Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

10 steps to ISO 27001 certification

The ISO27001 standard is recognized worldwide as one of the foremost information security frameworks. Adopted by organizations small and large across a wide variety of industries, certification to ISO27001 is increasingly seen as a defacto requirement in competitive tendering situations, and as an assurance to stakeholders that cyber security is taken seriously.

Implementing the ISO 27001 framework can be a complex process, especially if you’re new to the world of Information Security and ISO management systems, so as a starting point we’ve put together 10 key steps to a successful ISO 27001 certification.

1. Implementation project

Starting right is the first step to success, ensure you have management buy-in and an idea of how you’re going to complete the project with what resources and tools. Perform an initial gap analysis to identify your starting point and begin to get familiar with the structure and content of the standard.

2. Scope, context and interested parties

Define what needs to be in the “scope” of the management system and have this documented. Identify your interested parties, both internal and external. Think about the context of the ISMS in terms of what your organization does and how it is affected by internal and external factors such as the economy, technology and legislation.

3. ISMS Policy, and Roles and Responsibilities

Create an ISMS Policy and get it approved and published internally. Define the roles in your management system and what they are expected to do. Identify who will fulfil the roles and any immediate training needs for those people.

4. ISMS Risk, Opportunities and Security Objectives

Define a risk assessment process and get the right people involved to carry it out to produce a risk treatment plan. Produce your Statement of Applicability to show which of the Annex A controls from the ISO27001 standard are relevant to your organization. Don’t forget to consider opportunities too, which may be thought of as “good risks”. Set your objectives for the ISMS so that you’ll be able to tell if it’s having the desired effect.

5. Competence, Awareness and Communication

Evaluate any competency gaps for the people involved in your ISMS and how they might be filled using methods such as training, on the job learning or recruitment. Put in place an awareness training programme, particularly for employees, and define how you will communicate to interested parties about the ISMS.

6. Documented Information

Decide how documented information will be created and controlled within the ISMS. Develop a set of policies, procedures and other relevant documents to support the ISMS and its operation. Make sure your version control and approval methods are fit for purpose and that everyone has access to the documents they need.

7. Operational

Ensure you have the ISMS processes in place and that the interactions between them are fully understood. Manage your risk treatment plan to ensure it is delivering results. Run the ISMS to work towards achieving your objectives, whilst accumulating records that will act as evidence for your certification audit.

8. Performance Review

Make sure you have independent auditing resources in place and put an internal audit programme in place to cover all aspects of the ISMS. Define how nonconformities raised during audit will be addressed and managed through to completion. Hold a management review to assess how your ISMS is performing so far.

9. Update Gap Assessment Plans and Actions

Revisit the gap assessment to see what still needs to be done, and by whom. Check that you have all of the necessary documentation in place and that your ISMS processes are working as intended. Address any remaining areas of nonconformity in preparation for ISO 27001 certification.

10. Plan Your Certification Needs

Choose a certification body to carry out your audits, arrange your Stage One assessment, and check that everything is prepared for their visit. If the certification auditor agrees you’re ready, proceed with Stage Two and achieve certification, addressing any nonconformities raised as soon as possible after the audit.

There you have our 10 steps to ISO 27001 certification, we hope this helped the process seem more achievable. For further guidance, our comprehensive ISO 27001 10 step guide is available to download for free. 

More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance


The sample documents are very rich in their scope. Our attorneys have reviewed our edits and can find no fault with what is presented.

Institute for Supply Management

View all Testimonials