ISO 27001 compliance and certification checklist

Cyberday blog

ISO 27001 is the globally recognized best practice for managing your information security and running an ISMS (information security management system).

There are many different ways to benefit from ISO 27001. Some organizations clearly set certification as their goal, since it provides the strongest evidence of compliance. Others are first just looking for a benchmark that helps them improve information security according to best practices.

This checklist is designed for organizations pursuing certification, but here's a summary of the most common approaches towards ISO 27001:

  • Use ISO 27001 as a benchmark for improvement: Cherry-pick good practices to implement in your own security measures and find good guidance to improve step by step.
  • Find your ISO 27001 compliance level: Compare your current measures against ISO 27001 to understand how well you currently match its best practices, so you can set goals for the future.
  • Get ISO 27001 compliant: Set it as an internal goal to comply with the whole standard, so you're ready to report on your ISO 27001 compliance e.g. towards customers or authorities.
  • Get ISO 27001 certified: When you want the strongest possible evidence of your ongoing compliance, and want to ensure you continuously improve your ISMS, you get fully compliant, partner up with an accredited auditor and go through a certification audit.

In this article we will mainly focus on going all the way to certification, and describe the key steps along the way.

How to reach ISO 27001 certification?

At its core, the ISO 27001 standard includes 22 security management requirements and 93 information security controls. Your end goal is to prove how you comply with the requirements and how you have implemented the relevant controls.

Along the way towards this goal, there are many different kinds of information security management steps, some of which need different kinds of expertise and participation. In this article, we'll explain the key steps in building a certification-ready, ISO 27001 compliant ISMS.

This article will present the following ISO 27001 certification steps:

  1. Understand the basics of ISO 27001
  2. Define the ISMS scope
  3. Choose your ISMS building method
  4. Establish an ISMS team and assign roles
  5. Evaluate your starting information security maturity
  6. Create and assign your asset inventory
  7. Create personnel guidelines
  8. Start work on information security risk management
  9. Work on the Statement of Applicability (SoA, ISO 27001 compliance report) to get certification-ready
  10. Create and review needed documents / policies / reports
  11. Conduct regular management reviews
  12. Perform an ISO 27001 internal audit
  13. Go through an external audit of ISMS to obtain ISO 27001 certification
  14. Plan for running the ISMS and upcoming internal and surveillance audits

1. Understand the basics of ISO 27001

Before you actually start taking the implementation steps for building your ISMS and progressing towards being compliant and certification-ready, you should understand enough about the purpose of the ISO 27001 standard and its main contents.

You don't need to get into the details at this stage. There are many information security topics that ISO 27001 covers, but the structure and the types of content are actually quite simple.

ISO 27001 standard includes:

  • 22 information security management requirements: These ensure you define your information security program clearly and manage it properly.
    • Requirements cover topics like top management commitment, information security risk management, allocating resources for the security work, monitoring your security performance and continuously improving.
  • 93 information security controls: These ensure you're taking good care of the confidentiality, integrity and availability of data.
    • Controls cover topics like continuity planning, supplier security, access control, change management, personnel awareness, secure on- and offboarding, encryption, network security, endpoint security, backups, building security, and so on.
    • In the current version of ISO 27001, the controls are grouped into four categories: organizational, people, physical and technological controls.

Understanding the standard will e.g. help you set goals for the progress and define who needs to be involved in the next steps.

You can learn more about the standard by e.g. reading our detailed What is ISO 27001 blog post or participating in our weekly ISO 27001 webinars.

2. Define the ISMS scope

Defining the scope of the information security management system is an important step in implementing ISO 27001. It determines which parts of your activities (e.g. assets, processes, departments, locations, or technologies) will be covered by the ISMS.

Common approaches to ISMS scope definition include:

  • 🌍 Organization-wide approach: Here the ISMS covers all locations, assets, employees, and processes. Best for organizations that don't need to build additional complexity and want to achieve full compliance across all operations.
  • 🏢 Department-specific approach: The ISMS focuses on defined specific teams (e.g., IT, finance, R&D).
  • ☁️ System or service-specific approach: The ISMS covers defined specific IT systems or applications (e.g., cloud platforms, data centers).

If at all possible in your operations, taking the organization-wide approach will create compliance that is also a lot easier to communicate towards your stakeholders (e.g. customers and partners). Smart ISMS tools will in any case help you target the implementation by e.g. department or service.

3. Choose your ISMS building method

When implementing an ISMS, organizations can use many different tools or other technical methods to manage the information related to control implementation, personnel guidelines, risk assessments, other documentation, and the monitoring and reporting of compliance. The choice of tools depends on factors like company size, budget, and compliance needs.

Common ISMS building approaches include:

  • 📄 Using Word, Excel, and PDFs (manual, document-based ISMS)
    • Here you create needed security policies, asset listings, risk registers in basic documents and track compliance progress manually.
    • ✔️ Pros: Low-cost, simple to start.
    • Cons: Time-consuming and difficult to manage (e.g. version control) at scale. Doesn't support teamwork. Requires manual monitoring.
  • 📚 Knowledge base or wiki-based ISMS
    • Here you store ISMS documentation, policies, and procedures in a wiki-like tool.
    • ✔️ Pros: Centralized and easy to change. Some support for collaboration, but not delegation and monitoring.
    • Cons: No structured compliance tracking. Not designed for ISMS maintenance, so a lot of manual creation work and manual control mapping is needed, and there are no ISMS-specific tools.
  • 🛠 Dedicated ISMS tools (recommended)
    • Here you work towards your selected frameworks (ISO 27001, NIS2, GDPR, etc.) with the help of control implementation tools, example content and templates, risk assessment tools and automated compliance monitoring and reporting.
    • ✔️ Pros: Automates compliance and risk tracking, maps your measures to requirements in multiple frameworks, saves your time and reduces effort required for audits and certification.
    • Cons: Learning curve in the beginning and additional cost. The learning curve can be significantly reduced with tools that integrate well with your current collaboration environments (e.g. M365, Slack).
  • 🔍 Using GRC (Governance, Risk, and Compliance) tools
    • Here you aim to centralize enterprise risk management to a single system and handle information security aspects there too.
    • ✔️ Pros: Good when a larger enterprise has a robust risk and compliance program already.
    • Cons: Overkill for many, as they are expensive and often require significant setup. Focus is on the risk approach, with limited support for implementing security measures.

You should choose the technical approach based on your organization's size, current needs, budget, and technical maturity.

4. Establish an ISMS team and assign roles

Building an effective ISMS requires a clearly assigned team with roles and responsibilities. Usually you'll find people to fit these roles quite naturally in your current teams, but making the choices explicit will help your progress. The ISMS team drives ISO 27001 compliance progress while managing risk and improving security measures.

Key roles in an ISMS team often include:

  1. ISMS owner / Information security responsible / CISO: Oversees ISMS implementation, confirms controls and main procedures, ensures compliance, reports to senior management and secures their commitment.
  2. ISMS admin: Manages daily operations, documentation, and audits. Often has a big role in defining and implementing organizational controls.
  3. Technical security responsible: Defines and implements technical controls, monitors security incidents, and enforces access controls.
  4. Risk manager: Is the main person responsible for initiating risk assessments, evaluating different threats, and preparing possible mitigation strategies.
  5. Internal auditor: Reviews ISMS effectiveness, performs audits, and suggests improvements.
  6. HR & awareness coordinator: Oversees security awareness training and the creation of security guidelines, and enforces employee compliance.

Team size of course depends on your organization, and not all roles are mandatory in the beginning. Even a single person can start the work, but it's good to understand that different kinds of expertise are usually needed in different areas of information security.

5. Evaluate your starting information security maturity

All organizations will have some basic information security measures already implemented. When starting ISO 27001 implementation, your organization can get a motivating start by assessing the compliance level already reached with current security measures.

This can be done e.g. in an ISMS tool that helps you identify current measures through suggestions (e.g. if you have malware protection installed, you're already making progress towards implementing some related controls).

This initial analysis helps to

  • connect current information security work to ISO 27001 framework's requirements and controls
  • identify areas that are currently handled worst (major gaps)
  • set realistic goals for the progress
  • prioritize efforts to build a working ISMS efficiently

Your compliance report in Cyberday may look something like this after the initial evaluation.

6. Create and assign your asset inventory

An asset inventory is crucial for ISO 27001 compliance because it provides visibility into the organization's overall data processing environment.

Assets can be categorized e.g. into:

  • Information assets: Databases, customer records, intellectual property, documents
  • Software assets: Applications, cloud services, operating systems
  • Hardware assets: Laptops, servers, network devices, IoT devices
  • Physical assets: Data centers, office spaces, filing cabinets
  • Human assets: Employees, teams, contractors, third-party vendors

An up-to-date asset inventory is a key requirement in ISO 27001, but here are examples of the additional important benefits it provides for the security work:

  • 🔹 Gives the organization an overview and understanding of the important information assets that are needed to run its operations.
  • 🔹 Supports the implementation of many information security controls (e.g. access control, data classification, supplier security) by defining asset ownership, owner responsibilities and priority levels for different assets.
  • 🔹 Helps in risk assessments by identifying critical assets that need to be especially well protected (and require e.g. specific risk assessments).

7. Create information security guidelines for employees

Establishing clear security guidelines for your employees and ensuring their adequate information security awareness are key steps in your ISO 27001 compliance.

Your security guidelines should make it crystal clear to employees what the security expectations for them are. The key role of each employee in your information security program is to know their guidelines and follow them in their everyday work.

Your employee security guidelines should cover topics like:

  • Acceptable use of information assets: Rules for e.g. using company-owned devices (laptops, phones, USB drives) and work email. Restrictions on personal use of corporate IT resources.
  • Access control & authentication: Password management best practices (e.g. complexity, rotation), multi-factor authentication (MFA) requirements, rules for granting access.
  • Privacy & data classification: Handling of confidential and sensitive information, data classification levels (e.g. public, internal, confidential, restricted). Secure storage and disposal of data.
  • Phishing & social engineering awareness: Recognizing phishing emails, phone scams, and impersonation attempts. How to report suspicious emails or activities.
  • Remote work guidelines: Locking screens when away from devices, encrypting sensitive data, use of VPN, clean desk guidelines.
  • Incident reporting: How to report security incidents (e.g. lost devices, data breaches), whom to contact in case of security concerns.
  • Physical security: Securing workstations, access badges, and printed documents. Restricted access to sensitive areas (server rooms, data centers). Procedures for visitors.
  • Other software usage: Prohibition of unauthorized software installations, use of company-approved cloud services and storage.
  • General security responsibilities: Employees' role in maintaining information security, expected compliance with company policies, consequences of security violations.

Through your security guidance and awareness processes you ensure that those aspects of information security are also covered which cannot be handled technologically or through the core ISMS team's own actions.

8. Start work on information security risk management

A key process in ISO 27001 is information security risk management. Risk management should be your main tool for evaluating the implementation of your controls and policies and for continuously improving them.

Before your first ISO 27001 certification, you'll need to be able to prove you have a robust procedure for information security risk management and you're implementing it with clear results.

These are the key steps in this process:

  • Establish and document a risk management procedure to ensure the work is carried out consistently.
  • Identify relevant threats through which your data, your data systems, or other services could be compromised.
  • Evaluate these risks by defining their likelihood and impact.
  • Take the highest risks (those above your acceptable risk level) into risk treatment, and define risk treatment plans to bring them down to acceptable levels.

We've written in detail on a separate blog post about our recommended and built-in risk management process in Cyberday.

Risk-driven thinking is important to learn during the initial ISO 27001 process, but its importance arguably grows further as your ISMS matures and you're looking for further improvements to your security posture after reaching initial compliance.

9. Work on the Statement of Applicability (SoA, ISO 27001 compliance report) to get certification-ready

The controls listing (Annex A, with implementation guidance in the separate ISO 27002 document) is the section of the ISO 27001 standard that lists the security controls you should implement to be compliant.

With strong justifications, you can decide to categorize some of the controls as "not applicable" for your organization. But this should be done only after a careful risk analysis (see the previous step). In reality, many of the controls listed in ISO 27001 are so fundamental to information security that skipping them is rarely possible.

A key part of your compliance process is completing a report called the Statement of Applicability (often referred to as SoA) that summarizes:

  • which controls you have implemented
  • how you have implemented these controls
  • for the controls that are seen as not applicable, why this is
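As an added example (not Cyberday's code or an official ISO artefact), here is a small Python check that reads an SoA as structured data and flags the gaps an auditor would ask about: applicable controls not yet implemented or implemented without a description, and controls marked not applicable without a justification. It also summarizes coverage per control category. The control IDs and texts are constructed sample entries that follow Annex A numbering.

```python
"""Statement of Applicability (SoA) consistency check.

Added example, not Cyberday's code. SAMPLE_SOA holds constructed entries
modelled on ISO 27001 Annex A numbering; the four categories are the
control groups of ISO 27001:2022 (organizational, people, physical,
technological).
"""
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str            # Annex A style identifier, e.g. "A.5.1"
    title: str
    category: str              # organizational / people / physical / technological
    applicable: bool           # False only with a risk-based justification
    implemented: bool = False
    implementation: str = ""   # how the control is implemented (required if implemented)
    justification: str = ""    # why the control is not applicable (required if not applicable)


VALID_CATEGORIES = {"organizational", "people", "physical", "technological"}


def check_soa(controls):
    """Return the findings an auditor would raise when reading this SoA."""
    findings, seen = [], set()
    for c in controls:
        if c.control_id in seen:
            findings.append(f"{c.control_id}: listed twice")
        seen.add(c.control_id)
        if c.category not in VALID_CATEGORIES:
            findings.append(f"{c.control_id}: unknown category '{c.category}'")
        if not c.applicable:
            # Exclusions must be justified; an excluded control cannot be "implemented".
            if not c.justification.strip():
                findings.append(f"{c.control_id}: not applicable without justification")
            if c.implemented:
                findings.append(f"{c.control_id}: marked implemented but not applicable")
        elif c.implemented and not c.implementation.strip():
            findings.append(f"{c.control_id}: implemented without description")
        elif not c.implemented:
            findings.append(f"{c.control_id}: applicable but not yet implemented")
    return findings


def coverage_by_category(controls):
    """Per category: (implemented, applicable) counts for a compliance report."""
    counts = {cat: [0, 0] for cat in sorted(VALID_CATEGORIES)}
    for c in controls:
        if c.applicable and c.category in counts:
            counts[c.category][1] += 1
            counts[c.category][0] += int(c.implemented)
    return {cat: tuple(v) for cat, v in counts.items()}


def certification_ready(controls):
    """True when every applicable control is implemented and every exclusion justified."""
    return not check_soa(controls)


# Constructed sample SoA: two complete entries, one justified exclusion, two gaps.
SAMPLE_SOA = [
    Control("A.5.1", "Policies for information security", "organizational", True, True,
            "Policy approved by top management, published on the intranet, reviewed yearly"),
    Control("A.6.3", "Awareness, education and training", "people", True, True,
            "Onboarding training plus quarterly guideline acknowledgements"),
    Control("A.7.4", "Physical security monitoring", "physical", False,
            justification="No own premises; serviced office monitored by landlord (risk R-12)"),
    Control("A.8.7", "Protection against malware", "technological", True, True, ""),
    Control("A.8.9", "Configuration management", "technological", True, False),
]

if __name__ == "__main__":
    for line in check_soa(SAMPLE_SOA):
        print("FINDING:", line)
    print(coverage_by_category(SAMPLE_SOA))
```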

With the help of the SoA document (or e.g. the automated ISO 27001 compliance report in Cyberday), you can get an overview of your control implementation and work steadily towards having all controls covered with your answers.

A certification-ready compliance report in Cyberday should start looking more like this.

10. Create and review needed documents / policies / reports

In information security, documentation is mainly a mechanism to ensure consistency, accountability, and auditability of your ISMS. Most of the documentation can be in any format, e.g. descriptions of the different tasks in your ISMS. But the ISO 27001 standard does specifically define some key documents, which need to be gathered together and be easily shareable, e.g. with the auditor.

Key documents you'll usually need to share with the auditor at the start of an ISO 27001 certification audit are:

  • Statement of Applicability (SoA)
  • ISMS description and scope
  • Organizational information security policy
  • Risk management procedure
  • Internal audit procedure + results of previous audit
  • Management review procedure + results of previous review
  • Personnel awareness procedure

We've written in detail on a separate blog post about the most important documents in an ISO 27001 certification audit.

11. Conduct a first management review

Regular management reviews are a mandatory requirement in ISO 27001 to ensure the ISMS remains effective, aligned with business objectives, and continuously improving.

These reviews, typically conducted annually or semi-annually, involve top management evaluating key aspects of the ISMS, such as:

  • Security risks and incidents: Reviewing risk management and treatment results, reported incidents and lessons learned.
  • Audit results: Evaluating findings from internal and external audits.
  • Policy effectiveness: Assessing whether ISMS policies and controls are achieving objectives.
  • Stakeholder feedback: Reviewing feedback on security aspects highlighted by stakeholders (e.g. customers, owners, partners) and possible trends in it.
  • Opportunities for improvement: Identifying the most important areas where security measures should be enhanced.

Well-done management reviews demonstrate top management commitment to information security and help the ISMS team in decision-making for security investments and prioritizing improvement ideas.

Before your first ISO 27001 certification audit, you'll need to be able to demonstrate you have a process for conducting management reviews and present the results of at least one management review.

12. Perform an ISO 27001 internal audit

Information security audits are systematic evaluations of an organization's information security.

An ISO 27001 internal audit specifically should be used to verify that you can prove your compliance with the requirements of the standard. Audits verify that the defined policies and controls are adequate and that the organization really operates according to its ISMS.

In an ISO 27001 internal audit, the auditing is usually carried out by competent employees you choose for the task. You can also buy these services from external partners.

To be certification-ready, you'll need to:

  • have a clear procedure document available which you follow in carrying out the audits
  • have results available of at least one internal audit

By having these, you're showing that you can carry out audits and get meaningful results out of them. Later on, audits will play an increasingly important role in ensuring continuous improvement, fixing non-conformities and increasing your information security maturity.

13. Go through an external audit of ISMS to obtain ISO 27001 certification

The external ISO 27001 certification audit is the step that validates that your ISMS complies with ISO 27001. This audit is conducted by an accredited third-party certification body.

The auditor will ask you for more details, inspect evidence, conduct personnel interviews and otherwise assess whether the defined security measures are appropriate and being followed in daily operations. The external audit takes from a few days to a few weeks, depending on your organization's size.

The auditor may spot non-conformities during the audit, which always refer to specific sections of the standard that aren't being complied with. You fix the non-conformities with corrective actions, either immediately (major non-conformities) or within a given timeframe (minor non-conformities).

As the end result of a successful ISO 27001 certification audit, you'll then receive a certificate.

We've written in detail about the ISO 27001 certification audit process in a separate article.

14. Plan for running the ISMS and upcoming internal and surveillance audits

Achieving the ISO 27001 certification is a great step. But in the sense of your overall information security, it's still the beginning. You must maintain your ISMS properly and keep continuously improving it.

Here are some key steps for ensuring your ISMS keeps compliant and improving:

  • Monitor and update the ISMS regularly: Create a rhythm for keeping your ISMS fresh. Without maintenance the ISMS grows outdated through technological changes in your environment, changes in how certain policies are implemented, or other errors and changes. This can be driven mostly e.g. through monthly ISMS team meetings and automated reminders.
  • Prioritize and implement security improvements: Encourage employee feedback on security improvements. Keep security aligned with business objectives and emerging threats. Adopt new security best practices and innovations to strengthen ISMS maturity.
  • Do risk management continuously.
  • Conduct regular internal audits and management reviews: fix non-conformities, etc.
  • Monitor incidents and treat the ones that occur: take corrective actions.

An ISMS app can help you ensure you’re always ISO 27001 compliant. These tools provide ongoing monitoring to notify you anytime your organization falls out of compliance.

See how Cyberday can ease your ISO 27001 implementation by starting a free trial or requesting a demo.
