ISO 27001
ISO 27001 Certification Checklist (2026): 12 Steps to Certified
June 24, 2026 · 9 min read
Everything you need to take an organization from zero to ISO 27001 certified — as a checklist you can actually work through.
ISO/IEC 27001 certification proves your Information Security Management System (ISMS) meets an international standard. The path is well defined, but the documentation and evidence burden is where most teams stall. This checklist walks the full journey in 12 steps — and shows where the work can be automated.
The 12-step ISO 27001 certification checklist
1. Secure leadership buy-in and assign an owner
Clause 5 requires top-management commitment. Name an ISMS owner (often a CISO, security lead, or vCISO), agree a budget and target certification date, and document the information security policy that leadership signs off.
2. Define your ISMS scope
Decide which products, teams, locations, and systems the ISMS covers. A tight, defensible scope keeps the audit manageable. Document scope boundaries and any exclusions with justification.
3. Run a risk assessment
Identify assets, threats, and vulnerabilities, then score likelihood and impact. Clause 6 requires a repeatable methodology. A ready-made ISO 27001 risk assessment template gives you a scoring matrix and Annex A mapping to start from.
4. Build a risk treatment plan
For each risk, choose to treat, tolerate, transfer, or terminate. Map treatments to Annex A controls and record residual risk after treatment.
5. Select Annex A controls
ISO 27001:2022 has 93 Annex A controls across four themes (Organizational, People, Physical, Technological). Decide which apply based on your risk treatment plan.
6. Write the Statement of Applicability (SoA)
The SoA is the cornerstone audit document. It lists all 93 controls, marks each applicable or excluded, justifies the decision, and records implementation status. Auditors review it first.
7. Implement controls and policies
Stand up the required policies (access control, cryptography, incident response, supplier security, and more) and the technical controls behind them — MFA, logging, encryption, vulnerability management.
8. Collect evidence
Auditors want proof controls operate over time, not just on paper. This is the most time-consuming step manually. ISO 27001 compliance automation harvests evidence continuously from AWS, GitHub, and Jira so there is no audit-season scramble.
9. Train your people and run awareness
Security awareness training, acceptable-use acknowledgements, and role-based training satisfy the People controls and reduce your largest risk surface.
10. Run an internal audit
Clause 9.2 requires an internal audit before certification. Find and fix nonconformities now, while they are cheap to close.
11. Hold a management review
Leadership reviews ISMS performance, audit results, and risks (Clause 9.3), and records decisions and actions.
12. Stage 1 and Stage 2 certification audits
A certification body reviews your documentation (Stage 1), then tests that controls operate in practice (Stage 2). Close any findings and you are certified for three years, with annual surveillance audits.
How long does ISO 27001 certification take?
Manually, most organizations take 6–12 months. With ISO 27001 compliance automation — pre-built Annex A controls, automated evidence, and a generated SoA — teams reach audit-ready in weeks. See the cost breakdown and, if you are weighing frameworks, ISO 27001 vs SOC 2.
Automate the checklist end-to-end
See ISO 27001 automation →Frequently asked questions
- What are the main steps to ISO 27001 certification?
- Secure leadership buy-in, define ISMS scope, run a risk assessment and treatment plan, select Annex A controls, write the Statement of Applicability, implement controls and policies, collect evidence, train staff, run an internal audit and management review, then pass Stage 1 and Stage 2 certification audits.
- How many controls are in ISO 27001:2022?
- ISO 27001:2022 has 93 Annex A controls across four themes: Organizational, People, Physical, and Technological. The 2013 version had 114 controls across 14 domains.
- How long does ISO 27001 certification take?
- Typically 6–12 months manually. With compliance automation that pre-builds controls, harvests evidence continuously, and generates the Statement of Applicability, organizations can reach audit-ready in weeks.