The ISO 27001 compliance checklist: 18 steps to plan, implement, and get certified

by SecureSlate Team in ISO 27001

ISO 27001 is a globally recognized standard for building an Information Security Management System (ISMS). If you’re pursuing certification, the fastest way to reduce rework is to treat implementation like a real project: define scope, assign owners, document decisions, and set a cadence for review and improvement.

This checklist walks through the core steps most teams follow—from roadmap and scoping to risk assessment, Annex A controls, and the external audit.

Key takeaways

  • Start with scope and ownership: the most common ISO 27001 delays are unclear boundaries and unclear accountability.
  • Risk drives controls: your risk assessment + risk treatment plan should directly inform your Annex A selections.
  • Your Statement of Applicability is the “control contract”: it explains what you implemented and why (or why not).
  • Internal audits and management reviews are not formalities: they’re your chance to find gaps before an external auditor does.
  • Automation helps sustainability: the win is not just “passing the audit,” it’s keeping evidence and control health continuous.

The ISO 27001 compliance checklist (18 steps)

1. Develop a roadmap for your ISMS implementation and ISO 27001 certification

  • Implement a Plan, Do, Check, Act (PDCA) process to recognize challenges and identify gaps for remediation.
  • Consider the costs of ISO 27001 certification relative to your organization’s size and number of employees.
  • Use project planning tools like project management software, Gantt charts, or Kanban boards.
  • Define the scope of work from planning to completion (and the definition of “done” for each milestone).

2. Determine the scope of your organization’s ISMS

  • Decide which business areas are covered by your ISMS and which are out of scope.
  • Consider additional security controls for processes that require ISMS-protected information to cross a trust boundary.
  • Communicate the scope of your ISMS to stakeholders (security, IT, engineering, leadership, and affected business teams).

3. Establish an ISMS team and assign roles

  • Select engineers and technical staff with information security experience to implement the controls you need.
  • Build a governance team with management oversight.
  • Incorporate senior leadership and assign responsibility for strategy and resource allocation.
  • If you have a large team, consider a dedicated project manager to keep execution moving.
  • Align the team on:
    • The planning steps you’ve already taken
    • The scope of the ISMS
    • Ownership for each major workstream (risk, policies, controls, evidence, audit prep)

4. Conduct an inventory of information assets

  • Consider all assets where information is stored, processed, and accessible.
  • Record:
    • Information assets: data and people
    • Physical assets: laptops, servers, facilities
    • Intangible assets: IP, brand, reputation
  • Assign each asset a classification and an owner responsible for ensuring it is inventoried, protected, and handled appropriately.
  • Review the inventory with your team to ensure shared understanding.

5. Perform a risk assessment

  • Establish and document a risk-management framework to ensure consistent scoring.
  • Identify scenarios in which information, systems, or services could be compromised.
  • Determine likelihood/frequency and evaluate potential impact to confidentiality, integrity, and availability.
  • Rank scenarios based on overall risk to the organization’s objectives.

6. Develop a risk register

  • Record and manage the risks identified during the risk assessment.
  • For each risk, summarize:
    • The scenario and affected assets
    • Impact and likelihood
    • Current controls (if any)
    • Residual risk (after controls)
  • Rank risks based on overall risk to the organization’s objectives.

7. Document a risk treatment plan

  • Design a response for each risk (the risk treatment).
  • Assign an owner to each risk and each mitigation activity.
  • Establish target timelines and track progress for each treatment task.

8. Complete the Statement of Applicability

  • Review the controls listed in Annex A.
  • Select controls relevant to the risks you identified.
  • Complete your Statement of Applicability (SoA):
    • List all Annex A controls
    • Justify inclusion or exclusion
    • Connect selected controls back to risks and treatments

9. Implement ISMS policies, controls, and continuously assess risk

  • Assign owners to each security control to be implemented.
  • Track progress and evidence for each control (who, what, when, and proof).
  • Establish, implement, maintain, and continually improve the ISMS.
  • Include documentation (or references) for:
    • Information security objectives
    • Leadership and commitment
    • Roles, responsibilities, and authorities
    • Approach to assessing and treating risk
    • Control of documented information
    • Communication
    • Internal audit
    • Management review
    • Corrective action and continual improvement
    • Policy violations
    • The Annex A controls you’ve selected

10. Establish employee training and awareness programs

  • Define expectations for personnel regarding their role in ISMS maintenance.
  • Train personnel on common threats and response procedures.
  • Establish disciplinary/sanctions processes for repeated violations of security requirements.
  • Make security training part of onboarding.
  • Conduct regular training to cover new policies, tools, and threats.

11. Conduct regular management reviews

  • Plan reviews at least annually; consider quarterly reviews if infrastructure changes frequently.
  • Ensure the ISMS and its objectives continue to be effective.
  • Keep senior management informed and engaged.
  • Ensure risks or deficiencies can be addressed promptly.

12. Assemble ISO 27001 required documents

  • Review the ISO 27001 required documents and records list.
  • Customize policy templates with organization-specific processes and language.
  • Ensure documents are controlled (versioned, approved, and accessible to the right people).

13. Perform an ISO 27001 internal audit

  • Examine each Annex A requirement you marked applicable in the SoA and verify it’s implemented.
  • Use internal auditors who were not responsible for building the ISMS, or hire an independent party.
  • Share results (including nonconformities) with ISMS owners and senior management.
  • Address issues before the external audit.

14. Undergo an external audit to obtain ISO 27001 certification

  • Select an independent ISO 27001 auditor (certification body).
  • Complete Stage 1 (documentation review) and incorporate feedback.
  • Complete Stage 2 (implementation effectiveness testing) to validate ongoing operation of controls.

15. Address any nonconformities

  • Ensure requirements of ISO 27001 are fully addressed.
  • Verify you’re following the documented processes you defined.
  • Ensure contractual requirements with third parties are upheld.
  • Remediate nonconformities identified by the auditor and collect corrective action evidence.

16. Plan for subsequent ISO 27001 audits and surveillance audits

  • Prepare for a full recertification audit once every three years.
  • Prepare for surveillance audits in years two and three of the certification cycle.

17. Consider streamlining ISO 27001 certification with automation

  • Explore tools that reduce manual evidence collection and increase consistency.
  • Transform point-in-time evidence into continuous monitoring where feasible.
  • Identify and close gaps quickly with clear ownership and deadlines.

Streamline ISO 27001 readiness with SecureSlate

ISO 27001 gets significantly easier when you can connect controls → owners → evidence → remediation in one place.

SecureSlate helps teams:

  • Build and map controls so Annex A coverage is clear and auditable
  • Assign owners and due dates for each control and remediation task
  • Centralize evidence for faster internal audits and external audit requests
  • Keep readiness continuous, reducing the “audit scramble” pattern



FAQ

How long does ISO 27001 certification take?

It depends on your scope, current maturity, and resourcing. Many teams plan implementation in phases and then schedule Stage 1 and Stage 2 once policies, controls, and evidence are operating consistently.

What is the Statement of Applicability (SoA)?

The SoA lists all Annex A controls and explains which are included in your ISMS (and why), and which are excluded (and why). It’s one of the most important artifacts auditors will review.

Can we scope ISO 27001 to one product or business unit?

Yes. Many organizations start with a scoped ISMS (for example, one product or one environment) and expand over time—so long as scope is defined, communicated, and consistently operated.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
