The ISO27k Toolkit is a collection of generic ISMS-related materials contributed by members of the ISO27k Forum. We are very grateful for the generosity and community-spirit of the donors in allowing us to share them with you, free of charge. The materials have been donated by individuals with differing backgrounds, competence and expertise, working for a variety of organisations and contexts. They are models or templates, starting points if you will. Your information risks are unique, so it is incumbent on you to assess and treat your risks as you and your management see fit.
The November 2022 release of the ISO27k Toolkit is a zip containing the following files:
- ISO27k ISMS 2 ISO27k standards listing 2022 - a listing of the ISO/IEC 27000 standards.
- ISO27k ISMS 4 generic business case 2022 - use this to convince your management that the business benefits of an ISMS far outweigh the costs, if they are not already sold on the idea.
- ISO27k ISMS 4.4 implementation and certification process 2022 - a single-page diagram summarizing the entire process of designing, developing, implementing and certifying an ISMS.
- ISO27k ISMS 4.4 mandatory documentation checklist release 2022 - a detailed checklist covering the few items of ‘documented information’ that are formally required by ISO/IEC 27001:2022 plus rather more that your organisation probably requires to manage its information risks and security controls, and if necessary demonstrate that to the certification auditors.
- ISO27k ISMS 6.1 guideline on security control attributes 2022 - a white paper that expands on the ‘control attributes’ concept introduced in ISO/IEC 27002:2022, explaining how attributes can be used to specify, select and improve information security controls.
- ISO27k ISMS 6.1 SoA 2022 - a simple Excel spreadsheet with which to generate and record your Statement of Applicability.
  - ISO27k SGSI 6.1 SoA 2022 Español - Cristian Celdeiro helped with the translation into Spanish.
  - ISO27k SGSI 6.1 SoA 2022 Português - Cristian Celdeiro helped with the translation into Brazilian Portuguese.
- ISO27k ISMS 6.3 information security policy on change and configuration management 2022 - ISO/IEC 27001:2022 clause 6.3 is a new requirement for changes to the ISMS to be managed, while changes to IT assets, configurations, processes, controls etc. are generally worth managing to mitigate information risks that are unacceptable to the organisation.
- ISO27k ISMS 7.3 FAQ one pager 2022 - a very succinct set of Frequently Asked Questions about “ISO 27001” - an example security awareness briefing for workers in general that you might like to use when initially implementing your ISMS. [You may also appreciate the much lengthier online ISO27k FAQ!]
- ISO27k ISMS 7.3 prepare to be audited leaflet 2022 - guidance on how to handle being audited by ISMS internal auditors, certification auditors, IT auditors and the like.
- ISO27k ISMS 7.4 intro and gap analysis email template 2022 - donor text for a message to general managers about implementing an ISO27k ISMS.
- ISO27k ISMS 8.1 implementation project estimator 2022 - a simplistic Excel model to estimate how long it will take to implement a certifiable ISMS using ISO/IEC 27001.
- ISO27k ISMS 9.2 audit exercise 2021 - an exercise/test for ISMS auditors.
  - ISO27k ISMS 9.2 audit exercise 2021 crib sheet - suggested answers.
  - ISO27k ISMS 9.2 audit exercise 2021 - Português Brasileiro (Brazilian Portuguese version).
  - ISO27k ISMS 9.2 audit exercise 2021 crib sheet - Português Brasileiro (Brazilian Portuguese version).
- ISO27k ISMS 9.2 internal audit procedure 2022 - describes a typical process for conducting ISMS internal audits.
- ISO27k ISMS 9.3 management review meeting agenda 2022 - a simple agenda for a management meeting to discuss the findings of an ISMS management review.
- ISO27k ISMS A5.9 information asset checklist 2022 - knowing which information assets might be at risk can be a useful basis for an ISMS, so here are some clues about what to look for.
- ISO27k ISMS A5.10 professional services information security checklists 2022 - suggests information security activities for the start, middle and end phases of professional services engagements in which valuable information is shared and created.
- ISO27k ISMS A5.19 information security policy on outsourcing 2022 - a generic model policy covering the risks and controls relevant to business process outsourcing.
- ISO27k ISMS A5.34 briefing on ISO27k controls for GDPR 2022 - where information security and privacy requirements align, common controls may satisfy both.
This is a work-in-progress: further contributions are most welcome, whether to plug the many gaps (e.g. materials covering other clauses and controls from ISO/IEC 27001:2022), offer constructive criticism, translate these or provide additional examples of the materials provided. Novel ways of satisfying the standard’s requirements - creative approaches that may inspire others - are particularly welcome. Please get in touch if you plan to offer additional content: we can help with guidance on style, readability and copyright.
Terms and conditions of use
Please read and respect the copyright notices within the individual files. Most are released under the Creative Commons Attribution-Noncommercial-Share Alike license: you are welcome to reproduce, circulate, use and create derivative works from these materials, provided that: (a) they are not sold or incorporated into commercial products, (b) they are duly attributed to the ISO27k Forum at ISO27001security.com, and (c) if they are published or shared, derivative works are shared under the same terms.