
  2. Graph Algorithm Application: applies algorithms such as community detection and shortest path in Neo4j to identify key control points and optimization paths;
  3. Stream Processing Architecture: supports incremental updates, so that when a policy document changes only the affected compliance relationships are recomputed.
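The incremental update in item 3 is easiest to see as a worked example. The following is added here and is not NEXUS code; the policy texts, the stored state layout (content hash plus extracted control-to-clause edges per document), the stand-in for the model call, and the node labels are all constructed for the example. A content hash decides which documents are stale, so the model is only invoked for those; the graph delta is confined to the changed document's subgraph; and every new relationship records the hash of the policy version it came from, which gives an auditor provenance for each mapping.

```python
import hashlib


def fingerprint(text):
    """Content hash that decides whether a document must be re-parsed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed corpus: policy text as seen by the previous run and as seen now.
# One document changed, one is unchanged, one is new.
OLD_TEXTS = {
    "access-control-policy": "Remote access requires MFA. Access rights are reviewed "
                             "quarterly. Guest accounts expire after 30 days.",
    "logging-standard": "Retain security logs for 12 months.",
}
NEW_TEXTS = {
    "access-control-policy": "Remote access requires MFA. Access rights are reviewed "
                             "monthly. Privileged sessions are recorded.",
    "logging-standard": "Retain security logs for 12 months.",
    "monitoring-procedure": "The SOC reviews alerts daily.",
}

# State persisted by the previous run: per document, the content hash and the
# (control, clause) edges that were extracted from it.
PREVIOUS_STATE = {
    "access-control-policy": {
        "sha256": fingerprint(OLD_TEXTS["access-control-policy"]),
        "edges": {("AC-01", "A.5.17"), ("AC-01", "A.8.5"),
                  ("AC-02", "A.5.18"), ("AC-03", "A.5.16")},
    },
    "logging-standard": {
        "sha256": fingerprint(OLD_TEXTS["logging-standard"]),
        "edges": {("LG-01", "A.8.15")},
    },
}

# Stand-in for the LLM extraction call (constructed results). A real system
# would call the model here, and only for the documents that changed.
STUB_EXTRACTIONS = {
    "access-control-policy": {("AC-01", "A.5.17"), ("AC-01", "A.8.5"),
                              ("AC-02", "A.5.18"), ("AC-05", "A.8.15")},
    "monitoring-procedure": {("MN-01", "A.8.16")},
}


def changed_documents(previous, texts):
    """(stale, removed): documents that are new or whose hash changed, and
    documents that were present last run but are gone now."""
    stale = sorted(d for d, t in texts.items()
                   if d not in previous or previous[d]["sha256"] != fingerprint(t))
    removed = sorted(d for d in previous if d not in texts)
    return stale, removed


def edge_delta(old_edges, new_edges):
    """Edges to delete and edges to create, as sorted lists."""
    return sorted(old_edges - new_edges), sorted(new_edges - old_edges)


def cypher_for_document(doc_id, doc_hash, to_remove, to_add):
    """Parameterized statements confined to one document's subgraph.

    New relationships carry the source hash, so an auditor can trace any
    mapping in the graph back to the exact policy version it came from.
    """
    statements = []
    if to_remove:
        statements.append((
            "UNWIND $rows AS r "
            "MATCH (:Document {id: $doc})-[:DEFINES]->(c:Control {id: r.control})"
            "-[rel:IMPLEMENTS]->(:Clause {id: r.clause}) DELETE rel",
            {"doc": doc_id, "rows": [{"control": c, "clause": k} for c, k in to_remove]},
        ))
    if to_add:
        statements.append((
            "UNWIND $rows AS r "
            "MERGE (d:Document {id: $doc}) SET d.sha256 = $hash "
            "MERGE (c:Control {id: r.control}) MERGE (k:Clause {id: r.clause}) "
            "MERGE (d)-[:DEFINES]->(c) "
            "MERGE (c)-[rel:IMPLEMENTS]->(k) SET rel.source_sha256 = $hash",
            {"doc": doc_id, "hash": doc_hash,
             "rows": [{"control": c, "clause": k} for c, k in to_add]},
        ))
    return statements


def run_incremental(previous, texts, extract):
    """Re-extract only stale documents and emit per-document graph deltas.

    Returns (statements, new_state). Documents whose hash is unchanged get
    neither a model call nor a statement.
    """
    stale, removed = changed_documents(previous, texts)
    statements = {}
    state = {d: s for d, s in previous.items() if d not in removed}
    for doc in removed:  # drop every mapping the vanished document contributed
        statements[doc] = cypher_for_document(
            doc, previous[doc]["sha256"], sorted(previous[doc]["edges"]), [])
    for doc in stale:
        new_edges = set(extract(doc, texts[doc]))
        old_edges = previous.get(doc, {}).get("edges", set())
        to_remove, to_add = edge_delta(old_edges, new_edges)
        doc_hash = fingerprint(texts[doc])
        statements[doc] = cypher_for_document(doc, doc_hash, to_remove, to_add)
        state[doc] = {"sha256": doc_hash, "edges": new_edges}
    return statements, state


if __name__ == "__main__":
    stmts, state = run_incremental(
        PREVIOUS_STATE, NEW_TEXTS, lambda doc, _text: STUB_EXTRACTIONS[doc])
    for doc, doc_stmts in stmts.items():
        print(doc, "->", len(doc_stmts), "statement(s)")
```

On the constructed corpus only the access-control policy and the new monitoring procedure are re-extracted; the unchanged logging standard produces no statements at all. The access-control policy yields one DELETE for the guest-account mapping that disappeared and one MERGE for the new privileged-session mapping, which is exactly the "only the affected relationships" behaviour the item describes. Each (query, parameters) pair is meant to be passed to the Neo4j driver as `session.run(query, **parameters)` inside one transaction per document.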

Section 07

Future Outlook and Insights

NEXUS is an early exploration of AI applied to compliance auditing. It is expected to be extended to other standards such as GDPR, HIPAA, and SOC 2. For developers and security practitioners, the takeaways are how to combine an LLM with specialist domain knowledge, how to use a graph database for highly relational data, and how to design intuitive visualizations. The AI does not replace human auditors; it acts as an assistant that handles repetitive work, surfaces hidden patterns, and provides decision support, leaving the experts free to focus on strategic judgment.