ISO 27001 software for small businesses

Simple ISO 27001 document and evidence management software.

Store your policies, controls, risks, suppliers, audit evidence and compliance records in one organised ISMS workspace. Built for small businesses that have outgrown spreadsheets and shared drives, but do not need a heavy GRC platform.

No card required · Cancel anytime · UK Hosted
Statement of Applicability · ISO/IEC 27001:2022 · Annex A

| Control | Title | Status |
|---|---|---|
| A.5.1 | Policies for information security | Evidenced |
| A.5.15 | Access control | Review due |
| A.5.23 | Cloud services security | Evidenced |
| A.6.3 | Awareness and training | Gap |
| A.8.16 | Monitoring activities | Evidenced |

Control coverage: 87 of 93

What is ISOvault?

ISOvault is ISO 27001 document and evidence management software for small businesses. It provides one structured workspace for the records an Information Security Management System requires: policies and procedures, the 93 Annex A controls, the risk register, assets, suppliers, access reviews, audit evidence, non-conformances and corrective actions.

It is designed for companies with under 100 employees that mainly need a simple, controlled place to organise ISO 27001 records. It replaces spreadsheets, SharePoint folders, Google Drive and Notion for this purpose, without the cost and complexity of a full GRC or compliance automation platform.

The problem

Running ISO 27001 on spreadsheets and shared drives creates work that never ends.

Most small companies manage ISO 27001 with a folder structure, a master tracking spreadsheet and dozens of Word documents. It works at first. Then it quietly stops working.

Records fall out of sync

Controls link to risks, risks to assets, assets to suppliers, policies to controls. When one record changes, the others do not update. The gaps only surface when an auditor asks a question you cannot answer.

Version control by filename

Policy_v2_FINAL_revised.docx sits next to Policy_v3_DRAFT.docx and nobody is certain which version staff actually read and acknowledged.

Audit preparation becomes a scramble

Evidence lives in inboxes, drives and trackers. Every surveillance audit means days of pulling it together, checking review dates and chasing sign-offs.

The person running it has another job

ISO 27001 is usually owned by an IT Manager, Operations Manager or finance lead alongside their real role. They need the admin to take hours, not weeks.

The product

Three foundations, with an AI layer across all of them.

ISOvault is deliberately focused. It does the record-keeping and cross-referencing that ISO 27001 actually requires, and does it well.

Document store with versioning and cross-referencing

Policies and procedures stay as Word documents, because that is what auditors review. ISOvault is their controlled home: upload, version, tag to controls, set review dates and track who has read and acknowledged each document.

Asset, supplier and access database

Information assets, suppliers and the user access matrix in one linked database, mapped to the 93 pre-loaded Annex A controls and your risk register. Open a supplier and see every asset, control and risk that depends on it.

Calendar and reminders

Automatic reminders at 90, 60 and 30 days for policy reviews, supplier reassessments, internal audits and corrective action deadlines. One compliance calendar, so nothing is discovered two weeks before the audit.

AI layer, included on every account

AI gap analysis and cross-referencing

The AI reads your whole ISMS: policies, controls, risks, assets and suppliers. It flags risks with no control, controls with no evidence, policies that do not cover the controls they are linked to, and suppliers overdue for review. It gives a genuine opinion on where you stand, not just a list of empty fields.

What is ISO 27001 evidence management?

ISO 27001 evidence management is the process of collecting, organising and maintaining the records that show your information security controls are operating effectively. This includes policies, risk assessments, supplier reviews, access reviews, training records, internal audit notes, management review minutes and corrective actions.

ISOvault gives small businesses one controlled workspace for this evidence, rather than scattering it across spreadsheets, shared drives and email threads. Every piece of evidence is linked to the control it supports, so audit preparation is a report, not a project.

How it works

From shared-drive chaos to audit-ready in four steps.

1. Sign up

14-day trial, no card required. Your workspace is ready in under a minute, UK Hosted.

2. Import your ISMS

Upload your existing policies, supplier list and asset register. ISOvault structures them and links them to the 93 Annex A controls.

3. Run the gap analysis

The AI reviews everything and produces a single report: controls needing evidence, risks without controls, documents overdue for review.

4. Generate your audit documents

Export the Statement of Applicability, risk register and supplier register as Word documents, ready to hand to your auditor.

Comparison

How ISOvault compares with the alternatives.

Vanta, Drata and ISMS.online are strong options for companies that want a broad compliance automation platform. ISOvault is designed for small businesses that mainly need a simple, controlled place for ISO 27001 documents, evidence and audit records.

| | Spreadsheets and shared drives | Document toolkits | GRC platforms (Vanta, Drata, ISMS.online) | ISOvault |
|---|---|---|---|---|
| Typical annual cost | Free, plus significant admin time | £500 to £3,000 one-off | £6,000 to £60,000+ | £1,500 ex VAT |
| Linked records across controls, risks, assets and suppliers | Manual, breaks silently | None | Yes | Yes, automatic |
| Document versioning and read acknowledgement | Filename suffixes | None | Varies by platform | Built in |
| Word document output for auditors | Native, but manual | Templates only | Usually PDF or in-platform | Generated from your data |
| Setup and onboarding | Build it yourself | Adapt templates yourself | Sales-led, onboarding programme | Self-serve, same day |
| Contract | None | One-off purchase | Usually annual | Monthly, cancel anytime |

Costs shown are indicative ranges based on published pricing and market information, and vary by company size and scope. If your business needs continuous cloud-control monitoring across many frameworks, a GRC platform may be the right choice. If you need your ISO 27001 records organised, evidenced and audit-ready, ISOvault does that for a fraction of the cost.

Pricing

One plan. Everything included. Your price never rises.

Price for life
£125 / month + VAT

Monthly billing. Cancel anytime. The price you join at is the price you keep, for as long as you remain a customer.

  • Full 93-control register (ISO 27001:2022)
  • Unlimited users
  • Unlimited document storage
  • AI gap analysis and cross-referencing
  • Statement of Applicability and register exports in Word format
  • Compliance calendar and automatic reminders
  • Asset, supplier and access database
  • UK Hosted

14-day trial, no card required · No setup fees, no contracts

Free templates and guides

Practical ISO 27001 resources.

Free templates and plain-English guides for anyone implementing ISO 27001, whether or not you use ISOvault.

FAQ

Common questions.

Is ISOvault a replacement for an ISO consultant?
No. A good consultant interprets the standard, advises on risk appetite and challenges your thinking. ISOvault replaces the spreadsheets, folder structures and version-suffixed documents used to run the programme. Many consultants use ISOvault as the workspace for their clients.
Who is ISOvault for?
Small businesses, startups and SaaS companies, typically under 100 employees, pursuing ISO 27001 for the first time or maintaining an existing ISMS. The typical user is an IT Manager, Operations Manager or finance lead who owns the ISO programme alongside their day job.
Where is the data hosted?
UK Hosted, in London. This covers all customer data, documents and backups. Each customer has isolated database and document storage. We are working toward Cyber Essentials certification for ISOvault itself, and we use the product to manage it.
Does it integrate with our existing tools?
ISOvault is deliberately focused. It does not scan your cloud accounts or sync with your HR system. You can upload documents from any source, export everything to Word, and sign in with single sign-on. The aim is one good place for your ISMS, not another integration project to maintain.
What about ISO 9001, ISO 14001 or GDPR?
ISO 27001:2022 is the core framework today. ISO 9001 and a GDPR module are on the roadmap and will run on the same platform, using the same document, risk and calendar structure. Existing customers will not need to migrate.
What does "price for life" mean?
Sign up at £125 per month plus VAT and that is your price for as long as you remain a customer. No renewal uplifts and no repackaged plans. If prices rise for new customers, yours stays where it started.

Get your ISO 27001 records organised.

Fourteen days, no card, full product. Import your existing documents, run a gap analysis and generate your Statement of Applicability. If it does not save you time, walk away with the Word documents.
