ISO 27001 Certification: 10 Easy Steps

ISO 27001 is an ideal resource for organizations looking to bolster their cybersecurity practices and mitigate the risk of cyber attacks.

The information security standard specifies the requirements for an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all corporate data, including:

  • Intellectual property
  • Financial information
  • Personally identifiable information
  • Information managed by third parties

You can also certify your ISMS against ISO 27001. This demonstrates your commitment to data security and proves you’re following best practices. In turn, this can help you win new business, particularly larger and more lucrative contracts.

This blog explains how you can achieve ISO 27001 certification in ten easy steps.

1. Prepare

The obvious place to start is with the Standard itself. Become familiar with its requirements by purchasing a copy and reading through it.

IT Governance USA also has a free green paper that offers a complete overview of ISO 27001.

Secure senior management support

No project can be successful without the buy-in and support of the organization’s leadership.

Besides, information security requires a top-down approach. If employees can see management not taking security seriously, they’ll follow suit.

However, the opposite is true too: If staff can see that leadership does take security seriously, they will too.

Gap analysis

A gap analysis, comparing your existing measures against the requirements of ISO 27001, offers a good starting point for any implementation project.

Once you’ve identified your biggest gaps, you can put together a prioritized action plan.

2. Establish the scope, context, and objectives

Every ISO 27001 ISMS must establish its scope, context, and objectives.

Your ISMS scope can vary from the entire organization to specific business functions or sites.

The important thing is to take into account the context of your organization and its ISMS.


As you establish your ISMS context, consider:

  • Internal and external issues
  • Interested parties and their requirements

A common approach to determining internal and external issues is a PESTLE analysis:

  • Political – e.g. political tensions that can disrupt supply chains
  • Economic – e.g. the risk of a recession that affects your ability to procure appropriate equipment
  • Sociological – e.g. how people might perceive your use of data
  • Technological – e.g. AI developments, new malware, or outdated hardware/software
  • Legal – e.g. cybersecurity and privacy legislation
  • Environmental – e.g. climate change impact

As for interested parties, these can include:

  • Staff
  • Partners
  • Regulators


Your ISMS must meet two sets of requirements:

  1. The Standard’s
  2. Your information security or ISMS objectives

You must establish those security objectives, and plan how you’ll achieve them.

You must also document, communicate, and monitor them.

3. Establish a management framework

The management framework describes the processes you must follow to meet your objectives.

These processes include:

  • A schedule of activities
  • Asserting accountability of the ISMS
  • Regular auditing to support a cycle of continual improvement

Note that continual improvement is a core ISO 27001 requirement, reflecting the rapidly changing threat landscape. To remain secure, organizations must keep up with it and adjust their measures accordingly.

4. Conduct a risk assessment

Risk assessment is fundamental to the Standard – and any effective ISMS. After all, how can you treat your risks if you don’t know what they are?

That said, ISO 27001 doesn’t prescribe a specific risk assessment methodology. It simply expects you to “define and apply” an appropriate process.

This process must establish and maintain risk acceptance criteria, as well as criteria for performing information security risk assessments.

Plus, you must ensure those assessments produce “consistent, valid and comparable results.”

Leverage CyberComply for effortless risk assessment

Keen to reduce errors and improve completeness of your risk assessment process?

Looking to make risk assessments effortlessly repeatable? Look no further than CyberComply.

This SaaS platform simplifies compliance with a range of cybersecurity laws and standards, including ISO 27001.

It allows you to automate, review, and repeat risk assessments:

  • Reduce the time spent on risk assessments by up to 80%
  • Automate the creation of key documents for an ISMS
  • Take advantage of CyberComply’s built-in library of controls to treat risks

5. Implement controls to mitigate risks

After identifying your risks, you must decide how you’ll address them.

Broadly speaking, you have four options:

  1. Modify – implement a control
  2. Avoid – stop the source of the risk
  3. Share – through outsourcing, for example
  4. Retain – actively decide to accept the risk, and justify that decision

However you respond, make sure you document all decisions – with their justifications – as your auditor will be reviewing them during your certification audit.

You must also produce an SoA (Statement of Applicability) and risk treatment plan as evidence of your risk assessment.

6. Conduct training

Clauses 7.2 and 7.3 of ISO 27001 require “competence” and “awareness.”


The people who maintain your ISMS must have the right skills for the job.

Where those skills are lacking, you must take steps to acquire them. This can be done via “appropriate education, training, or experience.”

Certified training courses can help with this.


All staff and contractors must be aware of:

  • Your ISMS and its benefits
  • Your information security policy
  • The implications of not meeting ISMS requirements

ISO 27001 requirements aside, having vigilant staff will only help prevent data breaches and the damage that goes with them.

Rolling out staff awareness elearning is a cost-effective way of improving your security and meeting the Standard’s requirements.

7. Review and update the required documentation

The Standard repeatedly references “documented information.” This means that the documents required by ISO 27001 are subject to specific requirements:

  • Those stipulated in the Standard
  • Those necessary for the ISMS to be effective

The first is self-explanatory – where ISO 27001 specifically requires documented information, you must produce it. You should also expect an auditor to ask to see this vital evidence.

The second is up to your organization to decide. Only you can determine what additional documentation your ISMS needs, though bear in mind:

  • You’ll have to justify your decisions in an audit
  • You must produce core ISMS documents like the SoA and risk treatment plan

The Standard isn’t specific about the format. Word documents and spreadsheets work perfectly well in many cases. That said, other formats are available that can speed up the process.

8. Measure, monitor, and review

A core element of any ISMS is that you continually improve it.

Here’s the take of Alan Calder, an ISO 27001 pioneer, on the matter:

Continual improvement means getting better results for your investment. That typically means one of two things:

  1. Getting the same results while spending less money
  2. Getting better results while spending the same amount of money

In essence, you must look at your objectives and measure your performance against them. Then, ask yourself how well your ISMS is meeting them, and make changes – i.e. improvements – where it falls short.

Be aware that not every improvement needs to be expensive. Often, you shouldn’t be adding things, but taking things out – like cutting out an unnecessary step in a process, or automating some manual work.

9. Conduct an internal audit

To ensure you’re operating and maintaining your ISMS effectively, you must conduct regular internal audits.

These examine the ISMS to verify it’s meeting the ISO 27001 requirements, as well as its own objectives.

ISO 27000 defines an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”

Though ISO 27001 doesn’t explicitly require you to treat the audit process as documented information, the definition implies you should. Besides, audits are certainly ‘necessary for the effectiveness of the ISMS.’

ISO 27001 also requires you to develop an audit program. This must cover all requirements for the ISMS – so those of the Standard and any extra requirements.

Any reputable training course should cover in detail how to develop such a program and how to conduct the audits themselves.

10. Certification audits

A certification audit takes a similar approach to an internal audit, but is conducted by an independent registrar accredited by its national accreditation body.

(Here is a list of accredited certification bodies for ISO 27001 in the US.)

The auditor will look for evidence that the ISMS is implemented, functional, and operating effectively. This will likely involve reviewing evidence like:

  • Internal audit reports
  • Policies and procedures
  • Information security controls
  • Monitoring and measurement results
  • The information security objectives and policy

Certification is usually a two-stage process.

The initial audit focuses on whether you have implemented the ISMS correctly and in line with the Standard.

Don’t worry if the auditor discovers nonconformities at this stage – this is common, and the auditor will use them as an opportunity to help you better understand the ISO 27001 requirements and how to apply them.

After the first audit, you’ll have a clear idea of where you’re meeting requirements and where you’re falling short. You can then develop an action plan to implement any necessary changes in preparation for the certification audit.

The certification audit follows a similar process to the initial audit. That said, you should begin the certification audit confident that your ISMS has no major nonconformities.

You can usually resolve any minor issues noted through your corrective action procedures. However, any major nonconformities identified will likely result in the certification body refusing to issue certification until you’ve resolved those issues to the auditor’s satisfaction.

How long will it take to get certified?

The ISO 27001 implementation process will depend on the size and complexity of the ISMS. The time frame also depends on the amount of resource the organization dedicates to the project.

In many cases, small to mid-sized organizations can expect to complete the process within 6–12 months. This can, however, be brought down to 3 months with our ISO 27001 FastTrack™ 20 package for small organizations.

We originally published a version of this blog in March 2019.
