
ISO27k Toolkit

The ISO27k Toolkit is a collection of generic ISMS-related materials contributed by members of the ISO27k Forum. We are very grateful for the generosity and community-spirit of the donors in allowing us to share them with you, free of charge. The materials have been donated by individuals with differing backgrounds, competence and expertise, working for a variety of organisations and contexts. They are models or templates, starting points if you will. Your information risks are unique, so it is incumbent on you to assess and treat your risks as you and your management see fit. Good luck!

ISO27k Toolkit

Everything here, in a zip file


All FREE!

ISMS implementation and cert process French

Thanks to Laurent Jaunaux, Integr'Action Conseil

ISMS implementation project estimator

Excel model to estimate how long it will take to implement an ISO/IEC 27001 ISMS

Adaptive SME security executive summary

An executive summary for busy SME owners, CEOs or managers

4.4 ISMS documentation

Checklist for 14 types of ‘documented information’ plus additional discretionary materials

6.1 Information risk register

Systematically assess, evaluate, rank and decide how to treat your information risks

6.1 Plain SoA with metrics

Generate and record your Statement of Applicability, along with basic metrics

6.1.2 Information risk catalogue

A checklist of 80 commonplace information risks for risk identification

7.3 Single-page FAQ awareness example

Succinct set of Frequently Asked Questions about “ISO 27001”

9.2 Audit exercise - crib sheet

Suggested answers for the audit exercise, with tips on audit principles

9.2 ISMS internal audit procedure

Describes the typical process for conducting ISMS internal audits

A5.9 Information asset checklist

How can you protect your stuff if you don't know what you've got?

A5.15 Policy on access control

A skeleton to beef-up according to your needs

A5.34 Policy on privacy

Minimalist starting point for customisation

A6.2 Policy on employment contracts

Extreme minimalism - just 3 generic policy statements to elaborate on

A7.4 Policy on physical security monitoring

Bare bones, just 6 policy statements

A7.14 Policy on secure disposal

8 policy statements about disposing of potentially valuable information

A8.20 Policy on network security

Just 9 policy statements scratch the surface of this deep topic

ISO27k Toolkit terms and conditions

A Creative Commons license covers most of the items

ISMS implementation checklist

Pragmatic guidance for ISO/IEC 27001 implementers

ISMS gap analysis questionnaire

Generic questionnaire on conformity to ISO/IEC 27001

4 Generic cost-benefit analysis

The basis for an ISO27k ISMS business case, proposal or budget request

5.2 Policy management process

Splits the process into policy development and operation

6.1 Iterative risk analysis

Double-sided guide to a cyclical risk analysis method that revolves around incidents

6.1 Plain SoA Español

Cristian Celdeiro helped with the translation into Spanish

6.3 Change management policy

Addresses the requirement to manage changes to the ISMS

7.4 Introduction and gap analysis email

Template for a kick-off message introducing the ISMS implementation project

9.2 Audit exercise - Português Brasileiro

Exercise translated to Português Brasileiro

9.3 ISMS management review agenda

Agenda items for a meeting to discuss an ISMS management review

A5.9 Technology types, risks and controls

3 pages outlining 5 types of technology with the associated risks and controls

A5.19 Policy on outsourcing

Model policy on risks and controls in business process outsourcing

A5.34 Briefing on ISO27k for GDPR

Where information security and privacy requirements coincide, go for common controls

A6.3 Policy on awareness and training

Rolling programme of security awareness and training for managers, staff, contractors etc.

A7.9 Policy on working offsite

7 generic policy statements to bootstrap a workable policy

A8.12 Policy on data leakage prevention

4 crude policy statements to expand upon

A8.32 Policy on change management

Construct your own policy, elaborating on these 5 brief statements

ISMS implementation and certification process

One-page diagram on building, implementing and certifying an ISMS

ISMS implementation guideline

Explains the requirements in ISO/IEC 27001 with pragmatic implementation guidance

Adaptive SME security

Pragmatic approach to information risk and security for SMEs, even micro-orgs

4.4 Documentation mind map

Just the mandatory ISMS docs required by main body clauses

6.1 Security control attributes

Use ‘control attributes’ to specify, select and improve information security controls

6.1 Smart SoA with custom controls

Customise Annex A controls to address your organisation's unique situation

6.1 Plain SoA Português

Cristian Celdeiro helped with the translation into Brazilian Portuguese

7.3 Prepare to be audited leaflet

Awareness on being audited by ISMS internal, certification or technology auditors

9.2 Audit exercise

A basic exercise or test for ISMS auditors

9.2 Audit exercise - crib - Português Brasileiro

Crib sheet in Português Brasileiro

A5.4 Policy on mgmt responsibilities

A bare-bones policy skeleton to flesh out

A5.10 Professional services infosec checklist

Security activities for the start, middle and end of professional services engagements

A5.32 Policy on intellectual property

3 basic policy statements to set you off on the right foot

A6 Policy on HR

A very basic HR security policy starter: lots worth adding!

A7.1 Policy on physical controls

Another skeletal policy starter with a dozen policy statements to set you thinking

A7.12 Policy on cabling security

Just 5 simple policy statements to expand into an actual security policy

A8.13 Policy on backups

An important topic for strategies, policies and procedures

Not quite what you need? 
Willing to contribute?
Get in touch!

Further toolkit contributions are most welcome, whether to plug the many gaps (e.g. materials covering other clauses and controls from ISO/IEC 27001 and 27002), offer constructive criticism, translate these materials or provide additional examples. Case study materials would be great. Novel ways of satisfying the standards’ requirements, plus creative, inspirational and innovative approaches are particularly welcome, but so too are simplifications, checklists, diagrams and starting points. Please get in touch if you are willing to donate or seek other materials. We'll see what we can do to help.

© 2025 IsecT Limited 
