Whitepaper 42 pages 2.8 MB

ISMS Starter Kit: ISO 27001 in 10 Steps

Practical guide with checklists, templates, and examples for building an Information Security Management System aligned with ISO 27001.

The ISMS Starter Kit condenses lessons learned from more than 100 ISMS projects into one compact guide. You get step-by-step instructions for scope definition, risk assessment, and the Statement of Applicability, plus editable templates for policies, role descriptions, and the risk register. Ideal for security leaders building a new ISMS or aligning an existing one with ISO 27001.

What’s inside?

  • Structured 10-step roadmap from kick-off to certification readiness
  • Scope-definition template with a decision tree for exclusions and interfaces
  • Risk register with a methodologically sound assessment by likelihood and impact
  • Sample Statement of Applicability (SoA) against ISO 27001 Annex A with all 93 controls pre-filled
  • Editable policy templates (Information Security Policy, Access Control, Cryptography, Supplier Relationships, Incident Management)
  • Role and responsibility matrix including RACI mapping
  • Internal audit programme with a question catalogue and audit-protocol template
  • Checklist to prepare for the certification audit (stage 1 and stage 2)
  • Communication templates for management, employees and external stakeholders

Who is this document for?

The Starter Kit is aimed at Information Security Officers (ISOs), CISOs, IT leads and quality-management owners in small and mid-sized organisations who want to build or modernise their ISMS against ISO 27001. It is particularly valuable for organisations that do not yet run a formal ISMS but are working towards certification or NIS2 compliance. Consultants who set up ISMS projects in client environments also get an immediately usable toolkit.

Frequently asked questions about this document

How long does it realistically take to build a certification-ready ISMS with the Starter Kit?
Typical SME projects that use the kit as a working basis take six to twelve months to reach audit readiness – depending on how well existing processes are already documented, how fast management can take decisions, and whether an internal or external Information Security Officer runs the project.
Are the templates compatible with ISO 27001:2022?
Yes. All templates – especially the Statement of Applicability – reflect the 93 controls of the updated Annex A (2022 edition) and the new grouping into organisational, people, physical and technological controls.
Can I adapt the templates to my corporate identity?
Yes. All documents are provided as editable DOCX and XLSX files. Colours, logos, paragraph styles and metadata fields can be adapted centrally so that your corporate design stays intact.
Is the kit sufficient on its own for certification?
The kit provides the structural and documentary foundation. To pass a certification audit you also need clean day-to-day implementation of the controls, an internal audit and a management review. We are happy to support you with our "External Information Security Officer" service.
How does the kit differ from a consulting engagement?
The kit is a structured self-service toolbox – ideal when you want to keep the build-up in your own hands. Our consulting augments the kit selectively (e.g. workshops, risk-assessment sessions, audit preparation) or can take ownership of the full ISMS as a managed service.

Ready for World-Class IT Security?

Contact us for a non-binding consultation and find out how we can take your information security to the next level.

Or give us a call: +49 (0) 2058 175 566 0