Overview
ISO 27001 is the most widely adopted international standard for information security management systems (ISMS). Certification shows customers, partners, and regulators that an accredited certification body has verified your ISMS against the standard's requirements; it attests to a functioning management system, not to the absence of vulnerabilities. This checklist covers the full implementation journey from initial scoping through the certification audit, based on the 2022 revision of the standard. It is written for organizations pursuing certification for the first time and for teams preparing for surveillance or recertification audits.
Implementation Phases
- Define the ISMS scope: the organizational units, locations, systems, and information covered, plus the interested parties and their requirements
- Conduct a risk assessment using a documented, repeatable method
- Select risk treatment options and the controls needed to implement them, then produce the Statement of Applicability
- Develop or update information security policies and procedures
- Implement the Annex A controls selected in the risk treatment plan
- Train staff on their ISMS roles and responsibilities
- Conduct internal audits and management reviews
- Address nonconformities and implement corrective actions
- Schedule and complete the Stage 1 (documentation readiness) and Stage 2 (implementation and effectiveness) certification audits
Annex A Control Categories (2022)
| Category | Control count | Examples |
|---|---|---|
| Organizational controls | 37 | Information security policies, threat intelligence, cloud service security |
| People controls | 8 | Screening, awareness training, remote working |
| Physical controls | 14 | Physical entry, equipment maintenance, secure disposal |
| Technological controls | 34 | Access rights, malware protection, logging, data masking, DLP |
Risk Assessment Approach
ISO 27001 does not prescribe a risk assessment methodology, but clause 6.1.2 requires one that produces consistent, valid, and comparable results each time it is repeated. The standard does not mandate an asset-based approach; scenario- or process-based methods are acceptable as long as they meet that consistency requirement. Most organizations use a likelihood-times-impact matrix on a 5x5 scoring grid. Identify risk scenarios (a threat acting on a vulnerability) for each in-scope asset or process, score each one, compare the score against your defined risk acceptance criteria, and decide whether to treat it with controls, transfer (share) it, accept it, or avoid the activity that creates it. Document a risk treatment plan for anything above your risk appetite threshold, with a named risk owner who approves the plan and the residual risk. The treatment plan drives the Statement of Applicability, which must list every Annex A control, state whether it is included or excluded, give the justification for that decision, and record whether the control is implemented.
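The following Python script is an added illustration of the workflow above, not part of the original checklist and not an ISO publication. It scores a constructed sample register on the 5x5 grid, runs the consistency checks an internal auditor would apply (above-appetite risks that are merely accepted, treated risks that name no control, references to controls outside the catalogue), and derives a Statement of Applicability in which every catalogue control is listed once, included or excluded, with a justification traceable to the risks it treats. The risk appetite of 9, the four treatment labels, and the six-control subset of Annex A are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed scoring scale for this example: 1 (rare / negligible) to 5 (almost certain / severe).
SCALE = range(1, 6)
# Assumed risk appetite: a score above this must be treated, transferred or avoided, not simply accepted.
RISK_APPETITE = 9
TREATMENTS = {"treat", "transfer", "accept", "avoid"}

# Subset of Annex A (2022) identifiers used by the sample register; titles abbreviated.
ANNEX_A_SAMPLE = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "6.3": "Information security awareness, education and training",
    "8.7": "Protection against malware",
    "8.11": "Data masking",
    "8.15": "Logging",
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    scenario: str          # threat acting on a vulnerability of the asset
    likelihood: int        # 1..5
    impact: int            # 1..5
    treatment: str         # one of TREATMENTS
    controls: tuple = ()   # Annex A ids relied on when treatment == "treat"

def score(risk: Risk) -> int:
    """Likelihood x impact on the 5x5 grid; rejects out-of-scale values so that
    scores stay comparable between assessors."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1-5")
    return risk.likelihood * risk.impact

def register_findings(register, appetite=RISK_APPETITE, catalogue=ANNEX_A_SAMPLE):
    """Consistency checks over the register. Returns (risk_id, problem) tuples;
    an empty list means every decision is coherent with the appetite and catalogue."""
    findings = []
    for r in register:
        if r.treatment not in TREATMENTS:
            findings.append((r.risk_id, f"unknown treatment option {r.treatment!r}"))
            continue
        if score(r) > appetite and r.treatment == "accept":
            findings.append((r.risk_id, f"score {score(r)} exceeds appetite {appetite} but is accepted"))
        if r.treatment == "treat" and not r.controls:
            findings.append((r.risk_id, "treated risk names no control"))
        for cid in r.controls:
            if cid not in catalogue:
                findings.append((r.risk_id, f"control {cid} is not in the catalogue"))
    return findings

def statement_of_applicability(register, catalogue=ANNEX_A_SAMPLE):
    """Every catalogue control appears exactly once, included or excluded, with a
    justification that points back to the risks it treats."""
    soa = {}
    for cid, title in catalogue.items():
        treats = sorted(r.risk_id for r in register if r.treatment == "treat" and cid in r.controls)
        soa[cid] = {
            "title": title,
            "applicable": bool(treats),
            "justification": f"treats {', '.join(treats)}" if treats
                             else "no in-scope risk requires this control",
        }
    return soa

# Constructed sample register for the example (not real assessment findings).
REGISTER = (
    Risk("R-01", "customer database", "credential stuffing against the admin portal", 4, 5, "treat", ("8.15", "5.7")),
    Risk("R-02", "staff laptops", "malware delivered by phishing attachment", 3, 4, "treat", ("8.7", "6.3")),
    Risk("R-03", "public website", "defacement via outdated CMS plugin", 3, 2, "accept"),
    Risk("R-04", "hosted CRM", "prolonged provider outage", 2, 5, "transfer"),
)

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} {r.asset:<18} score={score(r):>2} treatment={r.treatment}")
    print("findings:", register_findings(REGISTER))
    for cid, row in statement_of_applicability(REGISTER).items():
        state = "included" if row["applicable"] else "excluded"
        print(f"A.{cid:<5} {state:<8} {row['justification']}")
```

In the sample, 5.23 and 8.11 end up excluded with a recorded justification rather than silently missing, which is what an auditor reading the Statement of Applicability expects to see; R-04 sits above the appetite but is transferred, so it raises no finding, while an accepted risk with the same score would.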
Common Certification Obstacles
- Scope creep during implementation that expands the ISMS beyond what is manageable
- Incomplete risk assessments that do not cover all in-scope assets and processes
- Policies that exist on paper but are not followed in practice
- Insufficient evidence of management commitment and resource allocation
- Internal audits conducted by personnel who lack auditor training or independence
- Failure to demonstrate continuous improvement between surveillance audits
Maintaining Certification
Certification is not a one-time event. After the initial audit, your certification body conducts surveillance audits (typically annually) during the three-year certificate cycle and a full recertification audit before the certificate expires. Keep the risk register current and reassess when the scope, threat landscape, or business changes, not only on the calendar. The standard requires internal audits at planned intervals; in practice that means at least once a year, covering all ISMS clauses and a sample of Annex A controls, performed by people who did not implement what they are auditing. Hold management reviews where leadership examines ISMS performance, audit findings, nonconformities, and resource needs, and record the decisions taken. Treat certification as a living program rather than a project with a finish line.
Frequently Asked Questions
How long does ISO 27001 certification take?
Typically 9 to 14 months for a first-time certification, depending on organizational size and current maturity. This includes implementation, a period of operating the ISMS so that evidence such as logs, audit records, and management review minutes exists for the auditor to examine, internal audits, and the two-stage certification audit.
Do we need to implement all 93 Annex A controls?
No, but you must consider all of them. You implement the controls needed to treat your identified risks, and clause 6.1.3 requires you to compare the controls you determined against Annex A to check that nothing necessary has been left out. The Statement of Applicability lists every Annex A control, states whether it is included or excluded, gives the justification for each decision, and records whether each included control is implemented.
What is the difference between ISO 27001:2022 and the 2013 version?
The 2022 revision reorganized Annex A from 14 domains into 4 themes (organizational, people, physical, technological), consolidated the 114 controls into 93 by merging overlapping ones, and added 11 new controls: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Organizations certified against the 2013 edition must transition to the 2022 edition before the end of the transition period set by their certification body.
Can a small company get ISO 27001 certified?
Absolutely. ISO 27001 is scalable. Small organizations often have simpler scopes, fewer assets, and shorter implementation timelines. The standard accommodates organizations of all sizes.
How much does ISO 27001 certification cost?
Costs vary widely based on organization size and scope. Budget for consulting support, tooling, training, and certification body fees. A mid-size company should expect to invest between $50,000 and $200,000 for first-time certification including all associated costs.