Tools for ISO 27001 controls

💰 The anti-€20k solution

ISO 27001 tech stack for startups

Practical, Cost-Effective tools for each control

Need to implement threat intelligence, error monitoring or endpoint protection without breaking the bank? We get you. This guide maps the 93 ISO 27001:2022 Annex A controls to affordable, practical tools that startups actually use. No enterprise bloatware. No six-figure SIEM platforms. Just effective solutions that get you compliant without breaking the bank.

Control Type Legend

🔧 Technical: Requires specific software/tooling

📋 Procedural: Needs documentation/policy (use Notion/Confluence/Google Docs)

🏢 Physical: Office/hardware related

💰 Cost: Free | Low (< €100/mo) | Medium (€100-500/mo)

A.5 Organizational Controls

37 controls

📋 A.5.1-A.5.4, A.5.8, A.5.10-A.5.15

Policies & Documentation

Type: Procedural 💰 Cost: Free

The One Tool:

Notion (Free for small teams) - Best all-around
Confluence (Free < 10 users)
GitHub Wiki (Free) - Dev-friendly
Google Docs (Free) - But harder to organize

Use for: Information security policies, RACI matrices, acceptable use policies, classification schemes, access control policies, etc.

🔧 A.5.7

Threat Intelligence

Type: Technical 💰 Cost: Free

Startup Stack:

GitHub Dependabot (Free, built-in) - Dependency vulnerabilities
Snyk (Free tier) - Code, dependency & container scanning
CISA Alerts (Free email subscription) - Government threat bulletins
CrowdSec (Free, open-source) - Collaborative threat intelligence

🔧 A.5.9

Asset Inventory

Type: Procedural/Technical 💰 Cost: Free - Low

Startup Stack:

Snipe-IT (Free, open-source, self-hosted) - Best dedicated tool
Airtable/Notion (Free tier) - Good enough for manual tracking
Your MDM - Often includes device inventory (see A.8.1)

🔧 A.5.16

Identity Management (SSO/IdP)

Type: Technical 💰 Cost: Included - Low

Startup Stack:

Google Workspace / Microsoft 365 (Usually already paying) - Built-in IdP
JumpCloud (Free < 10 users/devices) - IdP + MDM combo
Okta (Free < 25 users, developer tier) - Industry standard
Auth0 (Free tier) - Best for customer/app identity
Keycloak (Free, open-source, self-hosted)

🔧 A.5.17 / A.8.5

Authentication / Secure Authentication

Type: Technical 💰 Cost: Free - Low

Password Management:

Bitwarden (€3/user/month) - Best value, open-source
1Password (€6.99/user/month) - Great UX

MFA:

Google Authenticator / Authy (Free) - Basic TOTP
Duo (Free tier available) - More enterprise features
Yubikey (~€45 one-time) - Hardware tokens

🔧 A.5.23

Cloud Security (CSPM)

Type: Technical 💰 Cost: Free - Low

Startup Stack:

Prowler (Free, open-source) - THE tool for AWS/Azure/GCP scanning
AWS Security Hub (Free tier) - Native AWS
Google Security Command Center (Free tier) - Native GCP
Azure Policy (Included) - Native Azure

📋 A.5.24-A.5.28

Incident Management

Type: Procedural 💰 Cost: Free - Low

Incident Response Plan:

Use Notion/Confluence

On-Call/Alerting:

PagerDuty (Free tier available)
Dedicated Slack channel (Free, simple) - #security-incidents

Logging for Evidence Collection:

See A.8.15

A.6 People Controls

8 controls

📋 A.6.1-A.6.2, A.6.4-A.6.6

HR Processes

Type: Procedural 💰 Cost: Free - Low

HR Platform (optional):

Deel / Rippling - If you already use them
Docusign / PandaDoc (Free - Low) - For NDAs, contracts

Documentation:

Screening procedures, employment terms, disciplinary process, offboarding checklists → Notion

🔧 A.6.3

Security Awareness Training

Type: Procedural/Technical 💰 Cost: Free - Low

Startup Stack (Truly User-Friendly):

Riot (€5-10/user/month) - All-in-one: training + data breach alerts + phishing + dark web monitoring
Wizer (Free tier available) - 1-minute videos, microlearning
Guardey (Low cost) - Gamified, weekly lessons
usecure (Low cost) - Risk-based, tailored for SMBs
Gophish (Free, open-source) - DIY phishing simulations
KnowBe4 (Free tools available) - Some free tests/tools

Avoid: KnowBe4 full platform, Proofpoint (too enterprise/expensive for startups)

🔧 A.6.7

Remote Work Security

Type: Technical 💰 Cost: Free - Low

Zero-Trust VPN Alternatives:

Tailscale (Free tier, generous) - Zero-config, mesh VPN
Twingate (Free tier) - Modern Zero Trust access
Cloudflare Zero Trust (Free < 50 users) - Very powerful

Plus: Enforce via MDM (see A.8.1)

📋 A.6.8

Security Event Reporting

Type: Procedural 💰 Cost: Free

Startup Stack:

Slack channel (Free) - #security-events - Dead simple
Google Forms → Sheet (Free) - Anonymous reporting option
Jira Service Desk - If you already use Jira

A.7 Physical Controls

14 controls

🏢 A.7.1-A.7.6, A.7.8, A.7.11-A.7.12

Office Security

Type: Physical 💰 Cost: Varies

For Physical Offices:

Kisi / Latch - Smart access control
Ubiquiti cameras - Affordable CCTV
Building management - Outsource to landlord

For Remote/Cloud-First Startups:

Document "N/A - Fully Remote" policy

🔧 A.7.7 / A.7.9 / A.7.14

Clear Desk/Screen + Off-Premises Security + Secure Disposal

Type: Procedural/Technical 💰 Cost: Included

Policy:

In Notion

Technical Enforcement:

Screen lock → Enforced via MDM (see A.8.1)
Disk encryption (BitLocker/FileVault) → Enforced via MDM
Remote wipe → Via MDM

🔧 A.8.1

Endpoint Management (MDM)

Type: Technical 💰 Cost: Free - Low

Startup Stack (Covers A.7.7, A.7.9, A.7.10, A.7.14, A.8.1):

JumpCloud (Free < 10 users/devices) - Best starter: IdP + MDM combo
ManageEngine MDM (Free < 25 devices)
Miradore (Free < 50 devices) - Mobile-focused
Google Endpoint Management (Free with Google Workspace) - Basic
Jamf / Kandji (€€) - For Mac-heavy teams

What MDMs Do:

Enforce disk encryption (FileVault/BitLocker)
Enforce screen lock settings
Enforce OS updates
Remote wipe capabilities
Device inventory

ISO 27001 Startup Toolkit - Part 2

A.8 Technological Controls

34 controls

🔧 A.8.2 / A.8.3

Privileged Access + Information Access

Type: Technical 💰 Cost: Free - Low

Least Privilege Access:

AWS IAM / Google Cloud IAM (Included)
GitHub Teams/Branch Protection (Included)
Google Groups (Included)
Teleport (Open-source) - For SSH/K8s access
Twingate (Free tier) - Zero Trust

🔧 A.8.6

Capacity Management

Type: Technical 💰 Cost: Free - Low

Auto-Scaling:

AWS Auto Scaling (Pay for what you use)
Datadog / BetterStack (Free - Low) - Monitoring/alerting

🔧 A.8.7

Malware Protection (EDR/AV)

Type: Technical 💰 Cost: Free - Medium

Startup Stack:

Microsoft Defender (Included with Windows) - Actually very good
macOS XProtect (Built-in) - Basic
Enforced via MDM - Ensure they're enabled
Wazuh (Free, open-source) - Can do EDR
CrowdStrike / SentinelOne (€€€) - When you raise Series A and handle sensitive data

🔧 A.8.8

Vulnerability Management

Type: Technical 💰 Cost: Free - Low

Startup Stack:

Snyk (Free tier) - Primary for code/dependencies
GitHub Dependabot (Free) - Built-in
GitHub CodeQL (Free for public repos) - Code scanning
Wazuh (Free, open-source) - Host-based
OpenVAS (Free, open-source) - Network scanning

🔧 A.8.9 / A.8.31

Configuration Management + Environment Separation

Type: Technical 💰 Cost: Free

Infrastructure as Code:

Terraform (Free, open-source) - Multi-cloud IaC
Ansible (Free, open-source) - Configuration automation
GitHub (Free tier) - Version control for configs

Environment Separation:

AWS separate accounts (Free to create)
Terraform workspaces (Free)
GitHub branches (Free) - dev/staging/prod

🔧 A.8.11 / A.8.33

Data Masking + Test Information

Type: Technical 💰 Cost: Free

Startup Stack:

Faker.js (Free library) - Generate test data
PostgreSQL data masking (Built-in functions)
Tonic.ai (Has free tier) - Automated masking

Policy:

"No production data in test" → Notion

🔧 A.8.12

Data Loss Prevention (DLP)

Type: Technical 💰 Cost: Free - Low

Startup Stack:

Cloudflare DLP (Free tier for <50 users)
Google Workspace DLP (Included in Business+)
Nightfall AI (Free tier for Slack/GitHub scanning)

🔧 A.8.13 / A.8.14

Backups + Redundancy

Type: Technical 💰 Cost: Low

Backups:

AWS Backup / RDS automated backups (Low cost)
Backblaze B2 (€0.005/GB) - Cheapest cloud storage
Google Cloud Storage (Cheap with lifecycle policies)

Redundancy:

AWS Multi-AZ deployments (Slightly higher cost)
Cloudflare (Free tier includes load balancing features)

🔧 A.8.15 / A.8.16

Logging + Monitoring

Type: Technical 💰 Cost: Free - Low

Uptime Monitoring:

UptimeRobot (Free tier, 50 monitors)
BetterStack (Free tier, then €10-20/mo)

Application Logs & Metrics:

Datadog (Free < 5 hosts) - Professional observability
AWS CloudWatch / GCP Monitoring (Free tier generous)
Sentry (Free tier) - Application error tracking
Grafana (Free, open-source) - Dashboards

Security SIEM (for compliance/serious needs):

Wazuh (Free, open-source) - Best open-source SIEM/XDR
ELK Stack (Free, open-source) - DIY SIEM (complex to maintain)
Graylog Open (Free, open-source) - Simpler than ELK
Security Onion (Free, open-source) - Network security monitoring

Note: For startups, UptimeRobot + Datadog/BetterStack covers 90% of needs. Only add SIEM for compliance requirements.

🔧 A.8.20 / A.8.22

Network Security (Firewall/WAF) + Network Segregation

Type: Technical 💰 Cost: Free - Low

Web Application Firewall:

Cloudflare (Free tier WAF is excellent) - Just use this
AWS WAF (Pay per use)
pfSense (Free, open-source) - If self-hosting

Network Segmentation:

AWS VPC (Included) - Security Groups, public/private subnets
VLANs - For physical office networks

🔧 A.8.23

Web Filtering / DNS Security

Type: Technical 💰 Cost: Free

Startup Stack:

Cloudflare Zero Trust (Free tier < 50 users) - Best option
NextDNS (Free tier, then €2/mo) - Secure DNS
pfSense (Free, open-source) - Self-hosted firewall

🔧 A.8.24

Cryptography

Type: Procedural/Technical 💰 Cost: Free - Low

Policy:

"Use TLS 1.2+, encrypt at rest" → Notion

Key Management:

AWS KMS (Pay per use, cheap)
Google Cloud KMS (Similar)
HashiCorp Vault (Free, open-source, complex)

📋 A.8.25-A.8.27

Secure Development Lifecycle

Type: Procedural 💰 Cost: Free

Policy Documentation:

Notion/Confluence

Technical Enforcement:

GitHub branch protection (Free) - Require reviews
GitHub PR requirements (Free) - Force code review
OWASP Top 10 checklist (Free) - In Notion

🔧 A.8.28 / A.8.29

Secure Coding + Security Testing

Type: Technical 💰 Cost: Free - Low

Static Analysis (SAST):

Semgrep (Free tier) - Best open-source SAST
GitHub CodeQL (Free for public repos)
Snyk Code (Free tier) - Commercial option

Dependency Scanning (SCA):

Snyk (Free tier) - Already mentioned
GitHub Dependabot (Free)

Dynamic Testing (DAST):

OWASP ZAP (Free, open-source)
Manual pentests (Budget €2-5k/year when you raise funding)

📋 A.8.32

Change Management

Type: Procedural 💰 Cost: Free

Change Process:

Jira / Linear (Free - Low) - Approval workflow
GitHub Pull Requests (Free) - Code changes
Notion (Free) - Change policy

Quick Reference: Must-Have Starter Stack

For a €10-50k ARR startup, this covers 80% of ISO 27001

Control Area	Tool	Cost
Dokumentation	Notion	Kostenlos
Identity	Google Workspace or JumpCloud	Free - €50/mo
Endpoints	JumpCloud or ManageEngine	Kostenlos
Passwords	Bitwarden	€3/user
Training	Riot or Wizer	€5-10/user
Code Security	Snyk + Dependabot	Kostenlos
Monitoring	UptimeRobot + BetterStack	Free - €20/mo
Firewall/WAF	Cloudflare	Kostenlos
Backups	Backblaze B2	€5-20/mo
Remote Access	Tailscale	Kostenlos
Total		€50-150/month for a 5-10 person startup

When to Upgrade to Paid/Enterprise

You probably need to level up when:

You raise Series A+ (€2M+)
You handle sensitive data (health, financial)
You have compliance requirements (SOC 2, HIPAA, PCI-DSS)
You have 50+ employees
You're regularly audited

Then consider:

Commercial SIEM (Datadog Security, Elastic Security)
EDR (CrowdStrike, SentinelOne) instead of just Defender
Commercial training (Full KnowBe4, Proofpoint) instead of Riot
Vulnerability scanning (Qualys, Tenable) instead of OpenVAS
Professional pentests (Annual, €5-15k)

This guide prioritizes:

✅ Free/low-cost options that actually work

✅ Tools startups already use (Google, GitHub, AWS)

✅ Quick setup (< 1 day per tool)

✅ Minimal maintenance overhead

This guide avoids:

❌ €20k GRC platforms

❌ Enterprise-only tools

❌ Complex self-hosted solutions (unless clearly superior)

❌ Tools that require dedicated security engineers

Last updated: November 2024

Maintained by: Better (Better ISMS)