ISO 27001 Checklist: 12 Easy Steps to Get Started
Even if you understand why you should be certified, you may not know how to get started. Consider this post your ISO 27001 checklist.
The number of companies that achieve ISO 27001 certification each year is growing as businesses expand to different global markets. However, ISO 27001 comes with its own set of challenges for teams trying to achieve certification for the first time.
To help get you started, we put together this high-level ISO 27001 checklist covering the main milestones on the way to compliance.
ISO 27001 is an internationally recognized standard for establishing, implementing, and maintaining an Information Security Management System (ISMS). It provides a framework to help organizations protect sensitive information and reduce the risk of security breaches.
Before you jump into the process of getting certified, you should know why you’re doing it.
Here are three important benefits of getting an ISO 27001 certification:
According to the International Organization for Standardization, ISO 27001 allows companies to manage the security of assets like financial information, intellectual property, employee details, or information entrusted by third parties.
The certification means you approach IT security risk management systematically, minimizing the risk of bad actors exploiting undetected security weaknesses and gaining access to your systems.
ISO 27001 is a globally recognized certification that shows customers you take information security seriously. The certification reassures customers they’re working with a trustworthy organization.
Many industries, especially those handling large volumes of personal or financial data, now expect vendors to have strong security practices. When competing for contracts, an ISO 27001 certification can be a key differentiator and help you beat your competitors.
An ISO 27001 certification builds a strong foundation for information and data security, making it easier for companies to align with SOC 2 and GDPR requirements.
Let’s start with SOC 2. It focuses on five trust service criteria:
Security
Availability
Processing integrity
Confidentiality
Privacy
ISO 27001 covers similar areas—it requires you to implement and maintain an ISMS. Once you meet ISO 27001 standards, it’s usually easier to fulfill SOC 2 requirements.
GDPR focuses on ensuring the privacy and protection of personal data. It covers the following key areas:
Data minimization
Lawful basis for processing personal data
Transparent data handling policies
Rights of individuals, including access and deletion requests
Mandatory breach reporting within strict timeframes
Preparing for an ISO 27001 certification helps you establish the necessary processes and controls to meet GDPR’s strict requirements.
Download our ISO 27001 compliance checklist PDF to help guide you through your ISO 27001 implementation journey.
Need more information on how to become ISO 27001 compliant? Below, we go into more detail about each of the steps outlined in our ISO 27001 compliance checklist.
An Information Security Management System defines the overall structure of how your organization will handle information security matters.
You’ll need a team of people to implement the ISMS, including members from various areas of the organization. In smaller organizations, individuals may need to fill multiple roles.
This team may include:
A project manager
Representatives involved in the development and implementation of the ISMS (e.g., information security)
Representatives from technical groups (e.g., network engineers)
You will also need to involve appropriate members of the leadership team, as ISO 27001 requires formal involvement from top management when it comes to enforcing and monitoring the ISMS.
At this stage, also consider the time it will take to involve these team members in the process and how it will impact your business. This is an important task that requires attention, so you may find that timelines for other projects and priorities will shift.
There are 10 ISO 27001 clauses (core certification requirements). Clauses 0 through 3 cover the introduction, scope, normative references, and terms and definitions related to the certification.
You’ll find mandatory requirements in clauses 4 through 10:
Clause 4: Context of the Organization – Defines the internal and external factors that affect the ISMS and identifies stakeholders' needs.
Clause 5: Leadership – Requires top management to demonstrate commitment to the ISMS by establishing policies, roles, and responsibilities.
Clause 6: Planning – Involves identifying risks and opportunities, and setting information security objectives.
Clause 7: Support – Covers the resources, training, communication, and documentation needed to support the ISMS.
Clause 8: Operation – Focuses on implementing and managing processes to mitigate information security risks.
Clause 9: Performance Evaluation – Requires monitoring and evaluating the ISMS’s performance through audits and reviews.
Clause 10: Improvement – Involves taking actions to improve the ISMS on an ongoing basis.
Non-mandatory requirements are listed in Annex A. It contains 93 security controls for risk mitigation, organized into four control themes: people, organizational, physical, and technological.
Although these controls aren’t mandatory, you do need to identify which ones are necessary for your organization. (We’ll cover this in step 9.)
A gap analysis maps your existing security controls against ISO 27001 to help you understand the state of security in your organization. Specifically, the analysis will highlight areas where your current policies, processes, or systems align with the standard and where they fall short.
Answer the following questions to get started:
What is currently working, and what processes do you already have in place that will support your certification?
What’s not working? Are there any gaps you’re aware of that create security risks?
Where are you unsure about the state of your security practices?
Once you identify missing or outdated information security policies, inadequate procedures, or system weaknesses, document these gaps to create a clear picture of your security controls, and then prioritize them based on risk and their importance to compliance.
This is a great opportunity for collaboration between team members—employees in different departments can alert you to any risks you might’ve overlooked.
The scope of your ISMS will determine what you are protecting and what you need to focus on.
Start by assessing and documenting your assets, data flows, and locations.
Identify critical information assets such as customer data, intellectual property, and financial records. Map out how this data moves through your systems, including storage and processing. Document the locations where you store the data, whether that’s on-premises, in the cloud, or a combination of the two.
Next, define any exclusions and justify them. For example, a specific department might be out of scope if they don’t handle sensitive information.
If this seems confusing, try to define your scope by putting yourself in your customer’s shoes. Consider what products or services they would expect to be in scope.
For example, suppose a pharmaceutical company has two manufacturing plants (one for drug A and one for drug B). In that case, each plant should have a security program that aligns with its specific business needs—even though both plants belong under one umbrella organization.
The same goes for an insurer that uses two different systems to calculate premiums or an online retailer with two different brands and websites. If a single ISMS covers all aspects without considering unique differences between them, then there may be gaps in protection.
How do you find security vulnerabilities that are threatening your organization right now? By doing a risk assessment.
First, list all of your assets, such as data, hardware, software, and personnel. Then identify potential threats to each asset, such as cyberattacks, human error, or physical damage.
Consider the kind of vulnerabilities threat actors could exploit, as well as the impact on your organization if they’re successful.
Assign a risk level to each threat that factors in both its likelihood and potential impact.
A risk treatment plan outlines how you’ll manage identified risks.
It typically includes a list of risks, treatment methods, responsible personnel, deadlines for treating risks, and resource requirements. The benefits of this type of plan are clear—you’ll address risks systematically, align the organization with ISO 27001 requirements, and strengthen your overall security posture.
ISO 27001 allows you to treat risks using one or a combination of these four approaches:
Mitigate by implementing controls to reduce the risk’s impact or likelihood
Avoid by changing processes or systems to eliminate the risk
Accept by identifying low-level risks where the cost of mitigation outweighs the potential impact
Transfer by placing the risk on an insurance provider or another third party
The right approach depends on the nature of the risk, its potential impact, and your resources. For example, a company might mitigate risks tied to sensitive data but accept minor risks related to non-critical systems.
When assigning responsibilities, look to roles like IT managers or information security officers. They are well-positioned to oversee controls and ensure they’re implemented properly.
Set deadlines for implementing risk treatments and allocate sufficient resources—both human and technological—to meet compliance requirements.
Note that your risk treatment plan should align with the controls in Annex A of ISO 27001. This means you need to determine and document the controls that apply to each asset. For example, Section 6 of Annex A is related to people, including their incident reporting responsibilities. We’ll cover Annex A further in step 9.
An ISMS plan document clearly defines the responsibilities and authority structures within your ISMS. It documents procedures and processes for handling various security incidents, so all employees understand how to protect the company’s data from threats like hackers or malware.
Your ISMS should include policies for:
Access control to prevent unauthorized personnel from gaining access to your data.
Incident management so all personnel know what to do in the event of an information security breach, which will minimize damage.
Disaster recovery to define how you’ll respond to events that disrupt your business functions.
One way you can create and implement these policies is by following the Plan-Do-Check-Act (PDCA) cycle:
Plan: Establish the goals of your ISMS and the processes necessary to meet those goals.
Do: Implement your ISMS plan.
Check: Monitor and evaluate the effectiveness of your security measures.
Act: Make continuous improvements and evaluate your entire PDCA process to make necessary changes before you start the cycle again.
Next, you need to train employees on the policies and procedures related to your ISMS and incident response.
This includes teaching them how to handle sensitive data, report security incidents, and follow access control protocols. Training should occur regularly (at least annually) and can take place online, in person, or through a hybrid approach.
Tailor training to each department so employees receive information that’s most relevant to their roles.
For example, customer support teams can focus on handling sensitive customer data, while IT teams might receive advanced training on access management and incident response. To make sessions engaging, include real-world examples, role-specific scenarios, and interactive exercises.
A statement of applicability (SoA) states which Annex A controls you determined necessary to treat information security risks and the ones you excluded.
For example, a car manufacturer with multiple factories will need to add physical access control to their SoA.
The SoA also needs to state the implementation status of Annex A controls and explain how you’re implementing them in your company. In addition, the document has to clarify why you included or excluded specific controls.
When completed, the SoA will simplify audits because it clearly outlines your security program, allowing auditors to verify security measures easily.
Remember to update the SoA annually, especially if there have been major changes in your tech stack, business operations, or regulatory requirements.
After you complete all the other phases, it’s time to take a step back and determine whether they are effective. This process is known as an internal audit.
Think of it as a dress rehearsal for the official audit. The internal audit is a mandatory step where you measure your new systems to ensure controls are working properly before an accredited auditor reviews them.
ISO 27001 requires the person conducting the internal audit to be both independent and competent.
You can assign audit responsibilities to:
An internal team or individual with security and auditing experience, as long as they didn’t participate in the ISMS setup and documentation.
An independent external consultant.
After the internal audit is complete, the auditor will compile their findings, document any non-conformities, and issue corrective actions. Then you can improve your ISMS based on the audit report in preparation for the external audit.
Once you’ve addressed any problems identified in your internal audit, it’s time to seek out an accredited auditor to lead the official ISO 27001 Certification Audit.
You can search for accredited ISO 27001 auditors online in the official ANSI National Accreditation Board (ANAB) accreditation directory. To find an ISO 27001-specific auditor, filter your search by ISO/IEC 27001, enter your location information, press "search," and you’ll receive a list of independent auditors near you.
Once you’ve chosen an auditor, they will perform a Stage 1 audit, during which the auditor will review your ISO 27001 documentation and identify any gaps in compliance.
After feedback from the Stage 1 audit is addressed, your auditor will conduct the Stage 2 audit. This audit will involve testing your controls to ensure they satisfy ISO 27001 requirements and are operating effectively.
The work isn’t done once you get certified. To maintain ISO 27001 compliance, you need to keep monitoring and regularly update your ISMS.
Implement systems that provide 24/7 monitoring of critical controls (such as user access management) to detect and respond to security incidents ASAP.
For example, a Security Information and Event Management (SIEM) system tracks and analyzes security events across your network, flags suspicious activity, and allows you to take immediate action.
All of your ISMS policies, processes, and controls also require ongoing management reviews at least once a year.
Consider using an automation tool to simplify ongoing compliance. For example, Drata’s ISO 27001 solution offers continuous control monitoring to reduce manual workload and provide a clear overview of your security posture.
The ISO 27001 certification process is time-consuming, challenging, and affects the entire organization—it requires full support from leadership.
However, even with leadership buy-in, some challenges frequently come up:
Many organizations struggle with limited internal expertise in managing ISO 27001 requirements.
To implement an ISMS, you must understand complex standards, conduct risk assessments, and apply the correct controls. Without experienced personnel, it’s hard to even know where to start.
As a solution, companies hire external consultants or use compliance platforms like Drata, which guide teams through the process and provide expert support to fill knowledge gaps.
ISO 27001 compliance requires significant time and effort from various departments, including IT, HR, and legal.
Organizations with limited resources could struggle to balance ongoing business operations with compliance efforts. For example, conducting risk assessments can be time-consuming and leave little space for employees’ everyday work.
Address this challenge by prioritizing tasks based on risk and impact. A project management tool can help you track responsibilities and manage deadlines. Additionally, compliance platforms like Drata reduce the manual work needed to create an asset inventory, implement security training, and more.
Inadequate or incomplete documentation is a common obstacle to getting certified. During an internal audit, for example, you might discover some documents are missing.
A document management system helps you store all records in one place so you can handle any documentation gaps well before an audit.
While our ISO 27001 requirements checklist can help break down the various steps to ISO 27001 compliance, it’s still a fairly complex process. Below, we highlight a few implementation tips to streamline your process.
Achieve executive buy-in: Gaining executive buy-in early on in your compliance journey will ensure you have access to the necessary resources to successfully reach ISO 27001 compliance.
Document as you go: Make life easier on your team by compiling the necessary documentation of your policies and processes as you create them.
Seek out a compliance automation tool: Cut down on the time it takes to document and collect evidence by investing in an ISO 27001 compliance automation tool. Look for software like Drata that allows you to continuously monitor controls, manage vendors, and keep track of your compliance readiness all in one easy-to-use tool.
Evaluate the scope over time: As your organization evolves, your ISMS scope may need to change as well. Conduct annual reviews to ensure all necessary systems are in scope.
Stay on top of ISO 27001 updates: Security frameworks frequently undergo updates to adapt to the changing world of security threats. ISO 27001 is no different. The most recent version of the standard was released in 2022 and has key differences from the 2013 version.
ISO 27001 certification can help you create better business outcomes, but it can be daunting to take on. Use this ISO 27001 checklist to guide your way.
If you want to reduce the complexity even further, Drata can streamline your journey to ISO 27001 certification and many other frameworks by eliminating hundreds of hours of manual work.
Still have lingering questions about ISO 27001 compliance? Below we answer some of the most common queries.
ISO 27001 compliance can take anywhere from 3 to 12 months. It depends on your organization’s size, complexity, and existing security infrastructure.
Small companies with fewer processes complete it faster, while larger organizations typically need more time to document policies, implement controls, and train staff.
If you fail an ISO 27001 certification audit, you’ll get a report detailing the non-conformances and the time to correct them. You won’t be certified until these issues are resolved and verified in a follow-up audit.
Common reasons for failing include insufficient documentation or incomplete implementation of controls.
ISO 27001 compliance costs vary based on your company’s size and use of external help.
A small company with under 50 employees will probably spend less than $15,000 on the initial certification cost. A large organization with over a hundred employees will pay a minimum of $20,000.
You should also plan for ongoing costs like internal audits to maintain your certification. These typically cost between $5,000 and $15,000 for a small- to medium-sized company.
ISO 27001 and SOC 2 both focus on information security but differ in scope and certification.
ISO 27001 is an international standard that requires organizations to build and maintain an ISMS. SOC 2 is a framework designed for service organizations that focuses on security, processing integrity, confidentiality, availability, and privacy.
Organizations can either pass or fail the ISO 27001 certification process, while SOC 2 results in a detailed report issued by an independent auditor.
SOC 2 is also more flexible. It lets companies choose controls and criteria that are relevant to them. ISO 27001 has required controls and specific standards that companies must meet.