Sample deliverables
See exactly what you get.
Illustrative, anonymized examples of the artifacts we hand over - with the real structure and columns. The data is invented for demonstration and does not represent any client.
ISO 27001 Readiness Report
Readiness Review output - typically 8-12 pages
Recommendation
Ready with remediation
11 gaps · 3 critical · audit in ~60 days
Executive summary
The ISMS is structurally in place but not consistently operated. Scope is appropriate. The main risks are evidence gaps in the Statement of Applicability, access reviews and supplier assurance. All are closable within the remaining window.
Top gaps
| Area | ISO ref | Severity | Finding |
|---|---|---|---|
| Statement of Applicability | Clause 6.1.3 | Critical | 3 controls marked implemented with no supporting evidence |
| Access reviews | A.5.18 | High | No Q2 review record; removals not evidenced |
| Supplier assurance | A.5.19 | High | 4 critical subprocessors never assessed |
| Risk register | Clause 6.1.2 | Medium | Scores unchanged since certification |
| Change / release | A.8.32 | Medium | Emergency changes lack retrospective approval |
| Management review | Clause 9.3 | Low | Held, with decisions and actions recorded |
Risk register comment
Register is static - scores have not moved since certification. Owners are named but treatment progress is not tracked.
SoA comment
Three controls marked implemented cannot be evidenced. Two exclusions need stronger justification.
Evidence quality
Where evidence exists it is often partial (screenshots, not records). Access and supplier evidence is weakest.
30-day action plan
1. Reconcile the SoA against evidence; fix the three unevidenced controls
2. Run and record a full access review, including removals
3. Rebuild the supplier register and assess critical subprocessors
4. Refresh the risk register with treatment progress and dates
Evidence Map
Control to owner, expected vs current evidence, quality and priority
| Control | Owner | Expected evidence | Current | Location | Quality | Frequency | Priority |
|---|---|---|---|---|---|---|---|
| A.5.15 Access control | Head of Engineering | Access review record, user list, approval trail | Partial Google Workspace export | Drive / Security | Weak | Quarterly | High |
| A.5.19 Supplier relationships | Operations Manager | Vendor register, risk ratings, DPAs | Incomplete register | Notion | Partial | Annual | High |
| A.8.16 Monitoring | Platform Lead | Alerting config, triage runbook, samples | Datadog + runbook | Datadog / Repo | Strong | Continuous | Low |
| A.8.9 Configuration | Platform Lead | Baseline config, drift detection evidence | Not evidenced | - | Weak | Quarterly | Medium |
Gap Tracker + Remediation Plan
Gap, business risk, ISO reference, owner, due date and status
| ID | Area | Finding | Business risk | ISO ref | Severity | Owner | Due | Status |
|---|---|---|---|---|---|---|---|---|
| G-001 | Statement of Applicability | Controls marked implemented without evidence | Audit nonconformity; certificate at risk | Clause 6.1.3 | Critical | Head of Security | Day 14 | Open |
| G-004 | Supplier reviews | Reviews missing for critical vendors | Weak third-party assurance before audit | A.5.19 | High | Operations | Day 30 | In progress |
| G-007 | Access reviews | No periodic review evidence; removals not recorded | Excess access retained; likely audit finding | A.5.18 | High | Platform Lead | Day 21 | Open |
More deliverables (management review pack, internal audit readiness checklist) are provided as part of a Readiness Sprint.