Illustration of an ISO 27001 checklist and an ISO 27001 shield in front of a light purple background

ISO 27001 Checklist: Your 14-Step Roadmap for Becoming ISO Certified

  • December 06, 2023

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Cavan Leung

Senior Compliance Manager at Secureframe

As one of the most respected frameworks internationally, ISO/IEC 27001 is an optimal certification for companies looking to bolster their information security and build customer trust. 

However, getting ISO 27001 certified isn’t exactly a walk in the park. 

There are many hours and weeks ahead of you as you begin your certification process. The things worth having don’t always come easy, right?

To help make preparing for an ISO 27001 certification easier, and thus your job, easier, we’ve created a step-by-step, interactive ISO 27001 checklist. It includes all the major and minor tasks you’ll need to complete as you seek certification. 

Interactive ISO 27001 checklist: A step-by-step guide

While it would be nice to snap your fingers and become ISO 27001 certified, the certification process requires a good deal of time. 

The certification timeframe will depend on the size of your company and the complexity of the data you keep. 

A small- to medium-sized business can expect to be audit-ready in about four months, then through the audit in six months. Larger organizations might require more than a year.

While this checklist serves as an overview of the steps to becoming ISO 27001 compliant, this process will look different for each company. Factors like the size of a company or the maturity of their risk management strategies may affect these steps. 

Ready to get started? We’ll walk you through checking off every step of the ISO 27001 checklist below.

ISO 27001 Checklist

Appoint an ISO 27001 team

Build your ISMS

Create and publish ISMS policies, documents, and records

Conduct a risk assessment

Complete a Statement of Applicability (SoA) document

Implement ISMS policies and controls

Train team members of ISO 27001

Gather documentation and evidence

Undergo internal audit

Undergo a Stage 1 audit

Undergo a Stage 2 audit

Implement Stage 2 audit advice

Commit to subsequent audits and assessments

Perform ongoing improvements

How to become ISO 27001 certified

Need a bit more instruction on how to complete the steps above? We'll walk you through each step of the ISO 27001 implementation process below. 

Blue rectangle with white text reading: Download your ISO 27001 checklist

1. Appoint an ISO 27001 team

First, gather a dedicated team to oversee and own the ISO 27001 process. 

This team will determine the scope of the certification process, create information management practices and policies, gain buy-in from stakeholders, and work directly with the auditor. 

Depending on the size of your organization and the scope of the data you manage, you may be able to have just one person lead the project, or you may need a larger team. It can be helpful to appoint one lead project manager to oversee ISO 27001 and let them build a team around them. 

Some of the traits to look for in the ideal ISO 27001 project manager are:

  • Understanding of IT
  • Familiarity with the organization’s business processes
  • Background in project management
  • Ability to communicate ISO 27001 details effectively

2. Build your information security management system (ISMS)

There’s a good chance your company already has an ad hoc system of information management in place. However, that type of asset management isn’t going to cut it during an ISO 27001 audit.

In short, an information security management system, or ISMS, is the framework a company uses to manage information and risk. An ISMS consists of policies and procedures that spell out exactly how information will be stored and managed. 

There are three pillars of an ISMS: people, processes, and technology. 

ISO 27001 is the international standard that offers detailed instructions on how to create a best-in-class ISMS and how to meet compliance requirements. 

We break down how to determine ISMS scope in three steps:

  • Set the scope: Start by asking, “What information needs to be protected?” You’ll need to identify all locations where information is stored. This includes both physical and digital documents and information systems.
  • Identify how that information can be accessed: Examine access controls and document every access point, such as an employee’s computer or a file cabinet. 
  • Determine what’s out of scope: A helpful question to ask is “What parts of the business need to create, access, or process our valuable information assets?” Any department or parties that fall outside of that category may not need to be included in the scope. 

Text describing how to determine an ISMS scope next to an illustration of a man in a blue shirt contemplating his data and how to manage it

After you’ve determined your ISMS scope, you’ll need to create the scope statement of your ISO 27001 certificate. You’ll outline what’s in scope and out of scope related to products and services, locations, departments and people, technology, and networks.

It’s important to note that your ISMS is not static. As your company evolves, new processes and departments may be introduced. When this happens, it’s important to revisit your ISMS and make adjustments as needed. 

3. Create and publish ISMS policies, documents, and records 

Two big parts of the ISO 27001 process are documentation and sharing those documents internally. Doing so will help keep you accountable and build a foundation for establishing, implementing, maintaining, and continually improving the ISMS. 

Here’s a list of ISMS documents you’ll need to compile:

  • Clause 4.3: Scope of the ISMS
  • Clause 5.2: Information security policy
  • Clause 5.5.1: Any documented information the organization sees as necessary to support ISMS
  • Clause 6.1.2: Information security risk assessment process/methodology
  • Clause 6.1.3: Information security risk treatment plan and Statement of Applicability (SoA)
  • Clause 6.2: Information security objectives
  • Clause 7.1.2 and 13.2.4: Defined security roles and responsibilities
  • Clause 7.2: Evidence of competence
  • Clause 8.1: Asset inventory, acceptable use of assets, and operational planning
  • Clause 8.2 and 8.3: Results of the information security risk assessment and information security risk treatment
  • Clause 9.1: Access control policy, evidence of ISMS monitoring and tracking metrics
  • Clause 9.2: A documented internal audit process and completed internal audit reports
  • Clause 9.3: Results of management reviews
  • Clause 10.1: Evidence of any non-conformities and corrective actions taken
  • Clause 12.4: User activity, exceptions, and security incident logs

When creating your documents, you can customize policy templates with organization-specific policies, processes, and language. 

Include information or references to supporting documentation regarding:

  • Information security objectives
  • Leadership and commitment
  • Roles, responsibilities, and authorities
  • Approach to assessing and treating risk
  • Control of documented information
  • Communication
  • Internal audit
  • Management review
  • Corrective action and continual improvement
  • Policy violations

4. Conduct a risk assessment

The next step in your ISO 27001 checklist is to conduct an internal risk assessment. This will identify potential risks to data security and judge the severity of those risks.

Similar to how you identified where all your sensitive data is stored in step two, you’ll do the same for risks your organization faces. After compiling a list of risks, determine the likelihood that these risks could occur. 

Then, evaluate the potential impact of all identified risks. Think not only in terms of business continuity but also the financial impact a risk poses to your organization. 

Using a risk matrix is a helpful way to identify the most important risks your organization faces. Here's an example of how that process could look

  • After identifying risks, you can sort them based on the likelihood that they may happen. For example, you could create a scale of 1-5, with one being unlikely and 5 being likely. 
  • Next, you’ll measure the potential impact of each risk. You can use another scale of 1-5, with 1 being an insignificant impact and 5 being catastrophic. 
  • You can then calculate the total risk of each identified threat to help you prioritize the most urgent ones. 

After ranking risks, create a risk treatment plan for each. Assign responsibilities to certain employees and track to completion. 

5. Complete a Statement of Applicability (SoA) document 

Consult ISO 27002 documentation to better familiarize yourself with the 114 controls of Annex A. You can think of Annex A as a collection of all possible security controls so you can find the ones that pertain to your organization. 

Once you’ve selected the security measures that best address your identified risks, you can then create a Statement of Applicability (SoA). 

The SoA states what ISO 27001 controls and policies are being applied by the organization. This document will outline what actions will be taken to address risks. 

6. Implement ISMS policies and controls 

After identifying risks and developing risk management processes, you can begin implementing the information security policy. This policy is a high-level overview of how your organization approaches information security. You can download a free information security policytemplate here.

The ISMS is at the heart of ISO 27001. The standard offers step-by-step instructions for how to protect data from threats and vulnerabilities. Organizations often turn to the Plan-Do-Check-Act (PDCA) method to help them put an ISMS plan in place. 

Here’s a look at what the PDCA method looks like in practice: 

  • Plan: Review current cybersecurity management processes and identify gaps compared to the ISO 27001 ISMS requirements. 
  • Do: Roll out the new ISMS controls and policies.
  • Check: Monitor and review ISMS and make changes as necessary. 
  • Act: Maintain and improve ISMS over time. 

Comb through ISO 27001 clauses 4-10 and the Annex A controls to ensure you’ve met all the requirements. Continue to perform ongoing effectiveness monitoring of your ISMS rollout. 

This is also the point at which you should begin informing employees of any new procedures related to the ISMS that may impact their day-to-day duties. Share policies with employees and track that they’re being reviewed.  

7. Train team members on ISO 27001 

Hold regular trainings for employees to familiarize them with ISO 27001 and the company’s ISMS. 

Go over terms related to ISO 27001 that may be new to them and highlight the importance of becoming certified. 

This is also a time to define expectations for staff regarding their role in ISMS maintenance. Educate employees on what may happen should the company fall out of compliance with data security requirements. 

This will help highlight the importance of your ISMS and plant the seed of security awareness in your team. 

8. Gather documentation and evidence 

If there’s one word you’ll hear over and over again when it comes to ISO 27001 it’s this: documentation. The more documentation you do prior to the audit stages, the better. 

Now is the time to prepare all ISO 27001 required documents and records for reference during the audits. 

9. Undergo internal audit

Once your ISMS is in decent shape, plan an internal audit to see where your company lands on the path to certification.

Choose an independent and objective auditor to perform the internal audit. When the audit is complete, record and remediate the internal audit results before scheduling the Stage 1 audit.

10. Undergo a Stage 1 audit 

Select an accredited ISO 27001 auditor to conduct a Stage 1 audit. Within this external audit, they’ll be reviewing documentation required for ISO 27001 certification. 

Once they’ve finished going through all the documentation, they will identify any gaps or places where your ISMS fails to meet the ISO 27001 standard.

11. Get a Stage 2 audit 

At this point your auditor will perform tests on your ISMS to evaluate its implementation and functionality. They will also see how your ISMS stacks up against applicable Annex A controls. 

The point of this audit is to ensure that the processes you began in the stage one audit are being followed company-wide. 

12. Implement Stage 2 audit advice 

Take all recommendations from the auditor to heart. Once all major nonconformities have been addressed, the auditor will send a draft certificate of ISO 27001 compliance to the organization for review. 

The company then makes any minor adjustments before sending it back to the auditor. Then the auditor will publish the certificate, and your ISO 27001 certification is official.    

Text describing the differences between a major and minor nonconformity. The minor nonconformity is depicted as an error message on a sheet of paper and the major nonconformity is depicted as a broken lock.

13. Commit to subsequent audits and assessments  

Becoming ISO 27001 certified isn’t the final step. To maintain continuous compliance with ISO 27001, your organization must commit to ongoing audits and assessments.

An ISO 27001 certificate lasts for three years. During that time, ISO 27001 requires organizations to conduct a surveillance audit each year to ensure a compliant ISMS hasn’t lapsed. 

Here are additional steps to take to ensure compliance: 

  • Hold management reviews at least once per year or on a quarterly review cycle. 
  • Prepare for first- and second-year surveillance audits.
  • Perform annual risk assessments.
  • Prepare for the third-year renewal audit.

14. Perform ongoing improvements 

Your ISMS will go through changes after ISO 27001 certification. When you change your software providers or you’re working with new suppliers, this may require revising your ISMS. 

Your ISO 27001 team should be updating your ISMS as needed and documenting each change. Additionally, any threats to your ISMS that were identified and remediated need to be documented. 

This will not only make your next certification process easier, but will highlight nonconformities that may impact the overall security of your data.

Achieve and maintain ISO 27001 compliance with Secureframe

If this process seems a little grueling, that’s because it is. 

However, organizations like Secureframe make this process much simpler. Our compliance automation platform streamlines the entire ISO 27001 audit process, saving you hundreds of hours and thousands of dollars. 

We have partnerships with dozens of auditors and can match you with an audit firm that’s already well-versed in your industry. We also provide access to ISO 27001 experts who can walk you through all of the intricacies that trip up many businesses on the path to certification.

Simply put, Secureframe has your back throughout every step of the ISO 27001 process. To find out how we can help you, request a demo today. 

Use trust to accelerate growth



What is an ISO 27001 audit checklist?

An ISO 27001 checklist is a list of requirements organizations have to meet to become ISO 27001 certified. Creating a checklist can help organize your efforts, identify any gaps in your compliance posture, and ensure you’re fully prepared for a certification audit. 

What are the 14 domains of ISO 27001?

In the previous ISO 27001:2013 standard, Annex A controls were divided into 14 domains. 

In 2022, the ISO 27001 standard was updated and these 14 domains were consolidated and reorganized into 4 clauses: 

  • Clause 5: Organizational Controls (37 controls)
  • Clause 6: People Controls (8 controls)
  • Clause 7: Physical Controls (14 controls)
  • Clause 8: Technological Controls (34 controls)