What's Inside

The number of companies that achieve ISO 27001 certification each year is growing as businesses expand to different global markets. However, ISO 27001 comes with its own set of challenges for teams trying to achieve certification for the first time. 

To help get you started, we put together this high-level ISO 27001 checklist covering the main milestones on the way to compliance.

Why ISO 27001?

Before you jump into the process of getting certified, you should understand the “why” behind it. According to the International Organization for Standardization, ISO 27001 enables organizations of any kind to manage the security of assets like financial information, intellectual property, employee details, or information entrusted by third parties.

It builds trust with clients and can protect you from information loss. And in a time when cybersecurity threats are always growing and changing, having this level of credibility can be a great business investment.

ISO 27001 Compliance Checklist

Download our ISO 27001 compliance checklist PDF to help guide you through your ISO 27001 implementation journey. 

8 Critical Steps to ISO 27001 Compliance

Need more information on how to become ISO 27001 compliant? Below, we go into more detail about each of the steps outlined in our checklist. 

1. Develop an Implementation Team and Project Plan

An Information Security Management System (ISMS) defines the overall structure  of how your organization will handle information security matters. You’ll need a team of people to implement the ISMS, including members from various areas of the organization. In smaller organizations, individuals may need to fill multiple roles.

This team may include:

• A project manager

• Representatives involved in the development and implementation of the ISMS (e.g., information security)

• Representatives from technical groups (e.g., network engineers) 

You will also need to involve appropriate members of the leadership team, as ISO 27001 requires formal involvement from top management when it comes to enforcing and monitoring the ISMS.

At this stage, also consider the time it will take to involve these team members in the process and how it will impact your business. This is an important task that requires attention, so you may find that timelines for other projects and priorities will shift.

2. Understand ISO 27001 Requirements

At its core, ISO 27001 requires you to have information security risk management practices, a process for evaluating your efforts, and a way to show improvement for any areas of risk that you identify. This may seem simple, but there are layers beneath these basic requirements.

There are a lot of different clauses you need to meet for certification, which can be overwhelming, but looking at each clause individually can make this process more manageable. There are several clauses, plus Annex A. If you need more detail about each of them, read our ISO 27001 beginner’s guide.

3. Find Your Security Baseline

Before you can make any meaningful changes, you need to understand the state of security in your organization. This requires you to look at three different elements:

• What is currently working, and what processes do you already have in place that will support your certification?  

• What’s not working? Are there any gaps you’re aware of that create security risks?

• Where are you unsure about the state of your security practices?

This is a great opportunity for collaboration between team members, as they’re likely to have valuable insight. Involve them during this step in the process and get their input before taking additional steps. 

4. Define the ISMS Scope 

The scope of your ISMS will determine what you are protecting and what you need to focus on. It should be defined in terms of your organization’s business functions, information processing systems, and information processing environments because the threat environment may vary across these areas. A great way to begin defining your scope is to put yourself in your customer’s shoes and consider what products or services they would expect to be in scope. 

For example, if a pharmaceutical company has two manufacturing plants (one for drug A and one for drug B), then each plant should have a security program that aligns with its specific business needs—even though both plants belong under one umbrella organization.

The same goes for an insurer that uses two different systems to calculate premiums, or an online retailer with two different brands and websites. If a single ISMS covers all aspects without considering unique differences between them, then there may be gaps in protection.

While many components go into scope, there are two that require the most attention. The first is conducting a risk assessment. The second is the creation of your statement of applicability (SoA), which states which Annex A controls were determined to be necessary to treat those risks or apply to the organizations defined scope.

5. Create and Implement an ISMS Plan

Once you work out the scope, it’s time to create a plan document that clearly defines the responsibilities and authority structures within your ISMS. You should also document procedures and processes for handling various security incidents.

This is an important part of achieving certification, but it’s also critical for the organization overall. It ensures all employees have the same understanding of how to protect the company’s data from threats like hackers or malware.

Your ISMS should include policies for managing access control, confidentiality, integrity, and availability of information assets, as well as incident response.

One way you can do this is by following the Plan Do Check Act (PDCA) cycle:

• Plan: Establish the goals of your ISMS and the necessary processes to meet that goal. 

• Do: Implement your ISMS plan. 

• Check: Monitor and evaluate the effectiveness of your security measures. 

• Act: Make continuous improvements and evaluate your entire PDCA process to make necessary changes before you start the cycle again. 

6. Train Employees on Policies and Procedures

Next, you need to train employees on the policies and procedures related to your ISMS and incident response. Best practices also encourage regular information security training to increase employee awareness of common security vulnerabilities. 

7. Conduct an Internal Audit

After you complete all the other phases, it’s time to take a step back and determine whether they are effective. This process is known as an internal audit. 

Sort of like a dress rehearsal for the official audit, the internal audit is where you measure your new systems to ensure controls are working properly before an auditor reviews them. 

ISO 27001 requires the internal audit to be conducted by someone who is both independent and competent. As such, this can be conducted by an internal team or individual that has experience in security or auditing and was not part of setting up and documenting your ISMS. Another option is to bring in an independent external reviewer to lead the internal audit. 

Before you begin the internal audit, ask yourself these questions:

• Have you identified all aspects of security risk?

• Are you properly addressing these risks by implementing effective control measures?

• Is the implementation of these controls working as intended?

• Is your information security management system effectively addressing all aspects of security risk?

If you answered no to any of these questions, there’s a larger question that comes into play: What can you do to improve your efforts going forward? You may find that you need to take corrective action before you can move forward and involve an accredited ISO 27001 certification body.

8. Find an Accredited Auditor to Lead the ISO 27001 Certification Audit

Once you’ve addressed any problems identified in your internal audit, it’s time to seek out an accredited auditor to lead the official ISO 27001 Certification Audit. 

You can search for accredited ISO 27001 auditors online in the official ANSI National Accreditation Board (ANAB) accreditation directory. To find an ISO 27001-specific auditor, filter your search by ISO/IEC 27001, enter your location information, press "search," and you’ll receive a list of independent auditors near you. 

Once you’ve chosen an auditor, they will perform a Stage 1 audit, during which the auditor will review your ISO 27001 documentation and identify any gaps in compliance. 

After feedback from the Stage 1 audit is addressed, your auditor will conduct the Stage 2 audit. This audit will involve testing your controls to ensure they satisfy ISO 27001 requirements and are operating effectively. 

Helpful ISO 27001 Implementation Tips

While our ISO 27001 requirements checklist can help break down the various steps to ISO 27001 compliance, it’s still a fairly complex process. Below, we highlight a few implementation tips to streamline your process. 

• Achieve executive buy-in: Gaining executive buy-in early on in your compliance journey will ensure you have access to the necessary resources to successfully reach ISO 27001 compliance. 

• Document as you go: Make life easier on your team by compiling the necessary documentation of your policies and processes as you create them. 

• Seek out a compliance automation tool: Cut down on the time it takes to document and collect evidence by investing in an ISO 27001 compliance automation tool. Look for a software like Drata that allows you to continuously monitor controls, manage vendors, and keep track of your compliance readiness all in one easy-to-use tool. 

• Evaluate the scope over time: As your organization evolves, your ISMS scope may need to change as well. Conduct annual reviews to ensure all necessary systems are in scope. 

• Stay on top of ISO 27001 updates: Security frameworks frequently undergo updates to adapt to the changing world of security threats. ISO 27001 is no different. The most recent version of the standard was released in 2022 and has key differences from the 2013 version.

How Drata Can Help You Clear the Path to ISO 27001

ISO 27001 certification can help you create better business outcomes, but it can be daunting to take on. Use this ISO 27001 checklist to guide your way. 

If you want to reduce the complexity even further, Drata can streamline your journey to ISO 27001 certification and many other frameworks by eliminating hundreds of hours of manual work.