Free 27001 – GDPR templates

This is our ‘secret’ free template page. If you found this page, you can use these ISO 27001 and GDPR templates.

About these templates

The templates on this page are made by the people of ICT Institute. We use these templates in our training sessions and our advisory work. We decided to make our templates available to anyone with hardly any restrictions. They are provided under the Creative Commons license Attribution license. You can do the following with the templates:

• Share. You can share the templates and any documents made with these templates freely, with any one that you want to share it with.
• Adapt. You can make new documents based on the templates, make changes, add elements or delete elements as much as you want. You can even do this in commercial organisations of for commercial purposes.

Note that the use of these templates is of course at your own risk. We made an effort to include all required items in the template, but when we use these templates we change them to fit the intended use. Note also that the ISO 27001 norm is copyright protected. You must buy a copy of the norm before you can use it.

Note that we also offer 27001 and GDPR templates in Dutch. These are on this page: Nederlandse templates AVG en 27001.

You can find all our templates hosted in our GitHub repository.

GDPR templates

• Data processing agreement – this agreement is needed if you share personal data with another organisation. Read more in the dedicated article.
• Joint controllership agreement – this agreement is needed when two parties collaborate and jointly decide why and how personal data is processed. Read more here.
• Register of data processing activities – this register is mandatory for almost all companies that process personal data. Read how to use the DPA register.
• Data protection impact assessment – if a new activity involves new personal data processing, you will need this template to determine if an impact assessment is required and to do the impact assessment. Read more about the DPIA and check also the Notion template.
• Free template – Project plan. Using project plans is important to meet the “privacy and security” by design requirement from the GDPR. The template offers all basic project plan elements, including a privacy section, risks and information security impact.

Information security templates

• Free template – Information security policy ISO 27001. You must have a main policy and provide it to internal and external stakeholders. This templates works well for both ISO 27001 versions (2017 and 2022).
• Free template – Information security procedures ISO27001-2022. This document is used internally and describes your security measures in detail. This document is ordered based on the latest ISO 27001 2022 version. Mail us for the 2017 version.
• Free template – Statement of applicability ISO27001-2022. This document often abbreviated as SoA is a checklist which security measures you have implemented and why/why not.
• Free template – Asset & Risk register ISO 27001-2022. In this register, you can keep track of your assets and the associated risks. This register is also available as a Notion template.
• Free template – Statement of applicability ISO27001-2017. This is the same document but for the older version ISO 27001 : 2017.
• Free template – Information security rules ISO 27001.You must provide clear rules for all staff on what they can and cannot do to protect information. This templates contains suggestions and references to the standard controls.
• Free template – Incident register, data breaches and non-conformities – tracking incidents, breaches and non-conformities helps resolve and prevent reoccurrences. This excel template can be used for just that, read more in the dedicated article.
• Free template – Authorisation matrix. This an example document that shows how you implement Role-based Access Control (RBAC). You use it to describe which access rights each role gets. As a bonus, we also included a sheet that defines your employee screening policy.
• Free template – ISO 27001 Suppliers register. This templates is use for keeping track of suppliers relevant for information security, your requirements and your assessments whether they meet your requirements
• Free template – Stakeholders and internal & external issues Two of the very first things you need to map for ISO 27001 are your stakeholders and internal- & external Issues. With these two figured out, you have a good picture what the requirements to your ISMS are. This template helps you with both.
• Free template – Summary of laws and regulations. For every organization, no matter the sector you operate in, there are laws and regulations you need to follow. Several of these will have an impact on your ISMS. In this document, you can keep track of them.
• Free template – Business Continuity Management. Disaster scenario’s, man-made or not, are inevitable. You can, however, prepare for them to significantly decrease their impact. This template helps you plan for the worst.
• Free template – AI policy. A comprehensive AI policy template that outlines principles and rules for acceptable use of AI systems. It covers acceptable use principles, privacy aspects and AI Act compliance, AI and coding guidelines, approved AI services, training and awareness requirements, and includes guidelines for assessing AI use.

Other resources

• CISSP study template – An overview of all 2022 CISSP body of knowledge items for people studying for the CISSP certification program.
• For more articles on information security, take a look at our security blog articles.
• For more articles about privacy, visit our page with all privacy articles.

Image credit: @rawpixel via Unsplash