ISO 27001 Compliance Checklist:
How to Get Certified (2026)

Document which parts of your organization, systems, locations, and services are in scope. Scope can be the entire company or a defined subset — but it must honestly reflect where sensitive information lives. Auditors will verify your scope boundary is real.

Document who has a stake in your information security — customers, regulators, employees, suppliers — and what they require. This satisfies Clause 4.2 and shapes your ISMS objectives.

Assess your current state against every ISO 27001 requirement. Document what's in place, what's partial, and what's missing entirely. This gap list becomes your implementation roadmap and helps you estimate effort and timeline accurately.

Create an inventory of information assets within your scope — data, systems, people, processes, and physical assets. Asset ownership must be assigned. This is required by Annex A Control 5.9 and underpins your risk assessment.

Choose an accredited certification body (CB) early — their specific requirements and preferences vary. Confirming your scope and approach with the CB before you've built your ISMS avoids surprises at audit time. Get quotes from at least two CBs.

Document how you identify, analyze, and evaluate risks. ISO 27001 doesn't mandate a specific methodology — but you must have one, apply it consistently, and document it. Most organizations use a likelihood × impact matrix. Auditors will verify consistency of application.

For each asset, identify threats and vulnerabilities that could compromise confidentiality, integrity, or availability. Document the risk owner for each identified risk. This is the core of your ISO 27001 program — everything else flows from it.

Apply your methodology to score each risk. Determine your risk acceptance criteria — what level of residual risk is acceptable without further treatment. Document risks above your acceptance threshold for treatment.

For each unacceptable risk, document how you'll treat it: mitigate (implement a control), transfer (insurance, contract), avoid (stop the activity), or accept. Map each treatment to the relevant Annex A control. This document links your risks directly to your control selection.

The SoA lists all 93 Annex A controls and states whether each is applicable, why, and its implementation status. Controls you exclude must be justified. The SoA is one of the first documents auditors examine — it must align precisely with your risk assessment.

Risk owners must formally accept their residual risks. This demonstrates management engagement and satisfies Clause 6.1.3(e). Document the approval with names, dates, and the specific risks accepted.

A top-level policy signed by senior management stating the organization's commitment to information security, the ISMS objectives, and the framework for setting security objectives. Must be communicated to all staff and available to interested parties.

Detailed policies covering the controls in your SoA — access control, acceptable use, cryptography, supplier security, incident management, business continuity, and others as applicable. These must reflect your actual practices, not aspirational ones.

A formal document defining the boundaries and applicability of your ISMS — which locations, departments, systems, and services are included and excluded, and why.

Document information security roles — ISMS owner, risk owners, asset owners, and the information security function. Clause 5.3 requires these to be assigned and communicated. An org chart alone isn't sufficient.

A procedure describing how ISMS documents are created, reviewed, approved, version-controlled, distributed, and retired. Clause 7.5 requires documented information to be controlled — auditors check that your documents have version numbers, review dates, and approval records.

A documented procedure for planning and conducting internal audits of the ISMS. Must specify audit criteria, scope, frequency, methods, and how findings are reported. Internal audit results are required evidence for Stage 2.

A documented process for identifying nonconformities, determining root causes, implementing corrections, and verifying effectiveness. Required by Clause 10.1 and directly tested during audit when nonconformities are found.

Deploy and configure the technical and organizational controls you've committed to in your Statement of Applicability. Each control needs documented evidence of implementation — not just a policy saying you do it.

Clause 6.3 and Annex A 6.3 require staff to be aware of the information security policy, their contribution to ISMS effectiveness, and the consequences of non-conformance. Document training completion with dates and names.

Annex A Theme 5 includes controls for supplier relationships. Document your supplier inventory, security requirements in contracts, and a process for monitoring supplier compliance. All critical suppliers should have security clauses in their agreements.

Implement and document an information security incident management process covering detection, reporting, assessment, response, recovery, and lessons learned. Annex A 5.26–5.28. Evidence of at least one incident management exercise or real incident handled through the process is expected.

If availability is a concern for your scope, implement business continuity planning, backup procedures, and recovery testing. Document recovery time objectives and evidence of backup testing. Annex A 5.29–5.30.

Run your controls for a minimum of three months before your Stage 2 audit. Auditors will pull samples of access reviews, log monitoring, vulnerability scans, patch records, backup tests, and other control evidence. Evidence must be dated and attributable.

Perform at least one complete internal audit covering all clauses and in-scope Annex A controls before your Stage 2 audit. The auditor must be independent of the area being audited. Document the audit plan, findings, and any nonconformities raised.

Address every finding from the internal audit through your corrective action process — root cause analysis, corrective action, and effectiveness verification. Auditors will check that internal nonconformities were properly resolved, not just noted.

Clause 9.3 requires top management to review the ISMS at planned intervals. The review must cover audit results, risk assessment status, nonconformities, opportunities for improvement, and ISMS objectives. Minutes must be documented and retained.

If your scope, systems, or threat landscape changed materially during implementation, update your risk assessment to reflect the current state. Auditors compare your risk register to your actual environment — stale risk assessments are a common finding.

Typically remote, 1–2 days. The certification body auditor reviews your ISMS documentation — scope, risk assessment, SoA, policies, internal audit results, and management review minutes. The goal is to confirm your ISMS is designed correctly and Stage 2 can proceed. Minor issues at Stage 1 can be addressed before Stage 2.

Resolve any gaps or observations identified in Stage 1 before Stage 2. Common Stage 1 findings: SoA doesn't align with risk assessment, documented procedures don't match actual practice, management review minutes are too thin.

On-site (or remote for some CBs), 2–5 days depending on organization size. Auditors interview staff, observe processes, test controls, and pull evidence samples. They're verifying that your ISMS operates as documented. Prepare your team for interviews — everyone from developers to HR may be spoken to.

Major nonconformities must be resolved before certification is issued. Minor nonconformities and observations are typically addressed within an agreed timeframe post-certification. Have a clear corrective action process ready to respond quickly.

Once the CB is satisfied with your corrective actions, they issue your ISO 27001 certificate. It's valid for 3 years with annual surveillance audits. Add surveillance audit dates to your calendar immediately — missing a surveillance window can result in certificate suspension.