Kellwick

Sample deliverables

See exactly what you get.

Illustrative, anonymized examples of the artifacts we hand over - with the real structure and columns. The data is invented for demonstration and does not represent any client.

ISO 27001 Readiness Report

Readiness Review output - typically 8-12 pages

Illustrative sample
62 / 100

Recommendation

Ready with remediation

11 gaps · 3 critical · audit in ~60 days

Executive summary

The ISMS is structurally in place but not consistently operated. Scope is appropriate. The main risks are evidence gaps in the Statement of Applicability, access reviews and supplier assurance. All are closable within the remaining window.

Top gaps

| Area | ISO ref | Severity | Finding |
| --- | --- | --- | --- |
| Statement of Applicability | Clause 6.1.3 | Critical | 3 controls marked implemented with no supporting evidence |
| Access reviews | A.5.18 | High | No Q2 review record; removals not evidenced |
| Supplier assurance | A.5.19 | High | 4 critical subprocessors never assessed |
| Risk register | Clause 6.1.2 | Medium | Scores unchanged since certification |
| Change / release | A.8.32 | Medium | Emergency changes lack retrospective approval |
| Management review | Clause 9.3 | Low | Held, with decisions and actions recorded |

Risk register comment

Register is static - scores have not moved since certification. Owners are named but treatment progress is not tracked.

SoA comment

Three controls marked implemented cannot be evidenced. Two exclusions need stronger justification.

Evidence quality

Where evidence exists it is often partial (screenshots, not records). Access and supplier evidence is weakest.

30-day action plan

  1. Reconcile SoA against evidence; fix the three unevidenced controls
  2. Run and record a full access review, including removals
  3. Rebuild the supplier register and assess critical subprocessors
  4. Refresh the risk register with treatment progress and dates

Evidence Map

Control to owner, expected vs current evidence, quality and priority

Illustrative sample
| Control | Owner | Expected evidence | Current | Location | Quality | Frequency | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- |
| A.5.15 Access control | Head of Engineering | Access review record, user list, approval trail | Partial Google Workspace export | Drive / Security | Weak | Quarterly | High |
| A.5.19 Supplier relationships | Operations Manager | Vendor register, risk ratings, DPAs | Incomplete register | Notion | Partial | Annual | High |
| A.8.16 Monitoring | Platform Lead | Alerting config, triage runbook, samples | Datadog + runbook | Datadog / Repo | Strong | Continuous | Low |
| A.8.9 Configuration | Platform Lead | Baseline config, drift detection evidence | Not evidenced | - | Weak | Quarterly | Medium |

Gap Tracker + Remediation Plan

Gap, business risk, ISO reference, owner, due date and status

Illustrative sample
| ID | Area | Finding | Business risk | ISO ref | Severity | Owner | Due | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| G-001 | Statement of Applicability | Controls marked implemented without evidence | Audit nonconformity; certificate at risk | Clause 6.1.3 | Critical | Head of Security | Day 14 | Open |
| G-004 | Supplier reviews | Reviews missing for critical vendors | Weak third-party assurance before audit | A.5.19 | High | Operations | Day 30 | In progress |
| G-007 | Access reviews | No periodic review evidence; removals not recorded | Excess access; likely finding | A.5.18 | High | Platform Lead | Day 21 | Open |

More deliverables (management review pack, internal audit readiness checklist) are provided as part of a Readiness Sprint.
