ISO 27001 readiness checklist: how to prepare for certification

9 min read · Updated June 2026

ISO 27001 certification is less about a single audit and more about standing up an information security management system (ISMS) and proving it runs. This checklist walks the work in order: define scope, assess risk, write the Statement of Applicability, implement controls and policies, gather evidence, run an internal audit, then pass the Stage 1 and Stage 2 audits.

What "readiness" actually means

You are ready for an ISO 27001 certification audit when your ISMS exists on paper and in practice: risks are assessed, controls are chosen and operating, policies are approved and followed, and you can show evidence that all of this has been running for long enough to be credible. Certification bodies do not test a fixed checklist of controls; they test whether you run a managed, repeatable process for keeping information secure. The steps below get you there.

The readiness checklist, in order

  1. Define the scope. Decide which parts of the business, systems, and locations the ISMS covers, and write it down. A tight, honest scope is easier to certify than a vague, sprawling one.
  2. Secure leadership and assign ownership. ISO 27001 expects management commitment and a named owner for the ISMS. Document roles and responsibilities.
  3. Run a risk assessment. Identify your information security risks, assess likelihood and impact against a consistent method, and record them in a risk register with owners and treatment decisions.
  4. Choose controls and write the Statement of Applicability (SoA). For each Annex A control, state whether it applies, how it is implemented, and if excluded, why. The SoA is the spine of your certification.
  5. Write and approve policies. Information security policy, access control, supplier security, incident response, business continuity, and the others your risks call for. Approved, dated, and version-controlled.
  6. Implement the controls. Put the technical and organisational measures in place: access reviews, logging, encryption, onboarding and offboarding, vendor due diligence, and so on.
  7. Collect evidence as you go. Tickets, access-review records, training logs, meeting minutes, and screenshots. Evidence that controls operated over time is what the auditor inspects.
  8. Run an internal audit. Check your own ISMS against the standard, log nonconformities, and fix them. This is a requirement, not an optional extra.
  9. Hold a management review. Leadership formally reviews the ISMS, its risks, and its performance, and records decisions.

The two certification audits

An accredited certification body runs the audit in two stages. Stage 1 is a documentation review: the auditor checks that your ISMS, scope, risk assessment, SoA, and policies exist and hang together, and flags gaps to fix. Stage 2 is the main event: the auditor tests whether your controls actually operate, by sampling evidence and interviewing people. Pass Stage 2 and you receive a certificate, normally valid for three years, with lighter surveillance audits in years two and three.

Where teams most often fall short

  • Evidence gaps: controls are designed but there is no proof they ran. Start collecting evidence the day you implement a control, not the week before the audit.
  • A risk assessment that does not connect to the SoA, so control choices look arbitrary.
  • Policies that nobody follows. Auditors interview staff, and a policy contradicted in practice is a finding.
  • Scope creep, or a scope so broad you cannot maintain it.
  • Skipping the internal audit and management review, both of which are mandatory.

How long it takes and what it costs

For most small and mid-sized teams, first-time ISO 27001 takes somewhere between three and nine months of preparation, depending on how much security maturity you start with, followed by the two-stage audit. Costs fall into two buckets: the certification body fees (which scale with company size and scope) and the internal effort or tooling you use to run the ISMS. The biggest hidden cost is usually the manual work of gathering and maintaining evidence, which is exactly where tooling earns its keep.

How tooling shortens the path

A compliance tool turns the checklist above into a tracked, living system instead of a folder of spreadsheets. It keeps your control register, evidence, and Statement of Applicability in one place, flags gaps and stale evidence, and maps a control you satisfy once across the frameworks it relates to.

Diligio Compliance does this on the same knowledge base that answers your security questionnaires, so the work compounds: an AI agent can propose evidence and control statuses across the framework, a human certifies before anything is attested, and the approved answers also drive your Trust Center and questionnaire responses. It supports ISO 27001 and SOC 2 today, and we run our own ISO programme inside it.

Frequently asked questions

How long does it take to get ISO 27001 certified?

For most small and mid-sized organisations, expect roughly three to nine months of preparation before the certification audit, depending on your starting security maturity. The certificate is then normally valid for three years, with annual surveillance audits in between.

What is a Statement of Applicability?

The Statement of Applicability (SoA) lists every ISO 27001 Annex A control and states whether it applies to you, how it is implemented, and, where a control is excluded, the justification. It is one of the central documents the certification body reviews.

What is the difference between the Stage 1 and Stage 2 audits?

Stage 1 is a documentation review that checks your ISMS, scope, risk assessment, and policies exist and are coherent. Stage 2 tests whether your controls actually operate, through evidence sampling and interviews. Passing Stage 2 results in certification.

Do I need a tool to get ISO 27001?

No, but it helps a lot. The hardest part is collecting and maintaining evidence that controls operate over time. A compliance tool keeps your controls, evidence, and Statement of Applicability in one place and flags gaps, which removes most of the manual overhead of staying audit-ready.
