Digital Download -- Instant Access. Last updated: 2026-03-27

ISO 27001 SMB Starter Pack

Stop paying $30,000 for a consultant to tell you where your gaps are. Run your own ISO 27001:2022 gap assessment, build your policy library, and arrive at certification audit-ready — for $147.

$147 USD
vs $30,000+ consultant gap assessment

30-Day Money-Back Guarantee

Instant download · 7 PDFs · ISO 27001:2022 aligned · All 93 controls covered

ISO 27001 Certification is a $20,000–$70,000+ Investment

Full certification costs are significant — and many SMBs waste tens of thousands going in blind. A structured gap assessment is how you cut the waste and know exactly what you are walking into.

Certification Costs $20K–$70K+

Full ISO 27001 certification in Australia typically costs $20,000 to $70,000+ AUD including consultant support and auditor fees — before you factor in staff time. (Source: iso-27001.com.au, 2025)

Enterprise Contracts Require It

ISO 27001 is frequently referenced in procurement processes, enterprise contracts, and security questionnaires. Without it, SMBs are disqualified from supplier panels before the conversation starts. (Source: Chill Compliance, Dec 2025)

93 Controls Across 4 Domains

ISO 27001:2022 restructured 114 controls into 93 across Organizational, People, Physical, and Technical domains — with 11 brand-new controls added for cloud, threat intelligence, and ICT continuity. Without a structured assessment, knowing where to start is genuinely difficult. (Source: ANAB / Protiviti)

Gap Assessment Alone = $30,000

Hiring an ISO 27001 consultant for the gap assessment phase alone costs approximately $30,000 USD. That is the fee to find out where you stand — before a single policy is written or a control is implemented. (Source: TrustNet Inc)

What is Included

Seven documents that take you from "we need ISO 27001" to a structured, audit-ready foundation — without the consultant invoice.

ISO 27001:2022 Gap Assessment (core document)

Self-assessment scoring tool covering all 93 controls across all 4 domains. For each control, assess your current state, identify gaps, and calculate your readiness score. The same structured approach a consultant uses — without the $30,000 fee.

Risk Register (15 pre-populated risks)

Ready-to-use risk register with 15 pre-populated risks drawn from common SMB threat scenarios: data breaches, ransomware, insider threats, vendor failures, and more. Add your own risks using the included scoring methodology.

Statement of Applicability Template

The Statement of Applicability (SoA) is a mandatory ISO 27001 deliverable. This template lists all 93 controls, lets you mark each as applicable or excluded, and documents your justification — exactly what auditors expect to see.

12 Policy Templates (biggest value)

Ready-to-customise policy documents for the 12 controls SMBs most commonly fail to have documented:

  • Access Control Policy
  • Password Management Policy
  • Incident Response Policy
  • Data Classification Policy
  • BYOD (Bring Your Own Device) Policy
  • Remote Work Security Policy
  • Vendor Management Policy
  • Acceptable Use Policy
  • Business Continuity Policy
  • Backup and Recovery Policy
  • Encryption Policy
  • Physical Security Policy

90-Day Implementation Roadmap

A week-by-week action plan for the first 90 days of your ISO 27001 implementation. Covers gap assessment completion, policy adoption, risk treatment planning, and preparation for the Stage 1 audit. Designed for teams without a dedicated information security manager.

Board / Executive Presentation Template

A ready-to-present slide deck template for getting ISO 27001 buy-in from leadership. Covers the business case, cost comparison, timeline, and resource requirements in language executives understand.

Certification Readiness Checklist

A pre-audit checklist covering every mandatory requirement for ISO 27001 Stage 1 and Stage 2 audits. Use this before engaging your certification body to confirm you are ready and avoid costly audit failures.

Consultant gap assessment alone: $30,000
$147 USD
The structured foundation — without the consultant invoice

ISO 27001:2022 — What Changed and Why It Matters

The 2022 edition is a significant update. If your organisation holds a 2013 certificate, transition was required by October 2025. If you are starting fresh, the 2022 edition is the only version you should be preparing for.

114 Controls Became 93

ISO 27001:2022 restructured the original 114 controls into 93. Fifty-seven controls were merged into 24 combined controls. Fifty-eight controls remain mostly unchanged with minor contextual updates. Eleven controls are entirely new. The total count decreased but the scope expanded. (Source: Protiviti)

4 New Domains Replace 14

The 2022 edition organises controls into 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technical (34 controls). This replaces the 14 control domains from the 2013 edition. The new structure is easier to navigate for SMBs. (Source: ANAB Blog)

11 Brand-New Controls

New controls in the 2022 edition cover areas that did not exist in 2013: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. These are the gaps most SMBs will fail on. (Source: ANAB / Protiviti)

Globally 70,000+ Certificates Issued

As of the most recent ISO Survey, approximately 70,938 ISO 27001 certificates had been issued globally. ISO 27001 is the world's most widely adopted information security management standard. (Source: ISO Survey, iso.org)

Built For

This is a starter pack for SMBs at the beginning of the ISO 27001 journey — not a tool for enterprises already in active certification.

IT Managers

Tasked with "getting the business ISO 27001 ready" without the budget for a full consulting engagement. Use this to run your own gap assessment, build the policy library, and present a structured plan to leadership.

Operations Managers

Who own compliance and procurement qualification but have limited security expertise. The gap assessment and 90-day roadmap give you a clear path without requiring deep technical knowledge.

Business Owners

Pursuing enterprise contracts or government supply chains where ISO 27001 is a procurement gate. Use this pack to understand the full scope of what certification requires before committing to the investment.

MSPs and IT Providers

Who advise SMB clients on ISO 27001 preparation. This toolkit provides a scalable, structured foundation for initial client assessments — without rebuilding documentation from scratch each time.

The $147 vs $30,000 Decision

A consultant-led gap assessment gives you the same structured output as this pack — at approximately 200x the price. The difference is who does the work.

Feature                                  | Free / DIY            | ISO 27001 Consultant | This Starter Pack
-----------------------------------------|-----------------------|----------------------|------------------
All 93 controls assessed                 | No structured tool    | Yes                  | Yes
Statement of Applicability template      | No                    | Yes                  | Yes
12 policy templates included             | No                    | Yes (extra cost)     | Yes
Risk register with pre-populated risks   | No                    | Yes                  | Yes
90-day implementation roadmap            | No                    | Sometimes            | Yes
Board presentation template              | No                    | Rarely               | Yes
ISO 27001:2022 aligned (93 controls)     | No                    | Yes                  | Yes
Price                                    | $0 (but no structure) | $20,000 – $70,000+   | $147

Frequently Asked Questions

Does this pack get my business ISO 27001 certified?

No — and that distinction matters. ISO 27001 certification requires a formal audit by an accredited certification body, which typically costs $20,000–$70,000+ AUD. This pack gives you the structured toolkit to begin that journey: understand your gaps, document your policies, and prepare for the audit process. Think of it as the foundation, not the finish line.

What is included in the pack?

Seven PDF files: ISO 27001:2022 Gap Assessment (all 93 controls), Risk Register (15 pre-populated risks), Statement of Applicability template, 12 policy templates (access control, passwords, incident response, data classification, BYOD, remote work, vendor management, acceptable use, business continuity, backup, encryption, physical security), 90-day implementation roadmap, board/executive presentation template, and certification readiness checklist.

How long does ISO 27001 certification take for an SMB?

Typical SMB certification timelines range from 6 to 18 months depending on starting maturity and resource availability. The gap assessment is the critical first step — it tells you exactly how far you are from certification and where to focus effort. This pack gives you that assessment plus the policy documentation to accelerate the process.

Why do I need ISO 27001 if my business already follows the Essential Eight?

The Essential Eight is an excellent technical controls baseline for Australian businesses, but it is not internationally recognised. ISO 27001 is the global standard referenced in enterprise procurement, government contracts, and export markets. If you are bidding for large enterprise or government contracts, ISO 27001 is frequently a procurement gate. The two frameworks complement each other — Essential Eight compliance can help accelerate ISO 27001 preparation.

What changed between ISO 27001:2013 and ISO 27001:2022?

ISO 27001:2022 restructured the controls from 114 (across 14 domains) down to 93 controls across 4 themes: Organizational, People, Physical, and Technical. Eleven controls are brand new, covering threat intelligence, cloud security, ICT readiness, and data leakage prevention. Fifty-seven controls were merged into 24. Transition from 2013 certification was required by October 2025. (Source: ANAB, Protiviti)

Is $147 USD really enough to start ISO 27001 preparation?

Yes — for the documentation and gap assessment phase. A consultant-led gap assessment starts at approximately $30,000 USD (Source: TrustNet Inc). This pack provides the same structured 93-control assessment as a self-guided toolkit. You will still need an accredited certification body for the formal audit, but completing this pack first means you arrive audit-ready and avoid costly failures or remediation cycles.

Start Your ISO 27001 Journey Today

Most SMBs spend months — and thousands — going in circles before running a structured gap assessment. Skip that. Know exactly where you stand, what policies you are missing, and what your 90-day path looks like.


Secure checkout via Polar. Instant download. This product is a DIY toolkit — it does not constitute professional advice or guarantee certification outcomes.