ISO 27001 Readiness Checklist

This guide walks you through every stage of ISO 27001 certification readiness — from ISMS implementation and risk treatment to Statement of Applicability sign-off, internal audit, and Stage 1 and Stage 2 audit preparation. Use the checklist sections to identify gaps and drive your programme to closure before the external auditor arrives.

At a glance: 8 readiness areas, 93 Annex A controls (ISO/IEC 27001:2022), 8 to 20 week timeline to Stage 1 readiness.

What is ISO 27001 readiness?

ISO 27001 readiness means your information security management system (ISMS) is fully implemented, documented, and evidenced — not just designed on paper. Certification readiness requires that your policies, risk treatment, ISO 27001 controls, and internal audit cycle are all operating before you invite an external auditor to assess them.

Many organisations confuse ISMS implementation with certification readiness. Implementation is building the system; readiness is demonstrating that it works. Auditors at both the Stage 1 and Stage 2 audits look for evidence of operation, not intention. A policy that exists but is not followed will generate a nonconformity regardless of how well it is written.

This checklist covers the eight areas that external auditors consistently examine. Work through each section, rate your current status, assign owners to open items, and consolidate your evidence before your first audit date.

Complete ISO 27001 readiness checklist

Rate each item: complete, partial, or not started. Partial and missing items become your remediation backlog.

1 Scope and Context

  • ISMS scope statement defines organisational, geographic, and system boundaries
  • Internal and external context analysis (clause 4.1) is documented
  • Interested parties and their relevant requirements (clause 4.2) are identified
  • Scope exclusions are justified, documented, and defensible to an auditor

2 Leadership and Governance

  • Top management commitment is evidenced — meeting minutes, email approvals, or policy sign-off
  • Information security policy is approved, dated, and communicated to all staff
  • Security roles and responsibilities are assigned with named owners, not just job titles
  • Information security objectives are measurable and linked to the organisation's risk context

3 Risk Assessment

  • Risk assessment methodology is documented with defined criteria for likelihood, impact, and acceptance
  • Risk register covers all assets, processes, or scenarios within the ISMS scope
  • A risk owner is assigned to each identified risk
  • Risk treatment plan selects options (treat, tolerate, transfer, terminate) for each risk above the acceptance threshold
  • Risk treatment plan is reviewed and formally accepted by management

4 Statement of Applicability

  • All 93 Annex A controls of ISO/IEC 27001:2022 are evaluated — none skipped without documented justification
  • Each applicable control shows its implementation status: implemented, partially implemented, or planned
  • Excluded controls carry an auditable justification referencing scope, risk, or legal basis
  • Statement of Applicability is version-controlled, dated, and signed by authorised management
  • SoA is aligned with the risk treatment plan — selected controls address the identified risks

5 Annex A Controls

  • All ISO 27001 controls selected in the SoA are implemented and have supporting policies or procedures
  • Technical controls — access management, encryption, logging, vulnerability management — are operational
  • Supplier and third-party security requirements are in contracts and assessed periodically
  • Security awareness training is completed and records are retained
  • Incident response and business continuity plans are tested and results documented

6 Internal Audit

  • An internal audit programme covers the full ISMS scope and all applicable ISO 27001 controls
  • At least one complete internal audit cycle is finished before the Stage 1 audit
  • Audit findings and nonconformities are formally recorded in a report
  • The audit was conducted by someone independent of the area being audited

7 Management Review

  • A management review meeting has been held and formally minuted
  • Agenda covered internal audit results, risk status, security objectives performance, and improvement opportunities
  • Review outputs document decisions on ISMS changes, resource needs, and improvement actions
  • Minutes are retained as documented information and available for auditor review

8 Corrective Actions

  • All nonconformities from internal audits have a root cause analysis and corrective action logged
  • Each corrective action has a named owner and a target closure date
  • Completed actions are verified for effectiveness before being closed
  • Corrective action register is current and available for auditor inspection

Common readiness mistakes

These are the gaps most frequently raised as nonconformities during ISO 27001 audit preparation.

Treating the Statement of Applicability as a paperwork exercise

The SoA must reflect the live state of your ISO 27001 controls. Auditors cross-reference it against actual implementations and will raise a nonconformity if controls marked as implemented cannot be evidenced.

No completed internal audit or management review before Stage 1

Both are mandatory requirements (clauses 9.2 and 9.3). Certification bodies differ on whether the first cycle must be finished before Stage 1 or only before Stage 2, but Stage 1 will at minimum check that internal audits and management reviews are planned and being performed. Arriving at the Stage 1 audit without completed records means the auditor cannot confirm your ISMS is operational, and certification will be delayed.

Controls documented in policy but not operating in practice

The most common Stage 2 audit finding. A policy that says "access is reviewed quarterly" must be evidenced by dated access review records. Intention without evidence is a nonconformity.

Risk treatment plan not formally accepted by management

Completing a risk assessment is not enough. ISO 27001 clause 6.1.3 requires the risk owners to approve the risk treatment plan and accept the residual information security risks, and that acceptance must be recorded. Without a signed or minuted approval, clause 6.1 is incomplete.

Internal audit nonconformities left open at Stage 2

Open corrective actions signal that your ISMS improvement cycle is not functioning. Auditors check whether findings have been closed and verified, not just logged.

ISMS scope too broad for available evidence

Organisations sometimes define a wide scope to appear comprehensive, then struggle to produce consistent evidence across all areas. A tightly defined, well-evidenced scope certifies more reliably than a broad scope with evidence gaps.

Stage 1 vs Stage 2 audit preparation

ISO 27001 certification uses a two-stage audit process. Understanding what each stage tests lets you focus your preparation in the right order.

Stage 1 — Documentation review

Typically conducted remotely, the Stage 1 audit confirms your ISMS documentation is complete and your organisation is ready to proceed to the effectiveness audit. Stage 1 findings must be resolved before Stage 2 is scheduled.

Auditors focus on

  • ISMS scope is clearly defined and appropriate
  • Statement of Applicability is finalised and signed
  • Risk assessment and risk treatment plan are documented
  • Internal audit and management review have been completed
  • All mandatory ISO 27001 documented information is present

Stage 2 — Controls effectiveness

The Stage 2 audit tests whether ISO 27001 controls are working as intended through staff interviews, process walkthroughs, and evidence sampling. This is where the auditor either recommends certification to the certification body or raises the major nonconformities that block it.

Auditors focus on

  • ISO 27001 controls operate as described in policies and the SoA
  • Evidence is current, consistent, and traceable to controls
  • Staff demonstrate awareness of their ISMS responsibilities
  • Stage 1 nonconformities are fully closed out
  • Corrective action register shows an effective improvement cycle

FAQ

What is an information security management system (ISMS)?

An information security management system is the set of policies, procedures, and controls that systematically manages information security risks across an organisation. ISO 27001 is the international standard that defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. Certification demonstrates to customers and regulators that your information security management system meets that standard.

How long does ISMS implementation take?

Most ISMS implementation programmes take 8 to 20 weeks from kick-off to Stage 1 audit readiness, depending on scope complexity, existing documentation maturity, and dedicated resource availability. Allow a further four to eight weeks between Stage 1 and Stage 2 for evidence consolidation and remediation of Stage 1 findings.

What is the Statement of Applicability and why does it matter?

The Statement of Applicability is the document that maps all 93 Annex A controls to your organisation, recording which are applicable and implemented, and why any are excluded. It is one of the first documents requested at the Stage 1 audit because it shows the auditor the shape of your ISO 27001 controls landscape. It must be version-controlled, current, and signed by management.

Do we need all 93 Annex A controls?

No, but you must evaluate all 93 ISO 27001 controls and document a justification for any you exclude. Controls are selected based on the risks in your assessment, your legal and contractual obligations, and your operational context. Unjustified exclusions are a common Stage 1 audit finding.

What happens if we fail the Stage 1 audit?

Stage 1 is a readiness assessment rather than a pass/fail exam, but an unsatisfactory Stage 1 means the auditor raised findings that must be resolved before Stage 2 can proceed. Findings range from observations and opportunities for improvement to areas of concern that would become major nonconformities if still present at Stage 2. Minor issues are closed during the Stage 1 to Stage 2 gap; major gaps may require a further review of the affected area and will delay your certification timeline.

Can ISO 27001 ISMS implementation support DORA compliance?

Yes. Policy governance, risk treatment, supplier oversight, and incident management evidence built during ISMS implementation can directly support DORA obligations. The frameworks are complementary: ISO 27001 establishes your information security control baseline while DORA adds digital operational resilience requirements, ICT incident reporting, and third-party oversight specific to financial entities.