IT KORR Knowledge Center
ISO 27001 Readiness Workbook
A workbook for scoping the ISMS, running the risk assessment, and preparing for Stage 1 and Stage 2 certification audits.
Step 1 — Scope the ISMS
ISO 27001 certifies an Information Security Management System (ISMS), not an entire company by default. A poorly defined scope either creates unmanageable audit burden or leaves out systems that actually matter to customers.
- Document which business units, locations, systems, and data types are included in the ISMS scope — and explicitly note what is excluded and why.
- Identify interested parties (customers, regulators, employees) and their information security requirements as scope inputs.
- Align scope with what customers actually ask about in security questionnaires, so the certificate answers real sales and contractual needs.
Step 2 — Risk Assessment and Statement of Applicability
- Identify information assets within scope and the risks to their confidentiality, integrity, and availability.
- Assess likelihood and impact for each identified risk, and determine a risk treatment option (mitigate, accept, transfer, avoid).
- Work through the Annex A control set and determine which controls are applicable to your identified risks, and which are justifiably excluded.
- Produce a Statement of Applicability (SoA) documenting every Annex A control, whether it is implemented, and the justification — this is a mandatory certification document.
Step 3 — Implement the PDCA Cycle
- Plan — define the ISMS policy, objectives, risk assessment methodology, and risk treatment plan.
- Do — implement the risk treatment plan, controls, and supporting procedures identified in the SoA.
- Check — conduct internal audits and management reviews to verify the ISMS is operating as designed.
- Act — address nonconformities and drive continual improvement based on internal audit and review findings.
Step 4 — Certification Audit Stages
- Stage 1 (documentation review) — the certification body reviews your ISMS documentation, scope, SoA, and risk assessment for completeness before Stage 2 is scheduled.
- Address any Stage 1 findings before Stage 2 — auditors typically will not proceed if core documentation is missing.
- Stage 2 (implementation audit) — the certification body verifies the ISMS is actually operating as documented, through evidence review, system checks, and staff interviews.
- Following certification, expect annual surveillance audits and a full recertification audit on a three-year cycle.
Related Resources
- ISO 27001 Overview — /knowledge-center/compliance/compliance-governance/iso-27001-overview
- Cybersecurity Maturity Models Compared — /knowledge-center/compliance/compliance-governance/cybersecurity-maturity-models-compared