ISO 27001 Readiness Kit, web version
This page gives you the same orientation as the PDF in a browser-friendly format. It is intentionally diagnostic, so you can understand the work before deciding whether you need templates or a tailored setup.
Goal
Move from “we think we should probably do ISO 27001” to “we know what belongs in scope, what evidence matters, and what the next step actually is.”
The first 5 steps
- Define scope. Choose the systems, teams, and assets that belong inside your ISMS. Start with the core product environment if you need to keep it lean.
- Run a risk assessment. Identify important assets, likely threats, and the potential impact if something goes wrong.
- Draft the Statement of Applicability. Show which controls you are implementing and explain exclusions clearly.
- Appoint an owner. Someone needs to drive the process. For SMEs, this can be part-time, but it should still be explicit.
- Set the baseline policy and evidence set. Start with access control, incident response, secure development, and the evidence that proves they operate.
Minimum evidence pack
- Asset register
- Risk register
- Access logs plus review cadence
- Onboarding and offboarding checklist
- Incident log, even for low-severity events
Common pitfalls
- Writing too much generic policy that nobody maintains
- Patching controls before defining scope and risk
- Ignoring ownership and relying on good intentions
- Waiting until audit week to gather evidence
Choose the right next step
Stay with the free kit
Best if you need orientation, scope clarity, and a realistic picture of the work.
Move to the €49 Starter Pack
Best if you want editable templates, evidence trackers, and folder structures so you can start building immediately.
Choose the €299 Tailored Setup
Best if the timeline is tight and you want the system shaped around your stack, team, and evidence needs.