ISO 27001 Checklist: 6 Easy Steps to Get Started

by Troy Fine

August 05, 2022
Even if you understand why you should be certified, you may not know how to get started. Consider this post your ISO 27001 checklist.

The number of companies that achieve ISO 27001 certification each year is growing as businesses expand to different global markets. However, ISO 27001 comes with its own set of challenges for teams trying to achieve certification for the first time. 

To help get you started, we put together this high-level checklist. 

Why ISO 27001?

Before you jump into the process of getting certified, you should understand the “why” behind it. According to the International Organization for Standardization, ISO 27001 enables organizations of any kind to manage the security of assets like financial information, intellectual property, employee details, or information entrusted by third parties.

At a time when cybersecurity threats are always growing and changing, having this level of credibility can be a great business investment. It builds trust with clients and can protect you from information loss.

6 Critical Steps for ISO 27001 

There are a lot of moving pieces to think about when you’re trying to achieve certification. This list contains key details and an overview of what you can expect as you take steps towards becoming ISO 27001 certified.

1. Develop an Implementation Team and Plan

An information security management system (ISMS) policy is a set of guidelines that govern how your organization will handle information security matters. You’ll need a team of people to implement the ISMS, including members from various areas of the organization.

This team may include a project manager, representatives involved in the development and implementation of the ISMS (e.g., information security), and representatives from technical groups (e.g., network engineers). You will also need to involve appropriate members of the leadership team, as ISO 27001 requires formal involvement from top management when it comes to enforcing and monitoring the ISMS. Also, consider the time it will take to involve these team members in the process and how it will impact the business. This is an important task that requires attention, so you may find that timelines for other projects and priorities will shift.

2. Understand ISO 27001 Requirements

At its core, ISO 27001 requires you to have information security risk management practices, a process for evaluating your efforts, and a way to show improvement for any areas of risk that you identify. This may seem simple, but there are layers beneath these basic requirements. Certification requires you to meet several clauses, plus Annex A, which can be overwhelming. Working through the requirements one clause at a time makes this manageable. If you need more detail about each of these, read our ISO 27001 beginner’s guide.

3. Find Your Security Baseline

Before you can make any meaningful changes, you need to understand the state of security in your organization. This requires you to look at three different elements:

  • What is currently working, and what processes do you have in place already that will support your certification?  

  • What’s not working? Are there any gaps that you’re aware of before stepping into this process that create security risks?

  • Where are you unsure about the state of your security practices?

This is a great opportunity for collaboration between team members, as they’re likely to have valuable insight. Involve them during this step in the process and get their input before taking additional steps. 

4. Define the ISMS Scope

The scope of your ISMS will determine what you are protecting, and what you need to focus on. It should be defined in terms of the organization’s business functions, information processing systems, and information processing environments. This is because the threat environment may vary across these areas. For example:

If a pharmaceutical company has two manufacturing plants (one for drug A and one for drug B), then each plant should have a security program that aligns with its specific business needs—even though both plants belong under one umbrella organization.

The same goes for an insurer that uses two different systems to calculate premiums or an online retailer with two different brands and websites. If a single ISMS covers all aspects without considering unique differences between them, then there may be gaps in protection.

While many components go into scope, there are two that require the most attention. The first is the risk assessment. The second is the creation of your Statement of Applicability, which must state which Annex A controls were determined to be necessary to treat the risks that assessment identified.

5. Create an ISMS Plan

Once you work out the scope, it’s time to create a plan document that clearly defines the responsibilities and authority structures within your ISMS. You should also document procedures and processes for handling various security incidents.

This is an important part of achieving certification, but it’s also critical for the organization overall. It ensures that all employees have the same understanding of how to protect the company’s data from threats like hackers or malware.

Your ISMS should include policies for managing access control, confidentiality, integrity, and availability of information assets, as well as incident response.

6. Review Your Efforts

After you complete all the other phases, it’s time to take a step back and determine whether they are effective. In other words, conduct an internal audit to assess progress. Ask yourself these questions:

  • Have you identified all aspects of security risk?

  • Are you properly addressing these risks by implementing control measures?

  • Is the implementation of these controls working as intended?

  • Is your information security management system effectively addressing all aspects of security risk?

  • Are you properly implementing controls based on those risks?

If you answered no to any of these questions, there’s a larger question that comes into play: What can you do to improve your efforts going forward? You may find that you need to take corrective action before you can move forward and involve an accredited ISO 27001 certification body.

Clear the Path to ISO 27001

ISO 27001 certification can help you create better business outcomes, but it can be a struggle to achieve it. Use this ISO 27001 checklist to guide your way. If you want to reduce the complexity even further, Drata can streamline your journey to ISO 27001 certification and many other frameworks by eliminating hundreds of hours of manual work. Schedule a demo to see how we can help.

Troy Fine
Director of Risk & Compliance