
How can the ISO 27001 Toolkit help you to achieve ISO/IEC 27001 certification?

Hitting a moving target

When looking at information security the emphasis is usually on risk assessment and the maintenance of controls to protect against risk. And it’s right that this should be the main focus; it is, after all, the main deliverable of the whole information security idea.

In a perfect world we would assess our risks once, based on perfect knowledge of the business and the threats to it, and nothing would ever change. The controls would be appropriate and effective at all times, would never need improving, and everyone would know how to use them.

But we live in a far from perfect world: things can and do change on a regular basis, we don’t know everything about the business, risks change, people come and go from the organization, and our definition of what’s important moves all the time.

We need an Information Security Management System (ISMS)

So the ISO/IEC 27001 standard proposes that we don’t just need a plan; we need an Information Security Management System or ISMS. The function of the ISMS is to wrap itself around the risk assessment and controls and ensure (among other things) that:

  • Everyone understands what we’re trying to achieve (Objectives)
  • The risk assessment is based on the right information about the business (Business context)
  • We have a good idea of what the current main threats are (Risk management)
  • Everybody knows about the controls (including policies and procedures) and how to use them (Awareness and training)
  • We update the risk assessment when things change around it (Management review)
  • The level of protection in place gets better over time (Continual improvement)

Why start with a blank page?

The CertiKit ISO/IEC 27001 Toolkit (referred to here simply as the “Toolkit”) provides not only the plan, but also a large part of the ISMS that supports it. So within your Toolkit you will have an array of useful documents which provide a starting point for all of the different areas of the standard. The documents are in Microsoft Office 2010® format and consist of Word documents, Excel workbooks, PowerPoint presentations, Visio diagrams and Project plans.

Each document is located within a folder structure that maps onto the various sections of the standard and is placed under the section that is most relevant to its content. Some documents are relevant to multiple sections of the standard and are placed in the one of greatest relevance.

A document reference naming convention is used throughout the Toolkit which is described in ISMS07003 Information Security Management System Documentation Log. This includes a reference to the section number of the ISO/IEC 27001 standard in which the document is stored. The standard doesn’t require that you use this specific naming convention so feel free to change it if you need to.

The documents themselves have a common layout and look and feel and adopt the same conventions for attributes such as page widths, fonts, headings, version information, headers and footers. Custom fields are used for the common items of information that need to be tailored such as [Organization Name] and these need to be changed in each document.

Every document starts with an “Implementation Guidance” section which describes its purpose, the specific areas of the ISO/IEC 27001 standard it is relevant to, general guidance about completing and reviewing it and some legal wording about licensing etc. Once read, this section may be removed from the final version of the document.

Making it your own

The layout and headings of each document have been designed to guide you towards meeting the requirements of the standard and example content has been provided to illustrate the type of information that should be given in the relevant place. This content is based upon an understanding of what a “typical” organization might want to say but it is very likely that your organization will vary from this profile in many ways so you will need to think carefully about what content to keep and what to change.

The key to using the Toolkit successfully is to review and update each document in the context of your specific organization. Don’t accept the contents without reading them and thinking about whether they meet your needs – does the document say what you want it to say, or do you need to change various aspects to make it match the way you do things? This is particularly relevant for policies and processes where there is no “right” answer.

The function of the document content is to help you assess what’s right for you, so use due care when considering it. We have highlighted the sections that are very likely to need amending, but be aware that other, non-highlighted sections may also need to be updated for your organization.

Achieving certification

Having created an ISMS and got it working for you, it’s then a short step to achieving certification for your organization, large or small. Advice on the audit itself is covered in some of our other blogs, but with a little effort you’ll be holding your new ISO27001 certificate before you know it.
