Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Compliance & Governance · Download

ISO 27001 Readiness Workbook

A workbook for scoping the ISMS, running the risk assessment, and preparing for Stage 1 and Stage 2 certification audits.

IT KORR Knowledge Center

ISO 27001 Readiness Workbook

A workbook for scoping the ISMS, running the risk assessment, and preparing for Stage 1 and Stage 2 certification audits.

Step 1 — Scope the ISMS

ISO 27001 certifies an Information Security Management System (ISMS), not an entire company by default. A poorly defined scope either creates unmanageable audit burden or leaves out systems that actually matter to customers.

  • Document which business units, locations, systems, and data types are included in the ISMS scope — and explicitly note what is excluded and why.
  • Identify interested parties (customers, regulators, employees) and their information security requirements as scope inputs.
  • Align scope with what customers actually ask about in security questionnaires, so the certificate answers real sales and contractual needs.

Step 2 — Risk Assessment and Statement of Applicability

  • Identify information assets within scope and the risks to their confidentiality, integrity, and availability.
  • Assess likelihood and impact for each identified risk, and determine a risk treatment option (mitigate, accept, transfer, avoid).
  • Work through the Annex A control set and determine which controls are applicable to your identified risks, and which are justifiably excluded.
  • Produce a Statement of Applicability (SoA) documenting every Annex A control, whether it is implemented, and the justification — this is a mandatory certification document.

Step 3 — Implement the PDCA Cycle

  • Plan — define the ISMS policy, objectives, risk assessment methodology, and risk treatment plan.
  • Do — implement the risk treatment plan, controls, and supporting procedures identified in the SoA.
  • Check — conduct internal audits and management reviews to verify the ISMS is operating as designed.
  • Act — address nonconformities and drive continual improvement based on internal audit and review findings.

Step 4 — Certification Audit Stages

  • Stage 1 (documentation review) — the certification body reviews your ISMS documentation, scope, SoA, and risk assessment for completeness before Stage 2 is scheduled.
  • Address any Stage 1 findings before Stage 2 — auditors typically will not proceed if core documentation is missing.
  • Stage 2 (implementation audit) — the certification body verifies the ISMS is actually operating as documented, through evidence review, system checks, and staff interviews.
  • Following certification, expect annual surveillance audits and a full recertification audit on a three-year cycle.

Related Resources

  • ISO 27001 Overview — /knowledge-center/compliance/compliance-governance/iso-27001-overview
  • Cybersecurity Maturity Models Compared — /knowledge-center/compliance/compliance-governance/cybersecurity-maturity-models-compared

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Compliance & Governance Hub for the reasoning behind each recommendation, or use the Compliance Readiness Assessment for a personalized review.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT