
ISO 27001 Certification in 9 Steps

A practical roadmap for implementing ISO 27001 the right way. Avoid checkbox compliance — first the foundation, then the controls.


Most organisations start with the controls — which is the wrong way. Without a solid foundation, you will fail the audit, no matter how many controls you have implemented. You build that foundation through your risk management processes. Controls come after. This roadmap takes you through the certification in the right order.

Step 1 – Define your objectives

ISO 27001 is fundamentally about managing risk. Risks are events that make it harder to achieve your objectives. To know which risks to address, you first need to know what your organisation is trying to achieve. Are you pursuing rapid growth or stability? Continuous innovation or operational efficiency? Reputation or maximum profit?

Once that is clear, you can set your priorities for the ISMS — for example: the privacy of our patients comes first; or: our core systems must always be available; or: in the event of a serious incident, we are back up and running within a day.

Step 2 – Map the context

Risks arise from context — both internal and external. That is why ISO 27001 requires you to map it. What threats exist? Which laws and regulations apply? What developments do you see among your customers, regulators, your workforce, or in technology? Conduct a SWOT analysis and a stakeholder analysis.

Translate this into risks and opportunities, and then into what you need in terms of information management. This context analysis is critical input for the risk assessment in step 6.

Document the steps you took to map the context, and who was involved. The auditor will ask.

Step 3 – Assign responsibilities

A functioning ISMS requires clarity about who is responsible for what, and who makes which decisions. ISO 27001 explicitly names three roles:

  • Top management is ultimately responsible for the policy and operation of the ISMS, and therefore for information security. Execution can be delegated; accountability cannot.
  • Risk owners determine whether risks have been reduced sufficiently, or whether additional controls are needed. In practice, these are business managers: their objectives are at stake when information is inadequately protected.
  • Asset owners are responsible for appropriate controls to protect their assets. Asset ownership often sits with the IT function, and in smaller organisations execution is often handled by third-party suppliers.

For the various components of the ISMS, you will need to determine who decides, who advises, who executes, and who is kept informed. Capture this in a RASCI matrix.

Step 4 – Start documenting

ISO 27001 requires activities to be structured, verifiable, and repeatable. That means documenting. It will also help you grow from an organisation that stumbles from incident to incident, to one with the capacity to learn and continuously improve. You document upfront — this is how we will do it — and afterwards — this is what we did, and these were the results. Version and date your documentation, store it in a structured way, and make clear who drafts, reviews, and signs off each type of document. Schedule periodic reviews to check whether documents still reflect reality.

Step 5 – Classify your information

Not all information needs the same level of protection. Some information is highly confidential; other information is public by definition. Inventory the types of information within your organisation and consider how important availability, confidentiality, and integrity are for each type. Indicate this with High, Medium, or Low — or a classification scheme of your own choosing.

This is connected to how much risk your organisation is willing, or able, to carry.

Also describe where the information lives: which servers or suppliers hold it, which software contains it, and where it is used. This indicates where controls need to be applied.

Step 6 – Assess the risks

With the context analysis from step 2, you can now map the risks in detail. Look at four dimensions:

  1. Threat — what could go wrong?
  2. Vulnerability — how exposed are we?
  3. Impact — what are the consequences?
  4. Probability — what is the likelihood?

Score probability and impact on a simple scale, for example 1, 2, or 3, and multiply them into a risk score: R = P × I. With a 3-point scale this gives scores from 1 to 9, which is coarse but sufficient to set priorities.

Each risk gets a risk owner. They will need to approve the risk treatment plan in step 7, and after implementation, they determine whether the risk has been reduced sufficiently. It is advisable to agree in advance what risk score is acceptable. Here too, the organisation’s risk appetite is a factor.

Step 7 – Define controls and plan implementation

Now we arrive at the infamous 93 controls of Annex A (ISO/IEC 27001:2022). The good news is that you are probably already applying a significant number of them, internally or through a supplier. Start by inventorying those controls and documenting them in a way that fits the ISO 27001 framework. What matters is that you link each control to specific risks from step 6, and tie its scope to the information classification from step 5.

For the remaining controls, you will need to find a meaningful place to apply them — or argue why they do not apply to your organisation. This is captured in your Statement of Applicability. You do not need to have all applicable controls fully implemented before certification, provided you have a clearly substantiated implementation plan (see step 8), aligned with your priorities from the risk assessment in step 6.
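The scoring and linking described in steps 6 and 7 are easy to get inconsistent once the register grows beyond a handful of rows. The following Python is an added example, not part of the original article or of any tool it references: it keeps a small risk register, computes R = P × I, filters against an agreed acceptance threshold, and maps Annex A controls to the risks they treat so that controls with no linked risk surface as the ones still needing a justification in the Statement of Applicability. The risks, owners and acceptance threshold are constructed for illustration; the control identifiers and titles follow the Annex A numbering of ISO/IEC 27001:2022.

```python
"""Risk register with R = P x I scoring, an agreed acceptance threshold,
and a control-to-risk mapping that feeds a Statement of Applicability.

The sample risks, owners and threshold below are constructed for this
example. Control IDs and titles are from Annex A of ISO/IEC 27001:2022.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = (1, 2, 3)  # Low / Medium / High, used for both probability and impact


@dataclass
class Risk:
    rid: str
    threat: str            # what could go wrong
    vulnerability: str     # why we are exposed
    probability: int       # 1..3
    impact: int            # 1..3
    owner: str             # business manager accountable for the risk (step 3)
    controls: list[str] = field(default_factory=list)  # Annex A IDs (step 7)

    def score(self) -> int:
        """R = P x I; refuse values outside the agreed scale."""
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: P and I must be one of {SCALE}")
        return self.probability * self.impact


def treatment_plan(risks: list[Risk], appetite: int) -> list[Risk]:
    """Risks above the acceptable score, highest first (ties by ID)."""
    above = [r for r in risks if r.score() > appetite]
    return sorted(above, key=lambda r: (-r.score(), r.rid))


def accepted(risk: Risk, appetite: int) -> bool:
    """Risk owner's check after treatment: is the residual score acceptable?"""
    return risk.score() <= appetite


def statement_of_applicability(risks: list[Risk], annex_a: dict[str, str]) -> dict[str, list[str]]:
    """Map every Annex A control to the risk IDs it treats.

    An unknown control ID in the register is an error, not a silent miss.
    """
    soa: dict[str, list[str]] = {cid: [] for cid in annex_a}
    for r in risks:
        for cid in r.controls:
            if cid not in soa:
                raise KeyError(f"{r.rid} references unknown control {cid}")
            soa[cid].append(r.rid)
    return soa


def unjustified_controls(soa: dict[str, list[str]]) -> list[str]:
    """Controls linked to no risk: either apply them somewhere or argue exclusion."""
    return sorted(cid for cid, rids in soa.items() if not rids)


# Subset of Annex A (ISO/IEC 27001:2022) used by this example.
ANNEX_A = {
    "5.9": "Inventory of information and other associated assets",
    "5.15": "Access control",
    "5.19": "Information security in supplier relationships",
    "6.3": "Information security awareness, education and training",
    "8.8": "Management of technical vulnerabilities",
    "8.13": "Information backup",
    "8.24": "Use of cryptography",
}

# Constructed sample register (hypothetical organisation, owners and scores).
SAMPLE_RISKS = [
    Risk("R1", "ransomware on patient record server", "unpatched OS", 2, 3, "Head of Care", ["8.8", "8.13"]),
    Risk("R2", "cloud EHR supplier outage", "single supplier, no SLA", 2, 2, "Head of Care", ["5.19", "8.13"]),
    Risk("R3", "credential theft via phishing", "no awareness training", 3, 2, "Head of HR", ["5.15", "6.3"]),
    Risk("R4", "defacement of public brochure site", "shared hosting", 1, 1, "Head of Marketing", []),
]
APPETITE = 3  # scores of 3 or below are accepted as-is (agreed up front, step 6)


if __name__ == "__main__":
    for r in treatment_plan(SAMPLE_RISKS, APPETITE):
        print(f"{r.rid} R={r.score()} owner={r.owner} controls={r.controls}")
    soa = statement_of_applicability(SAMPLE_RISKS, ANNEX_A)
    for cid in unjustified_controls(soa):
        print(f"needs SoA justification: {cid} {ANNEX_A[cid]}")
```

Running it lists R1 and R3 (score 6) before R2 (score 4), leaves R4 (score 1) accepted without treatment, and reports 5.9 and 8.24 as the controls the register does not yet justify. The threshold and the scale are deliberately module-level constants: they are the values the risk owners agreed to, and changing them should be a visible, reviewable change rather than a tweak buried in a spreadsheet formula.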

Step 8 – Implement the controls

For each control, draft a policy that describes how it is carried out. Who is responsible? How often is the control executed or reviewed? What are the success criteria? Document the execution itself as well — an auditor wants to see not only the policy, but evidence that the policy is being followed (see also step 4).

In practice, systems and services are frequently provided by third parties — especially in SMEs, and today almost entirely from the cloud. You need to set requirements for these suppliers in terms of performance and security, and capture them in contracts. The rule of thumb: the standards you hold yourself to, you must also hold your suppliers to. Make these agreements measurable, so you can verify compliance. Document this as policy.

Step 9 – Embed the ISMS in the organisation

To ensure continual improvement — a requirement of ISO 27001 — you need to build a feedback loop. That means measuring the effectiveness of your ISMS processes and controls, and periodically reviewing where improvement is needed or desirable.

ISO 27001 prescribes at least two formal evaluation moments. Top management must conduct a management review at planned intervals (in practice at least once a year), assessing the performance of the ISMS and providing direction for improvement. In addition, internal audits must be carried out at planned intervals, by people who are independent of the area being audited.

If you want the ISMS to really deliver — a solid, well-organised approach to information security — you need to integrate it with your management cycle. Do that by making the risk owners (business managers, see step 3) accountable for the risk level within their area of responsibility.

In Closing

This roadmap moves through the ISO 27001 implementation at pace — that is its function. It is not rocket science, and it is not a pointless paperwork exercise. ISO 27001 requires time and attention, but in return you get security, manageability, scalability, and adaptability. Need more support? Visit iso27diy.com.