From scattered documents to an audit-ready ISMS workflow.
ISO27001KIT helps teams move from scattered documents to a more organised, audit-ready ISMS workflow - with templates, tools, and AI that respect what ISO 27001:2022 actually expects.
Why ISO27001KIT exists
Most ISO 27001 projects start the same way: a folder full of half-finished policies, a risk spreadsheet that no one trusts, and a deadline from a customer or auditor. The standard is clear, but the path from "we should do this" to "we can prove we do this" is not.
ISO27001KIT exists to shorten that path. We focus on the small number of artefacts auditors actually sample - scope, risk register, SoA, evidence, internal audit, management review - and make each one easier to produce, keep current, and defend.
Who it is for
- Startups and SMBs pursuing ISO 27001:2022 for the first time
- ISMS managers replacing scattered Word and Excel files with a single workflow
- Security leads preparing for Stage 1 or Stage 2 audits
- Consultants delivering ISO 27001 implementations for multiple clients
- Internal teams maintaining certification through surveillance audits
Implementation philosophy
Audit reality over paperwork theatre
A policy nobody follows fails an audit. We focus on documents that match how your team actually works.
Evidence is the unit of work
Every control needs proof an auditor can sample. Tools and templates are designed around what evidence each clause expects.
Small steps, finished work
Implementation moves in finished increments - scope, then risk, then SoA, then evidence - not endless half-done documents.
How the toolkit connects your ISMS
ISO 27001 is one connected system, not a stack of separate documents. The kit is structured around the same flow auditors follow:
- 1ScopeDefine what is in and out of the ISMS.
- 2RiskIdentify, score, and decide what to treat.
- 3ControlsSelect Annex A controls in the SoA with justifications.
- 4EvidenceShow each applicable control is actually operating.
- 5Internal auditIndependently test that controls work.
- 6Management reviewClose the loop with leadership on the ISMS performance.
What AI helps with
- Explain a clause or Annex A control in plain language
- Draft first-pass policy wording you then review and own
- Suggest auditor-style questions to test a control
- Reword weak justifications in your Statement of Applicability
What humans still need to decide
- Whether a control actually applies to your business
- Risk acceptance and treatment decisions
- Approving policies, scope, and the SoA
- Operating the controls every day and capturing evidence
- Internal audit findings and management review outcomes
The ISO 27001 practitioner behind the kit

Aymen Bentijani
Founder of ISO27001KIT
Cybersecurity GRC Consultant, ISO 27001 Lead Implementer, writer, and builder of practical security tools.
Aymen Bentijani founded ISO27001KIT to help implementers, consultants, auditors, and security teams make ISO 27001 implementation more practical, structured, and audit-ready.
With a background in cybersecurity GRC and ISO 27001 implementation, Aymen focuses on turning complex compliance work into usable documents, risk workflows, Statement of Applicability guidance, evidence tracking, and implementation tools.
ISO27001KIT was built to help teams move away from scattered files, unclear responsibilities, weak evidence, and last-minute audit preparation - and toward a clearer ISO 27001 implementation workflow.
What this means for the kit
Practical ISO 27001 documents
Templates are designed to support real implementation work, not just create paperwork.
Risk and SoA alignment
The kit connects risk assessment, treatment decisions, Annex A controls, and Statement of Applicability reasoning.
Audit-readiness mindset
The workflow is built around helping teams understand what evidence they need and why it matters during audit preparation.
Practitioner feedback shaping the kit
ISO27001KIT is built around practical ISO 27001 implementation problems: readiness gaps, scattered audit evidence, weak risk registers, Statement of Applicability clarity, and audit preparation. Feedback from ISO 27001, GRC, audit, and cybersecurity professionals helps shape the practical direction of the kit.
"Most gaps only surface during audits. A quick readiness check like this helps shift teams from reactive fixes to proactive ISMS maturity."
"Audit readiness is often scattered across files and teams. Centralized evidence tracking with clear ownership transforms preparation from reactive scrambling into structured progress."
"One of the biggest shifts in risk management happens when the register stops being a repository and becomes a decision tool."
"Risk registers often become audit artifacts instead of living risk management tools. The focus on linking risks to business processes is exactly what many organisations need."
"A useful audit reference for showing which applicable security controls have been implemented."
Comments have been lightly edited for clarity and attributed using first name and broad professional role. They are practitioner feedback, not formal customer testimonials.
Policies and security
Ready to make your ISMS auditable?
Pick a plan that matches where you are, or run a free readiness check to see where the biggest gaps live before you commit to anything.
