Store your policies, controls, risks, suppliers, audit evidence and compliance records in one organised ISMS workspace. Built for small businesses that have outgrown spreadsheets and shared drives, but do not need a heavy GRC platform.
ISOvault is ISO 27001 document and evidence management software for small businesses. It provides one structured workspace for the records an Information Security Management System requires: policies and procedures, the 93 Annex A controls, the risk register, assets, suppliers, access reviews, audit evidence, non-conformances and corrective actions.
It is designed for companies with under 100 employees that mainly need a simple, controlled place to organise ISO 27001 records. It replaces spreadsheets, SharePoint folders, Google Drive and Notion for this purpose, without the cost and complexity of a full GRC or compliance automation platform.
Most small companies manage ISO 27001 with a folder structure, a master tracking spreadsheet and dozens of Word documents. It works at first. Then it quietly stops working.
Controls link to risks, risks to assets, assets to suppliers, policies to controls. When one record changes, the others do not update. The gaps only surface when an auditor asks a question you cannot answer.
Policy_v2_FINAL_revised.docx sits next to Policy_v3_DRAFT.docx and nobody is certain which version staff actually read and acknowledged.
Evidence lives in inboxes, drives and trackers. Every surveillance audit means days of pulling it together, checking review dates and chasing sign-offs.
ISO 27001 is usually owned by an IT Manager, Operations Manager or finance lead alongside their real role. They need the admin to take hours, not weeks.
ISOvault is deliberately focused. It does the record-keeping and cross-referencing that ISO 27001 actually requires, and does it well.
Policies and procedures stay as Word documents, because that is what auditors review. ISOvault is their controlled home: upload, version, tag to controls, set review dates and track who has read and acknowledged each document.
Information assets, suppliers and the user access matrix in one linked database, mapped to the 93 pre-loaded Annex A controls and your risk register. Open a supplier and see every asset, control and risk that depends on it.
Automatic reminders at 90, 60 and 30 days for policy reviews, supplier reassessments, internal audits and corrective action deadlines. One compliance calendar, so nothing is discovered two weeks before the audit.
The AI reads your whole ISMS: policies, controls, risks, assets and suppliers. It flags risks with no control, controls with no evidence, policies that do not cover the controls they are linked to, and suppliers overdue for review. It gives a genuine opinion on where you stand, not just a list of empty fields.
ISO 27001 evidence management is the process of collecting, organising and maintaining the records that show your information security controls are operating effectively. This includes policies, risk assessments, supplier reviews, access reviews, training records, internal audit notes, management review minutes and corrective actions.
ISOvault gives small businesses one controlled workspace for this evidence, rather than scattering it across spreadsheets, shared drives and email threads. Every piece of evidence is linked to the control it supports, so audit preparation is a report, not a project.
14-day trial, no card required. Your workspace is ready in under a minute and is hosted in the UK.
Upload your existing policies, supplier list and asset register. ISOvault structures them and links them to the 93 Annex A controls.
The AI reviews everything and produces a single report: controls needing evidence, risks without controls, documents overdue for review.
Export the Statement of Applicability, risk register and supplier register as Word documents, ready to hand to your auditor.
Vanta, Drata and ISMS.online are strong options for companies that want a broad compliance automation platform. ISOvault is designed for small businesses that mainly need a simple, controlled place for ISO 27001 documents, evidence and audit records.
| | Spreadsheets and shared drives | Document toolkits | GRC platforms (Vanta, Drata, ISMS.online) | ISOvault |
|---|---|---|---|---|
| Typical annual cost | Free, plus significant admin time | £500 to £3,000 one-off | £6,000 to £60,000+ | £1,500 ex VAT |
| Linked records across controls, risks, assets and suppliers | Manual, breaks silently | None | Yes | Yes, automatic |
| Document versioning and read acknowledgement | Filename suffixes | None | Varies by platform | Built in |
| Word document output for auditors | Native, but manual | Templates only | Usually PDF or in-platform | Generated from your data |
| Setup and onboarding | Build it yourself | Adapt templates yourself | Sales-led, onboarding programme | Self-serve, same day |
| Contract | None | One-off purchase | Usually annual | Monthly, cancel anytime |
Costs shown are indicative ranges based on published pricing and market information, and vary by company size and scope. If your business needs continuous cloud-control monitoring across many frameworks, a GRC platform may be the right choice. If you need your ISO 27001 records organised, evidenced and audit-ready, ISOvault does that for a fraction of the cost.
Monthly billing. Cancel anytime. The price you join at is the price you keep, for as long as you remain a customer.
Free templates and plain-English guides for anyone implementing ISO 27001, whether or not you use ISOvault.
Fourteen days, no card, full product. Import your existing documents, run a gap analysis and generate your Statement of Applicability. If it does not save you time, walk away with the Word documents.