Skip to content
AuditFront

Free Compliance Templates

Download production-ready templates built from real audit experience. Fill them in, then import into AuditFront for dashboards, AI analysis, and professional reports.

ISO 27001

iso-27001 xlsx

ISO 27001 Gap Analysis Spreadsheet

Preparing for ISO 27001 certification starts with understanding where you stand today. This comprehensive gap analysis spreadsheet maps every control from ISO 27001:2022 Annex A and helps you systematically evaluate your organization's current security posture against each requirement. Rather than hiring expensive consultants for an initial assessment, this template empowers your team to conduct a thorough internal review and identify exactly which controls are fully implemented, partially implemented, or missing entirely. The spreadsheet covers all 93 controls across the four ISO 27001:2022 categories: Organizational Controls (37 controls), People Controls (8 controls), Physical Controls (14 controls), and Technological Controls (34 controls). For each control, you will find the control reference number, control title, a plain-language description of what the control requires, fields to document your current implementation status, evidence of compliance, identified gaps, and recommended remediation actions with priority levels and estimated effort. The built-in scoring system automatically calculates your overall readiness percentage and breaks it down by category, giving you a clear visual dashboard of where your strengths and weaknesses lie. This is invaluable for communicating compliance progress to leadership, prioritizing remediation work, and estimating the effort required to reach certification readiness. Whether you are a startup pursuing your first ISO 27001 certification or an established company preparing for a recertification audit, this gap analysis template provides the structured framework you need to turn compliance from an overwhelming project into a manageable, step-by-step process.

Download Free
iso-27001 docx

Incident Response Plan Template

When a security incident strikes — a data breach, ransomware attack, or unauthorized access to sensitive systems — the difference between a manageable event and a catastrophic one often comes down to whether your team has a clear, practiced plan to follow. This incident response plan template provides a comprehensive, ready-to-customize framework for detecting, responding to, containing, and recovering from information security incidents, aligned with ISO 27001:2022 requirements and industry best practices from NIST and SANS. The template covers the complete incident response lifecycle: preparation (roles, responsibilities, communication channels, escalation criteria), identification (detection mechanisms, initial triage, severity classification), containment (short-term and long-term containment strategies), eradication (root cause analysis, threat removal procedures), recovery (system restoration, verification, monitoring), and lessons learned (post-incident review, process improvement). Each phase includes detailed procedures, decision trees for common scenarios, and pre-formatted communication templates for internal and external stakeholders. Beyond the core response procedures, the template addresses the regulatory reporting requirements that many organizations overlook until an incident occurs. It includes notification timeline checklists aligned with GDPR (72-hour supervisory authority notification), NIS2 (24-hour early warning, 72-hour notification), and other frameworks. It also provides templates for data breach notifications to affected individuals, board reporting formats, and media communication guidelines. For ISO 27001 certification specifically, auditors will verify that your incident response plan exists, is communicated to relevant personnel, and has been tested — this template helps you satisfy all three requirements. The included tabletop exercise scenarios allow you to practice your response procedures with your team, generating the evidence of testing that auditors expect to see.

Download Free
iso-27001 docx

ISO 27001 Information Security Policy Template

Every ISO 27001 implementation starts with policies — and for most organizations, writing information security policies from scratch is one of the most daunting parts of the certification journey. This comprehensive policy template provides professionally written, ready-to-customize policy documents covering the core information security policy and supporting policies required by ISO 27001:2022. Instead of staring at a blank page or paying a consultant thousands of euros to draft boilerplate policies, you can start with battle-tested templates and adapt them to your organization's specific context. The template pack includes the overarching Information Security Policy (required by ISO 27001 Clause 5.2) along with supporting policies that address the most commonly audited Annex A control areas. Each policy document follows a consistent professional structure: purpose and scope, applicable roles and responsibilities, policy statements with clear requirements, exceptions process, compliance and enforcement provisions, and review and update procedures. The language is deliberately practical rather than legalistic — auditors want to see policies that your employees can actually understand and follow, not dense legal documents that sit unread in a shared drive. Critically, each policy includes implementation notes explaining what the auditor expects to see, common pitfalls to avoid, and guidance on what evidence you should maintain to demonstrate that the policy is not just documented but actively implemented. This bridge between documentation and implementation is where many organizations fail during certification audits — they have impressive policies but cannot demonstrate that those policies are followed in practice. These templates help you avoid that trap by building implementation awareness into the documentation process itself.

Download Free
iso-27001 xlsx

Vendor Risk Assessment Questionnaire

Your organization's security is only as strong as your weakest vendor. Supply chain attacks, third-party data breaches, and vendor security failures have become some of the most common and devastating attack vectors in recent years — from SolarWinds to MOVEit, the pattern is clear. ISO 27001 and NIS2 both require organizations to assess and manage the security risks posed by their suppliers and service providers. This vendor risk assessment questionnaire provides a structured, professional framework for evaluating the security posture of your vendors before onboarding them and periodically throughout the relationship. The questionnaire covers the critical security domains that matter when entrusting a vendor with your data or integrating their services into your operations: organizational security governance, access control and identity management, data protection and encryption, network and infrastructure security, application security, business continuity and disaster recovery, incident management, compliance and regulatory adherence, and personnel security. Each domain includes targeted questions with multiple-choice response options, follow-up prompts for deeper investigation, and a risk scoring methodology that produces an objective vendor risk rating. What makes this template particularly practical is its tiered assessment approach. Not every vendor needs the same level of scrutiny — your cloud hosting provider handling customer data warrants a more thorough assessment than your office supply vendor. The template includes a vendor classification matrix that helps you categorize vendors by the criticality of data or systems they access, then tailors the assessment depth accordingly. Critical vendors receive the full questionnaire; low-risk vendors receive an abbreviated version. This risk-based approach ensures thoroughness where it matters while avoiding unnecessary overhead. The template also includes a vendor risk register for tracking assessment results across your entire vendor portfolio, identifying trends, and prioritizing follow-up actions for vendors that fall below your acceptable risk threshold.

Download Free
iso-27001 xlsx

ISO 27001 Risk Assessment Template

Risk assessment is the backbone of ISO 27001 — it is the process that determines which controls you implement, how you prioritize your security investments, and how you justify your Statement of Applicability to auditors. Yet many organizations struggle with risk assessment methodology, producing either overly simplistic assessments that auditors reject or impossibly complex matrices that no one maintains. This template strikes the right balance: rigorous enough to satisfy certification auditors, practical enough for a small team to complete and maintain. The spreadsheet implements a structured risk assessment methodology aligned with ISO 27001:2022 Clause 6.1.2 and ISO 27005 guidance. It walks you through the complete risk assessment lifecycle: asset identification, threat identification, vulnerability assessment, likelihood and impact scoring, risk level calculation, risk treatment decisions (mitigate, accept, transfer, avoid), and control selection with mapping to ISO 27001:2022 Annex A controls. The scoring system uses a clear 5x5 matrix with defined criteria for each likelihood and impact level, eliminating the subjectivity that often undermines risk assessment quality. What makes this template particularly valuable is the pre-populated threat catalog. Rather than starting from scratch, you begin with a comprehensive list of common information security threats relevant to technology companies — from ransomware and phishing to cloud misconfiguration and insider threats — and assess which are relevant to your organization. This approach ensures thoroughness while saving significant time. The template also includes a risk treatment plan worksheet that links directly to your risk register, creating a clear audit trail from identified risks through treatment decisions to implemented controls. This traceability is exactly what auditors look for during certification assessments.

Download Free

NIS2

nis2 xlsx

NIS2 Compliance Checklist

The NIS2 Directive represents the most significant overhaul of EU cybersecurity regulation in years, dramatically expanding the scope of organizations that must meet strict cybersecurity requirements. With fines reaching EUR 10 million or 2% of global annual turnover for essential entities — and personal liability for management bodies — the stakes for non-compliance are higher than ever. This NIS2 compliance checklist provides a structured approach to evaluating your organization's readiness against the directive's requirements as transposed into national law across EU member states. The checklist is organized around NIS2's core requirement areas as defined in Article 21: cybersecurity risk management measures, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition and development, vulnerability handling and disclosure, cybersecurity risk assessment practices, cryptography and encryption, human resources security and access control, and multi-factor authentication. For each requirement area, the template provides a clear explanation of the obligation, practical guidance on what constitutes compliance, a status assessment field, and space to document your current implementation and planned remediation actions. Beyond the technical requirements, the checklist addresses NIS2's governance and reporting obligations: management body accountability and training requirements, incident reporting timelines (24-hour early warning, 72-hour notification, one-month final report), registration with national competent authorities, and cooperation with CSIRTs. These procedural requirements are often overlooked but are critical for compliance — having strong technical controls means little if you cannot demonstrate proper governance or meet reporting deadlines during an incident.

Download Free

GDPR

gdpr xlsx

GDPR Compliance Checklist

GDPR compliance is not optional for any organization that processes personal data of EU residents — and the penalties for getting it wrong are severe, reaching up to EUR 20 million or 4% of global annual turnover. Yet many companies, particularly startups and SMBs, struggle to understand exactly what GDPR requires of them and where their current practices fall short. This comprehensive GDPR compliance checklist translates the regulation's dense legal language into practical, actionable items that any team can work through. The checklist covers all key GDPR requirements organized into logical categories: Lawful Basis for Processing, Data Subject Rights, Data Protection by Design and Default, Data Processing Agreements, International Data Transfers, Data Protection Impact Assessments (DPIAs), Breach Notification Procedures, Records of Processing Activities (ROPA), Data Protection Officer Requirements, and Employee Training. For each requirement, the template provides a clear explanation of what the regulation demands, practical examples of how to comply, a status field to track your current compliance level, and action items for closing identified gaps. What makes this checklist particularly valuable is its focus on practical implementation rather than legal theory. Instead of quoting GDPR articles verbatim, it explains what each requirement means for your day-to-day operations: how your website forms need to work, what your privacy policy must include, how to handle data subject access requests, what contracts you need with your SaaS vendors, and how to respond if you discover a data breach. For companies operating across multiple EU member states, the checklist also highlights areas where national implementations may add requirements beyond the base GDPR regulation.

Download Free

SOC 2

soc-2 xlsx

SOC 2 Readiness Checklist

A SOC 2 audit is one of the most significant compliance investments a growing company makes — and walking into an audit unprepared is one of the most expensive mistakes. This readiness checklist helps you systematically evaluate your preparedness across all five Trust Services Criteria before you engage an auditor, ensuring you spend audit fees on validation rather than discovery of gaps. The checklist is organized around the AICPA's Trust Services Criteria: Security (CC1-CC9, always required), Availability (A1), Processing Integrity (PI1), Confidentiality (C1), and Privacy (P1). For each criterion, the template breaks down the specific control objectives, lists the evidence an auditor will typically request, and provides a clear yes/no/partial status field to track your readiness. This is not a generic overview — it reflects the actual evidence requests and control expectations that CPA firms evaluate during SOC 2 engagements. Beyond the checklist itself, the template includes a pre-audit preparation timeline with recommended milestones, a stakeholder assignment matrix so you can distribute evidence collection across your team, and an evidence inventory worksheet to track which documents, screenshots, and configurations you have already gathered. For companies preparing for their first SOC 2 audit, this template transforms what can feel like an opaque and intimidating process into a concrete, step-by-step project plan. For companies preparing for annual re-audits, it serves as a structured reminder to refresh evidence and verify that controls have been maintained since the last audit period.

Download Free

Tech DD

tech-dd docx

Pre-Acquisition Technology Assessment Report

When acquiring a technology company or investing in one, the quality and sustainability of the technology is often the most critical — and most misunderstood — factor in the deal. Financial due diligence has well-established methodologies, but technology due diligence remains ad hoc at many firms, leading to costly surprises post-acquisition: hidden technical debt, scalability limitations, security vulnerabilities, key-person dependencies, and licensing issues that can cost millions to remediate. This pre-acquisition technology assessment report template provides a structured, professional format for documenting a comprehensive technology evaluation. The report template covers the full spectrum of technology due diligence dimensions: technology strategy alignment, architecture and infrastructure assessment, codebase quality and technical debt, security posture and vulnerability assessment, team capability and organizational structure, development processes and DevOps maturity, intellectual property and licensing review, scalability and performance analysis, data management and privacy compliance, and vendor and third-party dependency evaluation. Each section includes specific evaluation criteria, a standardized scoring rubric, space for detailed findings, and a risk classification system (Critical, High, Medium, Low, Informational) that helps decision-makers quickly understand the severity of identified issues. What distinguishes this template from a simple checklist is its focus on producing a professional deliverable. The report format includes an executive summary designed for non-technical stakeholders (board members, investors, M&A attorneys), a detailed findings section for technical review, a risk register summarizing all identified issues with estimated remediation costs, and a recommendation section that ties technical findings to deal-relevant business decisions. Whether you are a PE firm evaluating a potential portfolio company, a corporate acquirer assessing a target, or a startup preparing to present your technology in the best possible light during due diligence, this template ensures that the assessment is thorough, consistent, and professionally presented.

Download Free
tech-dd xlsx

Tech DD Code Review Checklist

Technology Due Diligence is increasingly critical in M&A transactions, investment rounds, and strategic partnerships — yet most companies approach code reviews ad hoc, missing critical issues that surface months or years later. This structured code review checklist provides a systematic framework for evaluating a technology organization's codebase, development practices, and technical architecture, whether you are assessing your own company's readiness or evaluating an acquisition target. The checklist covers the dimensions that experienced technical acquirers and investors evaluate: code quality and maintainability, architecture and scalability, security practices, testing and quality assurance, deployment and DevOps maturity, technical debt assessment, dependency management, documentation quality, and regulatory compliance considerations. Each dimension includes specific evaluation criteria, scoring guidance, and red-flag indicators that signal potential risks requiring deeper investigation. What sets this template apart from generic code review checklists is its focus on business-relevant technical assessment. Every evaluation criterion is tied to its business impact — how code quality affects development velocity, how architecture choices impact scaling costs, how security practices affect regulatory risk, and how technical debt influences future investment requirements. This business-context framing makes the template equally valuable for technical evaluators conducting the review and for non-technical stakeholders (investors, board members, M&A teams) who need to understand the findings. The scoring system produces a summary report that translates technical findings into business language, making it an effective communication tool between technical and business teams.

Download Free

Already filled in a template?

Import your completed spreadsheet into AuditFront and upgrade from rows to dashboards, AI analysis, and board-ready reports.

Import your template