The ISO 27001 Compliance Checklist: From Scoping to Certification
Nine phases covering ISMS design, Annex A control implementation, risk treatment, internal audits, and the Stage 1 & 2 certification process. Built for security and IT teams pursuing ISO 27001:2022 certification.
ISO 27001 is the international gold standard for information security management. Unlike compliance frameworks that focus on specific control checklists, ISO 27001 requires you to build and operate a complete Information Security Management System (ISMS) — a structured approach to identifying, assessing, and managing information security risks across your entire organization.
The 2022 revision modernized the standard with new controls for cloud security, threat intelligence, data masking, and secure development — reflecting how organizations actually build and deploy technology today. But the core principle remains unchanged: ISO 27001 is a risk-based framework where every decision, from which controls you implement to which you exclude, must be traceable to a documented risk assessment.
This guide walks you through the entire certification journey in nine phases — from defining your ISMS scope through the Stage 1 and Stage 2 audits to ongoing surveillance and continual improvement. Whether you are a 50-person startup pursuing your first certification or a multinational preparing for recertification under the 2022 revision, this checklist will keep you organized and help you avoid the mistakes that delay audits and drain resources.
The Audit Process
Stage 1 vs. Stage 2: How Certification Works
ISO 27001 certification involves a two-stage external audit conducted by an accredited certification body. Understanding the difference is essential for timeline planning.
Stage 1 (Documentation Review)
The Stage 1 audit is a readiness check. Your certification body reviews your ISMS documentation — scope, risk assessment methodology, Statement of Applicability, policies, and management commitment — to determine whether your organization is prepared for the Stage 2 assessment. Non-conformities found here must be resolved before Stage 2 can proceed.
Purpose: Confirming your organization has the foundational documentation, scope definition, and management commitment in place before the full assessment begins
Stage 2 (Implementation Assessment)
The Stage 2 audit is the full certification assessment. Auditors interview staff, observe processes, sample evidence, and test controls across every applicable Annex A domain. They evaluate whether your ISMS is not just documented but genuinely embedded in how the organization operates. This is where certification is earned or deferred.
Purpose: Demonstrating that the controls and processes documented in your ISMS are actually implemented, operating, and producing evidence of effectiveness
The Control Framework
Annex A: 93 Controls Across Four Domains
The 2022 revision reorganized Annex A into four thematic domains. Controls are selected based on your risk assessment — not applied uniformly.
Organizational Controls (A.5)
37 controls. Governance-level controls covering information security policies, roles and responsibilities, threat intelligence, supplier relationships, and cloud service management. These controls set the strategic direction for your entire security program.
Key controls: Security policies, segregation of duties, contact with authorities, threat intelligence, information security in project management, cloud services
People Controls (A.6)
8 controls. Controls addressing the human element of security — from pre-employment screening through employment and termination. People are consistently the largest attack surface, and these controls ensure security is woven into every stage of the employee lifecycle.
Key controls: Screening, terms of employment, security awareness training, disciplinary process, post-employment responsibilities, remote working
Physical Controls (A.7)
14 controls. Protection of physical premises, equipment, and media. Even for cloud-native organizations, physical controls apply to offices, employee devices, secure areas, and how physical media is handled and disposed of.
Key controls: Security perimeters, entry controls, securing offices, physical security monitoring, equipment maintenance, secure disposal, clear desk policy
Technological Controls (A.8)
34 controls. Technical safeguards for systems, networks, and data. This domain covers the controls most engineering teams are familiar with — access management, cryptography, secure development, vulnerability management, and logging.
Key controls: User endpoint devices, privileged access, access restriction, secure authentication, capacity management, malware protection, logging, network security, secure coding, data masking
The Checklist
Nine Phases to ISO 27001 Certification
Work through each phase sequentially. Every item maps to something your auditor will evaluate during the Stage 1 or Stage 2 assessment.
Phase 01
Scope Definition & Context Analysis
Establish the boundaries of your Information Security Management System and understand the internal and external factors that shape your security requirements.
- Define the organizational scope — which business units, locations, systems, and data will be governed by the ISMS
- Identify internal context factors: organizational structure, culture, capabilities, contractual obligations, and existing governance frameworks
- Identify external context factors: regulatory requirements, industry expectations, customer contractual obligations, and threat landscape
- Determine the needs and expectations of interested parties — customers, regulators, employees, partners, and shareholders
- Document the ISMS scope statement with clear boundaries, exclusions (with justification), and interfaces with out-of-scope systems
- Obtain formal management commitment including resource allocation, executive sponsorship, and a signed information security policy
- Automatically maps your infrastructure, data flows, and third-party integrations to suggest ISMS boundaries
- Cross-references regulatory requirements from your industry to identify mandatory scope elements
Phase 02
Risk Assessment & Risk Treatment
Identify, analyze, and evaluate information security risks, then determine how each risk will be treated. This is the backbone of ISO 27001 — every control selection must be justified by risk.
- Define and document your risk assessment methodology — including criteria for risk identification, analysis, evaluation, and acceptance thresholds
- Build an asset inventory covering information assets, supporting systems, infrastructure, people, and third-party services within scope
- Identify threats and vulnerabilities for each asset, considering both intentional and accidental scenarios
- Assess the likelihood and impact of each risk scenario using your defined criteria — quantitative, qualitative, or semi-quantitative
- Evaluate risks against your risk acceptance criteria and prioritize those requiring treatment
- For each unacceptable risk, select a treatment option: mitigate (apply controls), transfer (insurance or outsourcing), avoid (eliminate the activity), or accept (with documented justification and management sign-off)
- Produce a risk treatment plan with control selections traceable to specific risks, assigned owners, implementation timelines, and resource requirements
- Scans your cloud environment and SaaS tools to auto-generate an asset inventory with classification suggestions
- Maps identified risks to applicable Annex A controls and generates a draft Statement of Applicability
Phase 03
Statement of Applicability & Gap Analysis
Produce the Statement of Applicability (SoA) — the central document that connects your risk treatment decisions to specific Annex A controls — and identify what needs to be built or improved.
- Create the Statement of Applicability listing all 93 Annex A controls, stating for each whether it is applicable or excluded, with justification for every exclusion
- For each applicable control, document its current implementation status: fully implemented, partially implemented, planned, or not implemented
- Map existing controls, policies, and technical safeguards to their corresponding Annex A references
- Identify gaps where controls are missing, partially implemented, or lack evidence of effectiveness
- Prioritize gap remediation based on risk severity, audit timeline, and implementation complexity
- Assign remediation owners and establish target completion dates for each gap, ensuring the timeline aligns with your planned certification date
- Auto-maps your existing security tools and configurations to Annex A controls, highlighting coverage and gaps
- Generates a prioritized remediation roadmap with effort estimates and dependency mapping
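As an added example (not the page's or Huduku AI's code) of the traceability that Phases 02 and 03 call for: a small Python model that scores a constructed risk register against an acceptance threshold, derives a draft SoA in which a control is applicable only when a treated risk points at it, and lists the gaps an auditor would raise (untreated risks above threshold, acceptances without management sign-off, exclusions without justification). Annex A identifiers follow the ISO/IEC 27002:2022 numbering; the scenarios, scores, threshold and exclusion wording are constructed for the example.

```python
"""Risk register -> risk treatment -> draft Statement of Applicability (SoA).
Added example, not the page's or any vendor's code. Control identifiers follow
ISO/IEC 27002:2022 numbering; scenarios, scores, thresholds and text are constructed."""
from dataclasses import dataclass, field

ANNEX_A = {  # constructed subset of the Annex A catalogue (2022 ids and titles)
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.7.7": "Clear desk and clear screen",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
}
ACCEPT_THRESHOLD = 6  # constructed acceptance criterion: likelihood x impact <= 6

@dataclass
class Risk:
    rid: str
    scenario: str  # "<asset>: <threat>" in the register below
    likelihood: int  # semi-quantitative scale 1 (rare) .. 5 (almost certain)
    impact: int  # 1 (negligible) .. 5 (severe)
    treatment: str = ""  # mitigate | transfer | avoid | accept; "" = not yet decided
    controls: list = field(default_factory=list)  # Annex A ids used when mitigating
    justification: str = ""  # required for "accept"
    signed_off_by: str = ""  # management sign-off, required for "accept"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def build_soa(risks, exclusions):
    """A control is applicable only if a mitigated risk points at it; all others are
    excluded and need a justification. Returns {id: (status, risk_ids, why)}."""
    linked = {cid: [] for cid in ANNEX_A}
    for r in risks:
        if r.treatment == "mitigate":
            for cid in r.controls:
                if cid in ANNEX_A:
                    linked[cid].append(r.rid)
    return {cid: ("applicable", ids, "") if ids else ("excluded", [], exclusions.get(cid, ""))
            for cid, ids in linked.items()}

def validate(risks, soa):
    """Findings an auditor would raise against the treatment plan and the SoA."""
    findings = []
    for r in risks:
        if r.score > ACCEPT_THRESHOLD and not r.treatment:
            findings.append(f"{r.rid}: score {r.score} exceeds threshold with no treatment")
        if r.treatment == "accept" and not (r.justification and r.signed_off_by):
            findings.append(f"{r.rid}: accepted without justification and management sign-off")
        if r.treatment == "mitigate" and not any(c in ANNEX_A for c in r.controls):
            findings.append(f"{r.rid}: mitigation not traceable to any Annex A control")
    for cid, (status, _, why) in soa.items():
        if status == "excluded" and not why:
            findings.append(f"{cid}: excluded without justification")
    return findings

EXCLUSIONS = {  # constructed rationale for controls that no treated risk requires
    "A.5.7": "Threat intelligence is provided by the managed SOC supplier under contract",
    "A.7.7": "Fully remote organisation; no shared office space within scope",
}

def example_register():  # constructed register for a small SaaS provider
    return [
        Risk("R1", "admin console: credential stuffing", 4, 5, "mitigate", ["A.8.5"]),
        Risk("R2", "backup bucket: public exposure of backups", 3, 4, "mitigate", ["A.5.23"]),
        Risk("R3", "customer web app: exploit of unpatched dependency", 4, 4),  # still untreated
        Risk("R4", "internal wiki: accidental deletion of a page", 2, 2),  # score 4: acceptable
        Risk("R5", "staff laptops: theft of an encrypted laptop", 2, 4, "accept",
             justification="full-disk encryption in place"),  # no management sign-off yet
    ]
```

Running validate(example_register(), build_soa(example_register(), EXCLUSIONS)) reports R3 as untreated, R5 as accepted without sign-off, and A.8.8 as excluded without justification, which is exactly the linkage an auditor reads the SoA for.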
Phase 04
ISMS Documentation Framework
Build the mandatory documented information that ISO 27001 requires. Auditors will review these documents in Stage 1 before they ever look at a technical control.
- Establish an Information Security Policy signed by top management that sets the strategic direction and commitment for the ISMS
- Document information security objectives that are measurable, aligned with business goals, communicated to relevant personnel, and reviewed periodically
- Create the risk assessment methodology document describing how risks are identified, analyzed, evaluated, and treated
- Produce the risk assessment report and risk treatment plan documenting current risk status and planned actions
- Develop operational procedures for each applicable Annex A domain — access management, incident response, change management, supplier management, and business continuity
- Establish a document control procedure governing how ISMS documentation is created, reviewed, approved, distributed, and retired
- Define roles, responsibilities, and authorities for the ISMS — including the information security manager, risk owners, control owners, and internal auditors
- Ensure every document has version control, an approval record, a review schedule (at minimum annual), and a defined owner
- Generates policy drafts tailored to your organization's size, industry, and technology landscape
- Cross-references documentation against ISO 27001 mandatory requirements to flag missing or incomplete items
Phase 05
Control Implementation
Implement the organizational, people, physical, and technological controls identified in your risk treatment plan and Statement of Applicability.
- Implement identity and access management controls — enforce least privilege, role-based access, multi-factor authentication, and regular access reviews across all in-scope systems
- Deploy cryptographic controls — encryption at rest and in transit for sensitive data, key management procedures, and certificate lifecycle management
- Establish change management processes covering change requests, risk assessments, testing, approval gates, and rollback procedures for all in-scope systems
- Implement network security controls — segmentation, firewall rules, intrusion detection, remote access policies, and secure configuration baselines
- Deploy vulnerability management — regular scanning, patch management with defined SLAs (e.g., critical within 14 days), and a process for handling zero-day disclosures
- Establish logging, monitoring, and alerting — centralize security event logs, define retention periods, configure alerts for anomalous activity, and protect log integrity
- Implement business continuity and disaster recovery controls — documented BCP/DR plans, defined RPO and RTO targets, and regular testing including tabletop exercises
- Address supplier and third-party security — onboarding assessments, contractual security requirements, ongoing monitoring, and a process for handling supplier incidents
- Continuously monitors cloud configurations against your defined baselines and alerts on drift
- Auto-collects evidence of control operation from AWS, Azure, GCP, identity providers, and SaaS tools
Phase 06
Security Awareness & Competence
Ensure everyone within the ISMS scope understands their security responsibilities and has the competence to fulfill their role. ISO 27001 explicitly requires awareness, training, and competence records.
- Develop a security awareness program covering the information security policy, acceptable use, social engineering threats, incident reporting, and data handling
- Deliver awareness training to all employees within 30 days of joining and at least annually thereafter — with tracked completion rates
- Provide role-specific training for personnel with elevated responsibilities: developers (secure coding), administrators (hardening), incident responders (IR procedures)
- Maintain competence records demonstrating that personnel performing ISMS-critical functions have the necessary skills and qualifications
- Conduct periodic phishing simulations and measure response rates to validate the effectiveness of your awareness program
- Establish a disciplinary process for security policy violations and ensure all personnel acknowledge the policy and their responsibilities in writing
- Tracks training completion rates across the organization and generates compliance-ready reports with gap analysis
- Delivers customized training modules based on role, department, and access level
Phase 07
Performance Evaluation & Internal Audit
Measure ISMS effectiveness, conduct internal audits, and hold management reviews. These activities generate the evidence that your ISMS is functioning as a management system — not just a set of controls.
- Define information security metrics and KPIs that measure control effectiveness, risk posture changes, incident trends, and objective achievement
- Establish a monitoring and measurement program that specifies what is measured, methods used, frequency, and who analyzes the results
- Plan and execute an internal audit program covering the full ISMS scope at least annually — audit plans must address all clauses and applicable Annex A controls
- Ensure internal auditors are independent of the areas they audit — they should not audit their own work or direct responsibilities
- Document internal audit findings with non-conformities classified by severity, root cause analysis, corrective actions, and target resolution dates
- Conduct a management review at least annually — covering audit results, risk status, metrics, interested party feedback, opportunities for improvement, and resource adequacy
- Retain documented records of management review outputs including decisions and actions related to continual improvement
- Generates real-time ISMS dashboards showing control health, risk posture, and metric trends against defined targets
- Automates evidence collection for internal audit and flags areas where control evidence is aging or missing
Phase 08
Stage 1 & Stage 2 Certification Audits
Engage your certification body and work through the two-stage audit process. Preparation and responsiveness at this stage determine whether certification is granted on the first attempt.
- Select an accredited certification body (CB) — verify their accreditation, industry experience, auditor availability, and familiarity with your technology stack
- Complete the Stage 1 audit — provide all mandatory ISMS documentation including scope, SoA, risk assessment, policies, and management review records
- Resolve any Stage 1 non-conformities before the Stage 2 audit date — common findings include incomplete risk treatment plans, missing scope justifications, and undocumented procedures
- Prepare for Stage 2 by briefing control owners, organizing evidence packages, and ensuring all personnel can articulate their security responsibilities
- During Stage 2, facilitate auditor access to staff, systems, and evidence — respond to information requests within 24 hours to maintain audit momentum
- Address any Stage 2 non-conformities within the timeframe specified by the CB — major non-conformities require resolution before certification is granted
- Review the draft audit report for factual accuracy and provide management responses for any noted findings
- Upon successful completion, receive your ISO 27001 certificate — valid for 3 years with annual surveillance audits
- Provides auditors with a read-only compliance portal showing real-time ISMS status, control evidence, and metrics
- Simulates audit questioning scenarios to help control owners prepare for auditor interviews
Phase 09
Surveillance, Recertification & Continual Improvement
ISO 27001 certification is not a destination — it is a three-year cycle with annual surveillance audits and a full recertification at the end. Continual improvement is a fundamental requirement of the standard.
- Prepare for annual surveillance audits by maintaining continuous evidence collection, current risk assessments, and up-to-date documentation throughout the year
- Track and remediate all non-conformities and observations from previous audits with documented root cause analysis and verified corrective actions
- Execute your internal audit program annually, covering different areas each cycle to ensure full ISMS coverage over the three-year certification period
- Conduct management reviews to evaluate ISMS performance, resource adequacy, and strategic alignment — auditors will check that these happen on schedule
- Monitor changes to ISO 27001 and related standards — the 2022 revision restructured Annex A significantly, and future updates will require transition planning
- Feed lessons from incidents, near-misses, industry developments, and audit findings back into your risk assessment and control improvement pipeline
- Plan recertification at least 6 months before certificate expiry — the recertification audit covers the full ISMS scope and is equivalent in rigor to the initial Stage 2
- Continuous compliance monitoring ensures controls never degrade between surveillance audits
- Automated alerts when periodic activities (access reviews, policy reviews, training) are overdue or evidence gaps emerge
Learn from Others
Five Mistakes That Derail ISO 27001 Certification
These are the patterns we see repeatedly across organizations pursuing ISO 27001 — and every one of them is preventable with the right approach.
Building the ISMS in isolation from business operations
An ISMS that exists only on paper — or only within the security team — will not survive a Stage 2 audit. Auditors interview operational staff and expect them to describe how security practices apply to their daily work. If the ISMS is disconnected from how the business actually operates, auditors will identify non-conformities and, more importantly, the ISMS will not protect the organization. Integration into real business processes is the entire point.
Treating the Statement of Applicability as a checkbox
The SoA is the most important document in your ISMS. Every control inclusion must be justified by a traceable risk, and every exclusion must be justified with a clear rationale. Organizations that bulk-mark controls as applicable without linking them to specific risks produce SoAs that auditors immediately question. The SoA should tell a story about your risk landscape and how you have chosen to address it.
Under-investing in risk assessment quality
ISO 27001 is a risk-based standard — the entire control selection and ISMS design flows from your risk assessment. A shallow or template-driven risk assessment that does not reflect your actual threat landscape, asset inventory, and business context will produce a control set that is either over-engineered (wasting resources) or under-scoped (leaving real risks unaddressed). Invest the time to make your risk assessment genuine.
No evidence of management commitment
Clause 5 of ISO 27001 requires demonstrable top management commitment — not just a signature on a policy. Auditors look for evidence that management allocates resources, reviews ISMS performance, makes decisions based on risk data, and actively participates in management reviews. If your CISO cannot produce evidence of executive engagement, it signals that the ISMS lacks organizational authority.
Confusing compliance with security
ISO 27001 is a framework for managing information security risk — not a guarantee that your organization is secure. Organizations that implement controls purely to pass the audit, without considering whether those controls genuinely reduce risk in their specific context, end up with a certificate that provides false assurance. The standard is a floor, not a ceiling. Build your ISMS to protect your business, and certification will follow naturally.
Common Questions
ISO 27001 Frequently Asked Questions
How long does ISO 27001 certification take?
For most organizations, the implementation phase takes 6 to 12 months, depending on the maturity of existing security practices. After implementation, the Stage 1 and Stage 2 audits typically span 2 to 4 weeks combined. Organizations with mature security programs and existing frameworks like SOC 2 can often accelerate this to 4 to 6 months.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes: Organizational, People, Physical, and Technological. Eleven new controls were added, including threat intelligence, cloud security, data masking, and monitoring activities. The core management system clauses (4-10) had minor wording changes but no structural overhaul. Organizations certified to the 2013 version had until October 2025 to transition.
Do I need to implement all 93 Annex A controls?
No. Annex A is a reference set, not a mandatory checklist. You select controls based on your risk assessment and document your decisions in the Statement of Applicability. If a control is not relevant to your risk landscape, you exclude it with justification. However, exclusions must be defensible — auditors will challenge exclusions that appear to dodge material risks.
How does ISO 27001 relate to SOC 2?
ISO 27001 is an international standard focused on establishing and maintaining an Information Security Management System. SOC 2 is a US-based attestation focused on demonstrating controls around Trust Services Criteria. There is significant overlap in control areas (access management, monitoring, incident response), but ISO 27001 places greater emphasis on management system operation, risk methodology, and continual improvement. Many organizations pursue both to satisfy different customer and regulatory requirements.
What is the cost of ISO 27001 certification?
Costs vary significantly based on scope, organization size, and existing security maturity. Certification body fees for Stage 1 and Stage 2 audits typically range from $15,000 to $50,000 for small to mid-size organizations. Implementation costs — tooling, consulting, staff time, and control deployment — can range from $30,000 to $200,000+ depending on the gap between current state and requirements. Annual surveillance audits are approximately 30-40% of the initial audit cost.
Build Your ISMS With Confidence, Not Spreadsheets
Huduku AI maps your infrastructure to Annex A controls, auto-generates your Statement of Applicability, and keeps evidence fresh year-round. Stop building your ISMS in documents — run it as a living system.
93 Annex A controls mapped. 9 phases fully tracked. 365 days of continuous monitoring.