ISO 27001 certification is granted against a management-system standard — it requires a documented ISMS, a full Statement of Applicability, and a defined set of controls. This pack gives you all three: the 8 mandatory ISMS documents, a Statement of Applicability covering all 93 Annex A controls, and 19 editable control policies — cross-mapped to SOC 2.

Before a certification body will schedule your Stage 2 audit, you need a defined ISMS scope, a risk methodology, a Statement of Applicability covering all 93 Annex A controls, and a set of policies — plus records proving you ran an internal audit and a management review. Drafting that from a blank page takes weeks, and generic templates are unmapped and recognizably copied. An auditor notices both.
Delivered as editable Word and PDF, in one combined pack and as individual files. Every document carries a practitioner's note on how a certification auditor evaluates it.
All 93 Annex A:2022 controls with applicability, a fill-in justification, and implementation status — the master checklist your auditor works from. Every control title verified against ISO/IEC 27002:2022.
The management-system documents a certification body checks first — scope, policy, risk methodology, treatment plan, internal audit, management review, corrective action, document control.
Editable policies implementing the controls (access control, incident response, vendor risk, encryption, secure development, BC/DR, and more), each mapped to ISO 27001 and SOC 2.
These are the management-system documents SOC 2 doesn't ask for — and the first thing an ISO auditor requests. Each is editable, with fill-in fields for your scope, risk criteria, and cadence.
Also included: an ISO 27001 implementation roadmap — a phased plan from "nothing documented" to the Stage 2 certification audit.
The SoA is the single most-scrutinized document in a Stage 2 audit. Ours lists every Annex A:2022 control across the four themes — Organizational (37), People (8), Physical (14), Technological (34) — each with applicability, a justification you can adopt, status, and the policy that implements it.

An auditor tests what you do against what you documented. Every document is tied to the clause or control it satisfies, so coverage is demonstrable, not asserted — and the control policies carry a SOC 2 mapping too.
Mandatory documents traced to the management-system clause they satisfy; the SoA and policies traced to Annex A:2022 controls.
Every control policy also cites its SOC 2 Common Criteria reference, so one control set carries a dual-framework program.
International or enterprise buyers demand the certificate. You need a real, mappable ISMS without a five-figure consulting engagement.
Certification landed on your desk. Start from an auditor-ready SoA and document set instead of a blank page.
Customize and deploy per client under the license — run ISO 27001 readiness as a billable service.

| Approach | Cost | What you get |
|---|---|---|
| Engage a consultant | $15k–40k | Custom ISMS, slowly and expensively |
| Compliance platform | $10k+/yr | Evidence automation — the SoA and documents are still yours to write |
| Free generic templates | $0 | Unmapped, inconsistent, no complete SoA |
| AuditWolf ISO 27001 Pack | $199 once | Full SoA (93 controls) + 8 ISMS docs + 19 mapped policies + roadmap |

The certificate itself is issued by an accredited certification body after the Stage 1 and Stage 2 audits — this pack gets your documentation ready for them.
Every document and record ISO/IEC 27001:2022 requires, clause-referenced. Tick what you already have; the gaps are your to-do list before a certification audit.
The SoA (Clause 6.1.3(d)) lists all 93 Annex A controls with each control's applicability, justification, and status. It's the master checklist a certification auditor works from, so it's mandatory. This pack includes a complete SoA covering all 93 controls.
Clauses 4–10 require the ISMS scope, information security policy and objectives, a risk assessment and treatment methodology, a risk treatment plan, an internal audit programme, management review, corrective action, and document control. All eight are in the pack, plus the SoA and 19 Annex A policies.
Yes. This pack gets your documentation ready for the Stage 1 and Stage 2 audits, but the certificate is issued by an accredited certification body after they audit your implementation. The pack removes the blank-page work; the certificate comes from the auditor.
Yes. The 19 Annex A control policies are the same ones in our SOC 2 pack, each carrying both its ISO 27001:2022 Annex A reference and its SOC 2 Trust Services Criteria mapping — one control set supports both frameworks.
A consultant bills $150–300/hr; platforms run $10,000+/yr and still expect you to author the documents. This is a one-time $199 documentation baseline — the SoA, mandatory ISMS documents, and policies — authored by a practicing security professional.
No. These are editable templates for building your ISMS — not legal or certification advice, and not a guarantee of certification. Align each document to how you operate and validate with your chosen certification body.
The SOC 2 Starter Policy Pack gives you the 19 core security policies a SOC 2 examination expects — mapped to the Trust Services Criteria and ISO 27001 — plus a 90-day audit-readiness plan and an evidence-collection index. The same policies cross-map straight into this ISO pack.