ISO 27001 can look intimidating because it comes with its own vocabulary — ISMS, SoA, Stage 1 and Stage 2. Strip away the terminology and it’s a sensible, repeatable way to manage information security. Here’s the roadmap.
What you’re actually building: an ISMS
ISO 27001 certifies an Information Security Management System (ISMS) — the governance system around your security program. The standard’s management clauses (roughly clauses 4–10) define that system: understand your context, get leadership commitment, assess risk, set objectives, provide resources, operate controls, evaluate performance, and improve. Annex A provides the catalogue of controls you choose from.
Certification means an accredited body audits your ISMS and, if it conforms, issues a certificate valid for three years with annual surveillance audits.
Step 1: Define scope and context
Decide what the ISMS covers — which products, teams, locations, and information. Document the internal and external issues and the interested parties (customers, regulators) relevant to your security. A tight, honest scope keeps the whole program manageable.
Step 2: Secure leadership and policy
Leadership has to visibly own the ISMS: approve the information security policy, assign roles, and commit resources. This isn’t a formality — auditors look for genuine management engagement.
Step 3: Run a risk assessment
Identify information security risks, analyze and evaluate them, and decide how to treat each one (mitigate, accept, transfer, or avoid). This risk assessment drives everything else — the controls you implement should trace back to risks you’ve identified.
Step 4: Select controls and write the Statement of Applicability
Based on your risk treatment, select controls from Annex A (and any others you need). The Statement of Applicability (SoA) lists each Annex A control, whether it applies, and why. The SoA is a cornerstone document the auditor will scrutinize.
Step 5: Implement and operate
Put the controls to work: access control and reviews, cryptography, operations security, supplier management, incident management, and so on. Set measurable objectives and start generating records — the ISMS has to actually run, not just exist on paper.
Step 6: Internal audit and management review
Two ISO-specific requirements people often overlook:
- Internal audit — periodically audit your own ISMS for conformity and effectiveness, and log findings.
- Management review — leadership formally reviews the ISMS at planned intervals, considering audit results, risks, objectives, and improvements.
Both produce records the certification auditor expects to see.
Step 7: The certification audit
Certification happens in two stages:
- Stage 1 — the auditor reviews your documentation and readiness (ISMS scope, policies, SoA, risk assessment).
- Stage 2 — the auditor tests whether your ISMS operates effectively in practice.
Pass both and you’re certified, subject to closing any nonconformities. Annual surveillance audits keep it live, with recertification every three years.
How it overlaps with SOC 2
The control fundamentals — access, encryption, monitoring, vendor risk, incident response — are shared with SOC 2. If you’ve done SOC 2, you’re well along toward ISO 27001; the main additions are the ISMS governance layer (risk assessment, SoA, internal audit, management review). Map controls once and satisfy both. (See ISO 27001 vs SOC 2.)
How Keel helps
Keel ships an ISO 27001 model with the management clauses and Annex A controls, one-click starter controls, a risk register that feeds your risk treatment, policy templates, and access reviews — all crosswalked so the same work counts toward SOC 2 and others. Internal audit, management review, and a formal SoA workflow are on our roadmap as dedicated modules.
Start free and map your posture against ISO 27001 today.