
ISO 27001 Checklist: Your 14-Step Roadmap to ISO Certification
Emily Bonnie
Senior Content Marketing Manager
Cavan Leung
Senior Compliance Manager
ISO/IEC 27001 is one of the most widely recognized information security standards in the world. Earning certification is a powerful way to strengthen your security posture and show your commitment to protecting customer data.
But getting certified is not simple. The process can take months of preparation, detailed documentation, and careful coordination across your entire organization.
That is why we created this guide. Below you'll find an interactive checklist that walks you through each step of ISO 27001 certification, along with practical insights and expert advice to help you move through each stage with confidence.
How long ISO 27001 certification takes and what to expect
ISO/IEC 27001 certification is a major milestone, but it is not a quick process. The time it takes depends on your organization’s size, complexity, and how mature your existing security practices are.
For many small and medium-sized businesses, getting audit-ready typically takes about four months, with the certification audit adding another two to three months. Larger organizations or those with complex IT environments may need a year or more.
A typical ISO 27001 certification timeline
- Pre-audit preparation (Months 1–4): Define the scope of your ISMS, perform a risk assessment, design and implement policies and controls, train staff, and gather required documentation. Many organizations also perform an internal audit and remediate findings at this stage.
- Stage 1 audit (Month 5): An accredited auditor reviews your ISMS documentation and ensures your policies and procedures are designed properly.
- Stage 2 audit (Months 6–8): The auditor tests whether your controls and business processes are effectively implemented and aligned with ISO 27001 requirements. Passing Stage 2 results in certification, which is valid for three years.
- Surveillance audits (Years 1–2): Annual reviews confirm your ISMS is still effective and that improvements are being made.
- Recertification audit (Year 3): A full reassessment at the end of your certification term renews your ISO 27001 certificate for another three years.
ISO 27001 certification requirements
Before diving into the checklist, it helps to understand exactly what ISO 27001 certification requires. The standard sets out a framework for building and maintaining an information security management system (ISMS). To earn certification, your ISMS must satisfy the requirements in Clauses 4–10 and address risks through appropriate Annex A security controls.
Clauses 4–10: ISMS requirements
Clauses 4–10 outline the management system requirements that every ISO 27001-certified organization must follow:
- Clause 4: Context of the Organization – Define the purpose, scope, and boundaries of your ISMS.
- Clause 5: Leadership – Demonstrate executive accountability and commitment to information security.
- Clause 6: Planning – Establish a risk management methodology, define ISMS objectives, and plan how to achieve them.
- Clause 7: Support – Provide the resources, training, awareness, and communication channels necessary to operate your ISMS.
- Clause 8: Operations – Put your risk treatment plan and controls into practice, and maintain records of those actions.
- Clause 9: Performance Evaluation – Measure, monitor, and audit your ISMS to evaluate effectiveness and drive improvements.
- Clause 10: Improvement – Take corrective actions to address nonconformities and continually strengthen your ISMS.
Together, these clauses define the “what” of ISO 27001: what you must document, demonstrate, and continually improve to achieve and maintain certification.
Annex A: Security controls
Annex A provides the “how” — 93 security controls you can implement to mitigate the risks identified in your ISMS. These are grouped into four categories in the 2022 update:
- Organizational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
Not every control will apply to your organization. Instead, you’ll select the relevant ones based on your risk assessment and justify your decisions in a Statement of Applicability (SoA).
What changed with ISO/IEC 27001:2022?
The 2022 update introduced important structural updates and clarifications:
- The number of Annex A controls was reduced from 114 to 93 by consolidating overlaps.
- 11 new controls were added, covering areas like threat intelligence, cloud security, secure coding, and data leakage prevention.
- Clauses 4–10 saw only minor wording changes, but new subclauses were added for clarity (such as Clause 6.3 Planning for Changes, and expanded sections for internal audit and management review).
If your organization was certified under ISO 27001:2013, you’ll need to map your old controls to the new 2022 structure, adopt the new controls where applicable, and update your SoA before your next audit. All organizations must complete the transition by October 31, 2025, when ISO 27001:2013 certificates will no longer be valid.
Interactive ISO 27001 checklist: A step-by-step guide
While this checklist serves as an overview of the steps to becoming ISO 27001 compliant, the process will look different for each company. Factors like the size of the company or the maturity of its risk management practices may affect these steps.
Ready to get started? We’ll walk you through checking off every step of the ISO 27001 checklist below.
ISO 27001 Checklist
Appoint an ISO 27001 team
Build your ISMS
Create and publish ISMS policies, documents, and records
Conduct a risk assessment
Complete a Statement of Applicability (SoA) document
Implement ISMS policies and controls
Train team members on ISO 27001
Gather documentation and evidence
Undergo internal audit
Undergo a Stage 1 audit
Undergo a Stage 2 audit
Implement Stage 2 audit advice
Commit to subsequent audits and assessments
Perform ongoing improvements
ISO 27001 Compliance Checklist PDF
Prefer to download the checklist as an interactive PDF? Download it here to see all the steps you'll need to complete as you prepare for, achieve, and maintain compliance and check off tasks to stay organized and gauge your audit readiness.
How to become ISO 27001 certified
Need a bit more instruction on how to complete the steps above? We'll walk you through each step of the ISO 27001 implementation process below.
1. Appoint an ISO 27001 team
First, gather a dedicated team to oversee and own the ISO 27001 process.
This team will determine the scope of the certification process, create information management practices and policies, gain buy-in from stakeholders, and work directly with the auditor.
Depending on the size of your organization and the scope of the data you manage, you may be able to have just one person lead the project, or you may need a larger team. It can be helpful to appoint one lead project manager to oversee ISO 27001 and let them build a team around them.
Some of the traits to look for in the ideal ISO 27001 project manager are:
- Understanding of IT
- Familiarity with the organization’s business processes
- Background in project management
- Ability to communicate ISO 27001 details effectively
2. Build your information security management system (ISMS)
There’s a good chance your company already has an ad hoc system of information management in place. However, an informal approach like that isn’t going to cut it during an ISO 27001 audit.
In short, an information security management system, or ISMS, is the framework a company uses to manage information and risk. An ISMS consists of policies and procedures that spell out exactly how information will be stored and managed.
There are three pillars of an ISMS: people, processes, and technology.
ISO 27001 is the international standard that offers detailed instructions on how to create a best-in-class ISMS and how to meet compliance requirements.
We break down how to determine ISMS scope in three steps:
- Set the scope: Start by asking, “What information needs to be protected?” You’ll need to identify all locations where information is stored. This includes both physical and digital documents and information systems.
- Identify how that information can be accessed: Examine access controls and document every access point, such as an employee’s computer or a file cabinet.
- Determine what’s out of scope: A helpful question to ask is “What parts of the business need to create, access, or process our valuable information assets?” Any department or parties that fall outside of that category may not need to be included in the scope.

After you’ve determined your ISMS scope, you’ll need to create the scope statement of your ISO 27001 certificate. You’ll outline what’s in scope and out of scope related to products and services, locations, departments and people, technology, and networks.
It’s important to note that your ISMS is not static. As your company evolves, new processes and departments may be introduced. When this happens, it’s important to revisit your ISMS and make adjustments as needed.
3. Create and publish ISMS policies, documents, and records
Two big parts of the ISO 27001 process are documentation and sharing those documents internally. Doing so will help keep you accountable and build a foundation for establishing, implementing, maintaining, and continually improving the ISMS.
Here’s a list of ISMS documents you’ll need to compile:
- Scope of the ISMS (Clause 4.3)
- Information Security Policy (Clause 5.2)
- Risk assessment & treatment methodology (Clause 6.1.2)
- Statement of Applicability (SoA) (Clause 6.1.3 d)
- Risk treatment plan & security objectives (Clauses 6.1.3 e, 6.2; results in 8.3)
- Evidence of competence (Clause 7.2)
- Documented information necessary for ISMS effectiveness & processes (Clauses 7.5.1, 8.1)
- Results of risk assessments and treatments (Clauses 8.2, 8.3)
- Monitoring and measurement evidence (Clause 9.1)
- Internal audit program and results (Clause 9.2)
- Management review results (Clause 9.3)
- Nonconformities and corrective actions (Clause 10)
When creating your documents, you can customize policy templates with organization-specific policies, processes, and language.
Include information or references to supporting documentation regarding:
- Information security objectives
- Leadership and commitment
- Roles, responsibilities, and authorities
- Approach to assessing and treating risk
- Control of documented information
- Communication
- Internal audit
- Management review
- Corrective action and continual improvement
- Policy violations
4. Conduct a risk assessment
The next step in your ISO 27001 checklist is to conduct an internal risk assessment. This will identify potential risks to data security and judge the severity of those risks.
Similar to how you identified where all your sensitive data is stored in step two, you’ll do the same for risks your organization faces. After compiling a list of risks, determine the likelihood that these risks could occur.
Then, evaluate the potential impact of all identified risks. Think not only in terms of business continuity but also the financial impact a risk poses to your organization.
Using a risk matrix is a helpful way to identify the most important risks your organization faces. Here's an example of how that process could look:
- After identifying risks, sort them based on the likelihood that they may happen. For example, you could create a scale of 1–5, with 1 being unlikely and 5 being likely.
- Next, measure the potential impact of each risk. You can use another scale of 1–5, with 1 being an insignificant impact and 5 being catastrophic.
- You can then calculate the total risk of each identified threat (likelihood multiplied by impact) to help you prioritize the most urgent ones.
After ranking risks, create a risk treatment plan for each. Assign responsibilities to certain employees and track to completion.
5. Complete a Statement of Applicability (SoA) document
Consult ISO 27002 documentation to better familiarize yourself with the 93 controls of Annex A. You can think of Annex A as a collection of all possible security controls so you can find the ones that pertain to your organization.
Once you’ve selected the security measures that best address your identified risks, you can then create a Statement of Applicability (SoA).
The SoA states what ISO 27001 controls and policies are being applied by the organization. This document will outline what actions will be taken to address risks.
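The risk-matrix scoring from step 4 and the control mapping behind the SoA in step 5, as an added example that is not part of the original article. The risks, owners, score bands and the small Annex A control subset are constructed for illustration; your own risk methodology defines the real scales and thresholds.

```python
"""Added example: score a risk register on the 1-5 likelihood x 1-5 impact
matrix (step 4) and derive a Statement of Applicability from the selected
controls (step 5). Risks, owners and the control subset are constructed."""
from dataclasses import dataclass

# Constructed subset of the 93 Annex A (ISO/IEC 27001:2022) controls.
ANNEX_A_SUBSET = {
    "A.5.23": "Information security for use of cloud services",
    "A.7.9": "Security of assets off-premises",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
    "A.8.28": "Secure coding",
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat: str
    likelihood: int       # 1 = unlikely .. 5 = likely
    impact: int           # 1 = insignificant .. 5 = catastrophic
    owner: str            # employee accountable for treating the risk
    controls: tuple = ()  # Annex A controls chosen to treat it

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale")
        if set(self.controls) - set(ANNEX_A_SUBSET):
            raise ValueError("control id not in the Annex A catalogue")
    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # total risk, 1..25

def rating(score: int) -> str:
    """Example bands; set the thresholds in your own risk methodology."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def prioritize(risks):
    """Most urgent first, ties broken by id for a reproducible order."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))

def treatment_plan(risks, threshold=8):
    """Risks at or above the threshold get an owned, tracked treatment entry;
    lower ones are accepted and only recorded in the register."""
    return [{"risk": r.risk_id, "score": r.score, "rating": rating(r.score),
             "owner": r.owner, "controls": list(r.controls)}
            for r in prioritize(risks) if r.score >= threshold]

def statement_of_applicability(risks):
    """One row per catalogue control: applicable if some risk selects it,
    otherwise excluded with a justification the ISMS team must supply."""
    rows = []
    for cid, title in ANNEX_A_SUBSET.items():
        treated = [r.risk_id for r in risks if cid in r.controls]
        rows.append({"control": cid, "title": title, "applicable": bool(treated),
                     "justification": f"treats {', '.join(treated)}" if treated
                     else "EXCLUDED: justification required"})
    return rows

# Constructed sample register; scores are R1=15, R2=12, R3=8, R4=2.
SAMPLE_RISKS = [
    Risk("R1", "ransomware hits customer database", 3, 5, "head of IT", ("A.8.13", "A.8.8")),
    Risk("R2", "unencrypted laptop lost off-site", 4, 3, "IT ops lead", ("A.8.24", "A.7.9")),
    Risk("R3", "exploitable defect in web app", 2, 4, "engineering lead", ("A.8.28", "A.8.8")),
    Risk("R4", "after-hours access to file cabinet", 1, 2, "office manager"),
]
```

Running `statement_of_applicability(SAMPLE_RISKS)` leaves A.5.23 marked excluded, which is exactly the kind of row an auditor will ask you to justify in the SoA.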
6. Implement ISMS policies and controls
After identifying risks and developing risk management processes, you can begin implementing the information security policy. This policy is a high-level overview of how your organization approaches information security. You can download a free information security policy template here.
The ISMS is at the heart of ISO 27001. The standard offers step-by-step instructions for how to protect data from threats and vulnerabilities. Organizations often turn to the Plan-Do-Check-Act (PDCA) method to help them put an ISMS plan in place.
Here’s a look at what the PDCA method looks like in practice:
- Plan: Review current cybersecurity management processes and identify gaps compared to the ISO 27001 ISMS requirements.
- Do: Roll out the new ISMS controls and policies.
- Check: Monitor and review ISMS and make changes as necessary.
- Act: Maintain and improve ISMS over time.
Comb through ISO 27001 clauses 4-10 and the Annex A controls to ensure you’ve met all the requirements. Continue to perform ongoing effectiveness monitoring of your ISMS rollout.
This is also the point at which you should begin informing employees of any new procedures related to the ISMS that may impact their day-to-day duties. Share policies with employees and track that they’re being reviewed.
7. Train team members on ISO 27001
Hold regular trainings for employees to familiarize them with ISO 27001 and the company’s ISMS.
Go over terms related to ISO 27001 that may be new to them and highlight the importance of becoming certified.
This is also a time to define expectations for staff regarding their role in ISMS maintenance. Educate employees on what may happen should the company fall out of compliance with data security requirements.
This will help highlight the importance of your ISMS and plant the seed of security awareness in your team.
8. Gather documentation and evidence
If there’s one word you’ll hear over and over again when it comes to ISO 27001, it’s this: documentation. The more documentation you complete prior to the audit stages, the better.
Now is the time to prepare all ISO 27001 required documents and records for reference during the audits.
9. Undergo an internal audit
Once your ISMS is in decent shape, plan an internal audit to see where your company lands on the path to certification.
Choose an independent and objective auditor to perform the internal audit. When the audit is complete, record and remediate the internal audit results before scheduling the Stage 1 audit.
10. Undergo a Stage 1 audit
Select an accredited ISO 27001 auditor to conduct a Stage 1 audit. Within this external audit, they’ll be reviewing documentation required for ISO 27001 certification.
Once they’ve finished going through all the documentation, they will identify any gaps or places where your ISMS fails to meet the ISO 27001 standard.
11. Undergo a Stage 2 audit
At this point your auditor will perform tests on your ISMS to evaluate its implementation and functionality. They will also see how your ISMS stacks up against applicable Annex A controls.
The point of this audit is to ensure that the processes reviewed on paper during the Stage 1 audit are actually being followed company-wide.
12. Implement Stage 2 audit advice
Take all recommendations from the auditor to heart. Once all major nonconformities have been addressed, the auditor will send a draft certificate of ISO 27001 compliance to the organization for review.
The company then makes any minor adjustments before sending it back to the auditor. Then the auditor will publish the certificate, and your ISO 27001 certification is official.

13. Commit to periodic audits and assessments
Becoming ISO 27001 certified isn’t the final step. To maintain continuous compliance with ISO 27001, your organization must commit to ongoing audits and assessments.
An ISO 27001 certificate lasts for three years. During that time, ISO 27001 requires organizations to conduct a surveillance audit each year to ensure a compliant ISMS hasn’t lapsed.
Here are additional steps to take to ensure compliance:
- Hold management reviews at least once per year or on a quarterly review cycle.
- Prepare for first- and second-year surveillance audits.
- Perform annual risk assessments.
- Prepare for the third-year renewal audit.
14. Perform ongoing improvements
Your ISMS will go through changes after ISO 27001 certification. When you change your software providers or you’re working with new suppliers, this may require revising your ISMS.
Your ISO 27001 team should be updating your ISMS as needed and documenting each change. Additionally, any threats to your ISMS that were identified and remediated need to be documented.
This will not only make your next certification process easier, but will highlight nonconformities that may impact the overall security of your data.
Achieve and maintain ISO 27001 compliance with Secureframe
If this process seems a little grueling, that’s because it is.
However, organizations like Secureframe make this process much simpler. Our compliance automation platform streamlines the entire ISO 27001 audit process, saving you hundreds of hours and thousands of dollars.
We have partnerships with dozens of auditors and can match you with an audit firm that’s already well-versed in your industry. We also provide access to ISO 27001 experts who can walk you through all of the intricacies that trip up many businesses on the path to certification.
Simply put, Secureframe has your back throughout every step of the ISO 27001 process. To find out how we can help you, request a demo today.
FAQs
What is an ISO 27001 audit checklist?
An ISO 27001 checklist is a list of requirements organizations have to meet to become ISO 27001 certified. Creating a checklist can help organize your efforts, identify any gaps in your compliance posture, and ensure you’re fully prepared for a certification audit.
What are the 14 domains of ISO 27001?
In the previous ISO 27001:2013 standard, Annex A controls were divided into 14 domains.
In 2022, the ISO 27001 standard was updated and these 14 domains were consolidated and reorganized into four themes, numbered as Clauses 5–8:
- Clause 5: Organizational Controls (37 controls)
- Clause 6: People Controls (8 controls)
- Clause 7: Physical Controls (14 controls)
- Clause 8: Technological Controls (34 controls)
What changed in ISO/IEC 27001:2022 compared to 2013?
The biggest change is Annex A: controls were consolidated from 114 to 93 and organized into four themes (Organizational, People, Physical, Technological). Clause text was lightly refined, but the ISMS management framework in Clauses 4–10 remains consistent. If you’re still on 2013, plan your transition now.
When is the deadline to transition from ISO 27001:2013 to ISO 27001:2022?
Certification bodies stop recognizing 2013 certificates after October 31, 2025. New and recertification audits have been conducted to the 2022 edition since May 1, 2024.
How many controls are in ISO 27001:2022?
There are 93 Annex A controls across the four themes: Organizational, People, Physical, and Technological.
What documents are mandatory for ISO 27001:2022?
At minimum: ISMS scope, information security policy, risk methodology, SoA, risk treatment plan and objectives, competence records, monitoring/measurement evidence, internal audit program and results, management review results, and nonconformities with corrective actions.
What’s the difference between Stage 1 and Stage 2 audits?
Stage 1 reviews documentation and readiness; Stage 2 validates implementation and effectiveness through sampling, interviews, and testing.
How often does ISO 27001:2022 require risk assessments and management reviews?
At least annually, and whenever significant changes occur; the standard expects risk assessments and management reviews at planned intervals and in response to change. Most organizations align them with their surveillance audit cadence and with significant product or organizational changes.
Does ISO 27001 certify a specific product, a system, or the whole company?
ISO 27001 certifies whatever is included in your ISMS scope, which can be your whole organization or a defined part. The scope statement on your certificate explains what is covered.
How long does ISO 27001 certification take?
Typical ranges are a few months for smaller, focused scopes and longer for complex, multi-site scopes. Your readiness, documentation quality, and resource availability drive timing, so treat these ranges as guidance rather than a guarantee.
What is the Statement of Applicability (SoA) and why is it important?
It maps your risk-driven control decisions to Annex A, justifying inclusions or exclusions. Auditors rely on it to evaluate whether your controls are appropriate and implemented.