ISO/IEC 27001:2022 · ISMS · Certification Documentation

ISO 27001:2022 Templates

ISO 27001 certification is granted against a management-system standard — it requires a documented ISMS, a full Statement of Applicability, and a defined set of controls. This pack gives you all three: the 8 mandatory ISMS documents, a Statement of Applicability covering all 93 Annex A controls, and 19 editable control policies — cross-mapped to SOC 2.

Built for startups pursuing first-time certification
The gap

Certification starts with your ISMS documents and a Statement of Applicability.

Before a certification body will schedule your Stage 2 audit, you need a defined ISMS scope, a risk methodology, a Statement of Applicability covering all 93 Annex A controls, and a set of policies — plus records proving you ran an internal audit and a management review. Drafting that from a blank page takes weeks, and generic templates are unmapped and recognizably copied. An auditor notices both.

What's included

The three things certification requires — done.

Delivered as editable Word and PDF, in one combined pack and as individual files. Every document carries a practitioner's note on how a certification auditor evaluates it.

Statement of Applicability · Clause 6.1.3(d)

All 93 Annex A:2022 controls with applicability, a fill-in justification, and implementation status — the master checklist your auditor works from. Every control title verified against ISO/IEC 27002:2022.

8 Mandatory ISMS Documents · Clauses 4–10

The management-system documents a certification body checks first — scope, policy, risk methodology, treatment plan, internal audit, management review, corrective action, document control.

19 Annex A Control Policies · Annex A + SOC 2

Editable policies implementing the controls (access control, incident response, vendor risk, encryption, secure development, BC/DR, and more), each mapped to ISO 27001 and SOC 2.

Part A — Mandatory ISMS documents

The eight documents Clauses 4–10 require.

These are the management-system documents SOC 2 doesn't ask for — and the first thing an ISO auditor requests. Each is editable, with fill-in fields for your scope, risk criteria, and cadence.

01. ISMS Scope (Cl 4.3)
02. Information Security Policy & Objectives (Cl 5.2 · 6.2)
03. Risk Assessment & Treatment Methodology (Cl 6.1.2)
04. Risk Treatment Plan (Cl 6.1.3)
05. Internal Audit Programme (Cl 9.2)
06. Management Review (Cl 9.3)
07. Nonconformity & Corrective Action (Cl 10.1)
08. Documented Information Control (Cl 7.5)

Also included: an ISO 27001 implementation roadmap — a phased plan from "nothing documented" to the Stage 2 certification audit.

Part B — Statement of Applicability

All 93 Annex A controls, in the format your auditor expects.

The SoA is the single most-scrutinized document in a Stage 2 audit. Ours lists every Annex A:2022 control across the four themes — Organizational (37), People (8), Physical (14), Technological (34) — each with applicability, a justification you can adopt, status, and the policy that implements it.

Every control title verified verbatim against ISO/IEC 27002:2022.
Fill-in applicability and justification columns — no blank-page drafting.
Delivered as its own file and inside the combined pack.
Traceability

Mapped to the standard — and to SOC 2.

An auditor tests what you do against what you documented. Every document is tied to the clause or control it satisfies, so coverage is demonstrable, not asserted — and the control policies carry a SOC 2 mapping too.

ISO 27001:2022 Clauses 4–10 + Annex A

Mandatory documents traced to the management-system clause they satisfy; the SoA and policies traced to Annex A:2022 controls.

SOC 2 Trust Services Criteria

Every control policy also cites its SOC 2 Common Criteria reference, so one control set carries a dual-framework program.

Who it's for

Built for teams chasing their first certificate.

Founder

Startup pursuing ISO 27001

International or enterprise buyers demand the certificate. You need a real, mappable ISMS without a five-figure consulting engagement.

First hire

First security hire

Certification landed on your desk. Start from an auditor-ready SoA and document set instead of a blank page.

vCISO

vCISO / consultant

Customize and deploy per client under the license — run ISO 27001 readiness as a billable service.

The alternatives

A faster baseline than the usual three.

Approach | Cost | What you get
Engage a consultant | $15k–40k | Custom ISMS, slowly and expensively
Compliance platform | $10k+/yr | Evidence automation — the SoA and documents are still yours to write
Free generic templates | $0 | Unmapped, inconsistent, no complete SoA
AuditWolf ISO 27001 Pack | $199 once | Full SoA (93 controls) + 8 ISMS docs + 19 mapped policies + roadmap

The certificate itself is issued by an accredited certification body after the Stage 1 and Stage 2 audits — this pack gets your documentation ready for them.

Start free

Not ready to buy? Start with the checklist.

Every document and record ISO/IEC 27001:2022 requires, clause-referenced. Tick what you already have; the gaps are your to-do list before a certification audit.

Download the free checklist
Questions

What buyers ask before purchasing.

What is a Statement of Applicability and why do I need one?

The SoA (Clause 6.1.3(d)) lists all 93 Annex A controls with each control's applicability, justification, and status. It's the master checklist a certification auditor works from, so it's mandatory. This pack includes a complete SoA covering all 93 controls.

Which mandatory documents does ISO 27001:2022 require?

Clauses 4–10 require the ISMS scope, information security policy and objectives, a risk assessment and treatment methodology, a risk treatment plan, an internal audit programme, management review, corrective action, and document control. All eight are in the pack, plus the SoA and 19 Annex A policies.

Do I still need a certification body?

Yes. This pack gets your documentation ready for the Stage 1 and Stage 2 audits, but the certificate is issued by an accredited certification body after they audit your implementation. The pack removes the blank-page work; the certificate comes from the auditor.

Does this cross-map to SOC 2?

Yes. The 19 Annex A control policies are the same ones in our SOC 2 pack, each carrying both its ISO 27001:2022 Annex A reference and its SOC 2 Trust Services Criteria mapping — one control set supports both frameworks.

How does this compare to a consultant or Vanta?

A consultant bills $150–300/hr; platforms run $10,000+/yr and still expect you to author the documents. This is a one-time $199 documentation baseline — the SoA, mandatory ISMS documents, and policies — authored by a practicing security professional.

Is this legal or certification advice?

No. These are editable templates for building your ISMS — not legal or certification advice, and not a guarantee of certification. Align each document to how you operate and validate with your chosen certification body.

Ready for Stage 2

SoA, ISMS docs, and policies — adopt-ready.

$199 · one-time · editable Word + PDF · yours to keep
Get the pack
Also from AuditWolf

Chasing SOC 2 first?

The SOC 2 Starter Policy Pack gives you the 19 core security policies a SOC 2 examination expects — mapped to the Trust Services Criteria and ISO 27001 — plus a 90-day audit-readiness plan and an evidence-collection index. The same policies cross-map straight into this ISO pack.
