The Chilean ISO 27001 Implementation Workbook for Solo Owners

$199.00

A focused course, tailored for you

Run the full ISO 27001 implementation cycle alone, with every policy, risk register tab and Statement of Applicability row prepared for a Chilean assessor.

The Statement of Applicability tab is half-finished, the risk register has no link back to the Annex A controls, and the external assessor is booked for the end of next quarter.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Running ISO 27001 implementation as the only person responsible for it is a particular kind of work. There is no compliance team to delegate the policy drafting to, no risk function to maintain the register, no internal audit team to run the readiness review. Every artefact the assessor reads, from the Statement of Applicability through the risk treatment plan to the internal audit report, has to be authored by one person who is also doing the day job. The failure pattern is recognisable: the SoA is started, the policies are drafted, the risk register has rows in it, but nothing links to anything else. The assessor opens the SoA, sees an Annex A control marked Applicable with a one-line justification, asks where the risk that drove that selection is recorded, and the answer takes ten minutes to find. The audit conversation never recovers. The workbook removes that failure path. Every artefact is built with the cross-reference already in place, the wording the assessor expects already drafted, the evidence reference already named.

What you walk away with

  • Complete Statement of Applicability with assessor-ready justifications for all 93 Annex A controls.
  • Risk register linked row by row to the SoA, with treatment decisions and residual risk recorded.
  • Twelve mandatory policy documents drafted from working templates in English with bilingual evidence notes.
  • Internal audit schedule, audit checklist, management review pack, and corrective action log ready for the certification cycle.
  • Evidence collection plan that names the artefact, the owner, and the refresh cadence for every clause and Annex A control.

The 12 modules

Module 1. Scoping the ISMS without overcommitting
Decide which products, services, locations, and supporting functions sit inside the management system and which sit outside. Document the scope statement in the exact form the assessor reads. Avoid the common trap of including the whole company when the certification only needs to cover one product line, and the equally common trap of scoping so narrowly that the scope statement reads as evasion. Includes the scope-statement template, the interfaces-and-dependencies register, and the boundary diagram worked example.
Module 2. Context, interested parties, and the issues register
Clause 4 of the standard asks for the internal and external issues that affect the ISMS, the interested parties, and their requirements. Most implementations write a single paragraph here and move on. The assessor will ask how the issues feed the risk assessment and how the interested party requirements appear in the SoA justifications. Module includes the issues register template with examples for fintech, software, and managed services contexts, plus the link sheet that maps each interested party requirement to the controls that address it.
Module 3. The information security policy and the topic-specific policies
Draft the top-level information security policy that the senior accountable person signs, plus the twelve topic-specific policies that Annex A references explicitly. Each policy in the workbook is written as a working document, not as a marketing piece. The acceptable use policy, the access control policy, the cryptographic policy, the secure development policy, the supplier security policy, and the rest are drafted with the operational clauses the assessor will look for, the review cadence, the approval record, and the cross-reference to the Annex A control.
Module 4. Risk assessment methodology that holds up to challenge
Define the risk assessment methodology, the criteria for assessing consequence and likelihood, the risk acceptance criteria, and the documented basis for choosing them. Walk through the risk identification workshop format that works when there is no risk function to facilitate it. Build the first version of the risk register with at least forty risks identified across the scope, each scored against the criteria, and each linked forward to the risk treatment decision in the next module.
Module 5. Risk treatment plan and the Statement of Applicability
Move from the risk register to the risk treatment plan, with one treatment decision per risk. Determine whether each risk is modified, transferred, or accepted, and which Annex A controls are selected as a result. Then build the Statement of Applicability row by row, with the assessor-expected wording for each of the 93 Annex A controls, the justification for inclusion or exclusion, the implementation status, and the reference back to the risk that drove the selection. This is the document the assessor opens first, and the workbook treats it that way.
Module 6. Asset register, classification, and handling
Build the asset register that supports the risk assessment without becoming a separate maintenance burden. Define the classification scheme with three or four levels, the handling rules per classification, the labelling approach for documents and systems, and the disposal procedure. Module includes the asset register template that links to both the risk register and the SoA, the classification scheme as a working policy, and the handling matrix that staff actually reference.
Module 7. Access control, identity, and authentication evidence
Cover the operational controls for joiners, movers, and leavers, the privileged access regime, the authentication standard, and the periodic access review. Build the joiner-mover-leaver workflow as a working document with the owner of each step named. Define the privileged access register, the review cadence, and the evidence the assessor will sample. Includes the authentication standard, the access review record template, and the worked example of a quarterly access review report.
Module 8. Operations security, logging, and incident response
Define the operational baselines for systems, the change management procedure, the backup regime, the malware protection approach, the logging standard, and the vulnerability management cycle. Then build the incident response plan with the classification scheme, the response roles, the communication tree, and the post-incident review template. Module ends with the tabletop exercise format that satisfies the assessor that the plan has been tested without consuming a full day of the team's time.
Module 9. Supplier security and the contract clauses that hold up
Build the supplier security policy, the supplier classification scheme, the due diligence questionnaire that is proportional to supplier risk, and the contract clauses that the assessor will read. Cover the ongoing supplier review cadence, the right-to-audit clause, the incident notification clause, and the offboarding procedure. Includes the supplier register template, the due diligence questionnaire in two depths, and the contract clause library.
Module 10. Secure development, change, and the software supply chain
Cover the secure development lifecycle controls, the separation of development, test, and production environments, the source code protection approach, the dependency management practice, and the application security testing regime. Build the secure development policy as a working document, the change advisory process, the release record, and the evidence the assessor will sample for a recent change. Includes the worked example of a release record that holds up to assessor review.
Module 11. Internal audit, management review, and corrective action
Build the internal audit programme with the schedule, the audit plan template, the audit checklist by clause and by Annex A control, and the audit report template. Then build the management review pack with the inputs the standard requires, the worked agenda, and the minutes template. Close with the corrective action procedure, the nonconformity log, and the root cause analysis template. This is the module that gets the readiness review through certification.
Module 12. Certification audit preparation and the evidence pack
Assemble the full evidence pack the certification body will request, organised by clause and Annex A control. Walk through the stage 1 readiness review the assessor will conduct, the typical findings it produces, and how to close them before stage 2. Prepare the staff for the assessor interviews with the questions to expect and the answers that demonstrate operational competence. Includes the evidence pack index, the assessor interview prep guide, and the typical findings register with closure templates.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • The Statement of Applicability tab has three columns filled in and the assessor visit is booked.
  • The risk register has rows but no link forward to any treatment decision or any Annex A control.
  • The policies are drafted in Spanish for the team to read but the assessor will read them in English.
  • The internal audit is overdue and the management review minutes do not exist yet.

What you get with this course

  • Twelve written modules in the Art of Service learning environment, each with downloadable templates and worked examples.
  • Statement of Applicability template with the full 93 Annex A controls and assessor-ready justification examples.
  • Risk register template linked to the SoA and the risk treatment plan.
  • Twelve mandatory policy documents drafted as working templates ready to brand.
  • Internal audit checklist, audit plan template, management review pack, and corrective action log.
  • Certification body evidence pack index organised by clause and Annex A control.
  • Hand-built implementation playbook tailored to the size and sector of the organisation you are running this for.
  • 30-day money-back guarantee if the workbook does not match the implementation you are running.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules 1 to 4 form the first two-week block: scope, context, policies, risk methodology.

Modules 5 to 8 form the next two-week block: SoA, asset register, access control, operations.

Modules 9 to 12 form the final two-week block: suppliers, secure development, internal audit, certification preparation.

The full implementation is achievable in six to eight weeks of focused work, or twelve weeks alongside a day job.

Before and after

Before

The implementation is being run alone, the SoA is half-finished, the risk register exists in isolation, the policies are scattered across drafts, and the certification body visit is scheduled for the end of the quarter.

After

The SoA is complete with assessor-ready justifications, the risk register is linked row by row to the controls, the twelve mandatory policies are working documents, and the evidence pack is assembled and indexed by clause and Annex A control.

What happens if you do not address this

The stage 1 readiness visit produces a list of findings that cannot be closed in time for stage 2. The certification body recommends a remediation period of three to six months before reattempting. The customer or partner that triggered the certification project moves on to a competitor that already holds the certificate.

Who it is for

A professional in Chile or the broader Spanish-speaking market who is running an ISO 27001 implementation alone or with a very small team. The organisation might be a fintech preparing for a banking-sector partner audit, a software house chasing an enterprise customer that requires certification, a managed services provider that has had a tender disqualified for not holding ISO 27001, or a consultant being paid to deliver a first certification for a client. The common thread is one person carrying the work, in a language environment where the assessor reads in English but the operational evidence lives in Spanish.

Who this is NOT for. Not for organisations with an existing compliance function and dedicated internal auditors. Not for those seeking a certification body or a consulting engagement. Not for organisations already certified that need a transition workbook to the next revision of the standard.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Six to eight weeks of focused work for a full implementation, or twelve weeks at four to six hours per week alongside a day job. Each module is designed to be completed in a single working session.

Why $199 is the right number

A consulting engagement to deliver the same artefacts runs from 15,000 to 50,000 USD depending on scope and sector. A generic ISO 27001 toolkit costs 200 to 500 USD but does not provide the assessor-expected wording or the link sheets between artefacts. This workbook sits between the two: the structure and the worked artefacts of a consulting engagement, at the price point of a toolkit, with a hand-built implementation playbook tailored to the size and sector of the organisation.

FAQ

Does the workbook cover the current revision of ISO 27001 with the 93 Annex A controls?
Yes. The Statement of Applicability template, the policy library, and the evidence pack are all built against the current revision of the standard, with the 93 Annex A controls organised in the four themes.
Is the content in English or Spanish?
The workbook is in English, which is the language the certification body assessor will read the documents in. Every template carries a bilingual evidence note so the operational evidence collected in Spanish maps cleanly to the assessor's English documentation review.
Will this work for a fintech, a software house, or a managed services provider?
Yes. The worked examples cover all three contexts. The hand-built implementation playbook is tailored to the specific organisation you are running this for, including the sector-specific evidence the assessor will look for.
What if the organisation already has some policies drafted?
The workbook is built to be merged into an existing policy library, not to replace it. Use the link sheets to map your existing policies to the Annex A controls and identify the gaps. The implementation playbook will be tailored to your starting position.
Is there a refund if it does not fit?
Yes. 30-day money-back guarantee. If the workbook does not match the implementation you are running, the purchase is refunded with no further questions.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.