Home / Guides / ISO 27001 checklist: 8 steps to certification
Guides

ISO 27001 checklist: 8 steps to certification

You won't earn ISO 27001 certification in an afternoon, but a clear checklist makes the journey manageable. Below are the eight steps from scope to certificate — and how to accelerate each one with private AI.

1. Define the scope and context

Determine which processes, locations and systems fall under your information security management system (ISMS). Map stakeholders, legal requirements and your risk context. A sharp scope prevents unnecessary work later.

2. Carry out a risk assessment

Identify information security risks, assess impact and likelihood, and prioritise them. This is the heart of ISO 27001: controls follow from risks, not the other way around.

3. Draft your Statement of Applicability (SoA)

Decide which of the 93 Annex A controls apply and justify inclusion or exclusion. The SoA is a key document for the auditor.

4. Implement the Annex A controls

Roll out the chosen organisational, people, physical and technological controls. Assign owners and plan delivery with clear deadlines.

5. Document policies and procedures

Record policies, roles and procedures — from access control to incident response. Documentation makes your management demonstrable to the auditor.

6. Train staff and build awareness

Most incidents start with people. Provide awareness training and clear agreements on secure behaviour.

7. Run an internal audit and management review

Test your ISMS internally for effectiveness and have management review the results. Fix nonconformities before the external audit.

8. The certification audit (Stage 1 and 2)

An accredited certification body first reviews your documentation (Stage 1) and then how it works in practice (Stage 2). Annual surveillance audits follow to maintain your certificate.

Faster with private AI

SQwaire automates the hardest steps: the private AI agents draft risk assessments and policies, link controls to evidence and prepare audits — on a private LLM, so your data never leaves your environment. Explore the full ISO 27001 platform or book a demo.