Key Takeaways
- ISO 27001:2022 is fully in effect, and all certified organizations must transition by October 31, 2025.
- A readiness assessment is not a formal audit.
- Use a self-assessment checklist to evaluate documentation, scope, risks, and your Statement of Applicability.
- This blog’s 9-step checklist prepares you to pass ISO 27001:2022 Stage 1 and move into full implementation.
- ISO 27001:2022 Stage 2 is about proving controls work.
Every year, thousands of organizations go through the same ISO 27001 compliance process. Some want to prove to customers they take security seriously. Others are driven by contracts, regulations, or insurance requirements. And many are simply trying to formalize what they’ve already been doing informally for years.
Understanding ISO 27001 Certification in 2025
ISO/IEC 27001 is the international gold standard for establishing an Information Security Management System (ISMS).
Here’s what’s especially relevant right now:
- The 2022 version of the standard is now in full effect. Organizations certified under ISO 27001:2013 must transition by October 31, 2025.
- Cyber insurance providers and B2B clients increasingly expect formal certification, especially in sectors like finance, SaaS, healthcare, and defense.
- ISO 27001 isn’t just about IT. It brings information security into governance, operations, HR, vendor management, and strategic planning.
Certification demonstrates that you have built a system to manage and continually improve your information security. It’s important to remember that ISO 27001 certification is not about being perfect; it’s about being systematic.

Is a Readiness Assessment the Same as a Stage 1 Audit?
No, a readiness assessment is not the same as the formal Stage 1 audit.
When we discuss ISO 27001 readiness, we refer to everything that occurs before you invite a certification body to assess your organization. An ISO 27001 self-assessment checklist (which can be conducted internally, by a consultant, or through a GRC platform) serves as your internal audit before the Stage 1 audit.
It checks:
- Do you have all the required documentation in place?
- Is your scope well-defined?
- Do your risk assessments align with your controls?
- Can you walk someone through your SoA and explain each decision?
Begin with a simple ISO 27001 self-assessment to determine how closely you already align with the ISO 27001 requirements.
The 9-Step ISO 27001 Readiness Checklist
This process follows the Plan-Do-Check-Act (PDCA) cycle, which is the foundation of ISO 27001. Think of it as an ongoing cycle of improvement.
1. Initiate the Project
This step sets the foundation. (Warning: Get this part wrong, and everything else becomes harder.)
- Assign ownership. Appoint a project lead (often the CISO or compliance officer) and build a cross-functional team.
- Get leadership support. ISO 27001 requires top management involvement. Without buy-in, policies don’t stick and budgets don’t get approved.
- Define goals. Are you certifying the whole organization or a specific business unit? Cloud-only or hybrid environments?
- Set your timeline. Certification typically takes 6 to 12 months. Build in time for risk remediation, documentation, internal audits, and team training.
2. Define Scope & Context
ISO 27001 doesn’t assume one size fits all.
- Determine your ISMS scope. This defines what’s in and what’s out (systems, processes, teams, physical locations).
- Understand your business context. Identify regulatory obligations, customer requirements, and operational realities.
- Map stakeholders. Who owns the data? Who uses the systems? Who will audit or enforce this?
- Document exclusions carefully. You can’t just say, “We’re not covering this system.” You need to justify why it’s out of scope.
3. Conduct a Gap Analysis
This is your diagnostic checkup.
- Compare your current practices against the ISO 27001:2022 standard. Focus on both the main clauses (4–10) and Annex A controls.
- Document findings. Where are your policies missing? Where are controls informal or inconsistent?
- Use this to prioritize. Build an implementation roadmap with clear owners and deadlines. This also helps justify resource needs to leadership.
4. Build Core Documentation
Documentation is a critical piece of ISO 27001 readiness. But it’s not about paperwork for the sake of it.
- Create your main ISMS policies. These include the Information Security Policy, Risk Management Procedure, Access Control Policy, Incident Response Plan, etc.
- Develop your Statement of Applicability (SoA). This lists which Annex A controls apply to your environment, and why.
- Create supporting documents. Risk register, asset inventory, user role definitions, security objectives, and metrics.
Remember: only document what you can maintain. Review cycles and version control are just as important as the docs themselves.
5. Perform Risk Assessment & Treatment
This is the engine of your ISMS.
- Identify your information assets. Think beyond servers and laptops: include databases, source code, customer data, employee records, etc.
- Assess threats and vulnerabilities. Use a consistent method (e.g., a qualitative risk matrix). ISO doesn’t prescribe one; choose what works for you and apply it the same way every time.
- Evaluate existing controls. Are they effective? Are they documented?
- Define treatment options. For each risk, will you mitigate, accept, transfer, or avoid it?
- Update your SoA accordingly. Every control listed must tie back to a risk or business requirement.
6. Implement Controls
This is where the rubber meets the road.
- Roll out technical, organizational, and physical controls from Annex A (now grouped into 4 domains: Organizational, People, Physical, Technological).
- Train your people. Awareness training is a formal requirement, and it’s also essential for building buy-in.
- Document evidence of implementation. Screenshots, meeting notes, logs, policies: all of it will be needed during the audit.
7. Monitor and Review
This phase proves you’re in it for the long run.
- Run internal audits. These should be independent and cover the full scope. Findings should be logged and followed up.
- Hold a management review. This is a formal, documented meeting where leadership reviews the ISMS performance.
- Track KPIs and incidents. Are there recurring issues? Are controls being bypassed?
- Apply corrective actions. This is your PDCA in motion.
8. Undergo Certification Audit
- Stage 1 Audit: The external auditor will review your ISMS documents and assess your readiness. Gaps will be noted.
- Stage 2 Audit: The auditor will conduct in-depth testing, interviews, and sampling to ensure controls are working in practice.
- Nonconformities? You’ll be given time to fix them and submit evidence.
Once passed, you’ll receive your ISO 27001 certificate, valid for three years, with annual surveillance audits.
9. Maintain & Improve
Certification isn’t the end. It’s part of a cycle.
- Schedule annual surveillance audits. These are less intensive but still review your ISMS effectiveness.
- Update your risk register and SoA regularly. Especially after major changes (new tech, vendors, or markets).
- Refine documentation and controls. Use incidents and audit feedback to guide improvements.
What Stage 1 Auditors Are Looking For
Stage 1 of the ISO 27001 audit is often misunderstood. It’s not a casual review, but it’s not a certification stamp either. It’s the point where an external auditor evaluates whether you’ve laid the groundwork to move on to Stage 2. If you’re a startup or lean team, this can be especially nerve-wracking, but knowing what to expect can make all the difference.
Here’s what auditors have shared about what gets flagged at the Stage 1 ISO 27001 audit:
The Statement of Applicability (SoA) is under a microscope.
Expect detailed questions, especially if you’ve excluded any controls. You’ll need to:
- Show clear justifications for applied and excluded controls.
- Mark each control’s implementation status accurately.
- Align your SoA with your actual risk treatment plan and control environment.
Policies must exist and be owned.
Auditors will check for:
- Assigned owners for each policy.
- Version numbers and last review dates.
- Consistency between policies and the rest of your ISMS.
Risk methodology must be concrete.
Vague language like “we use a qualitative approach” won’t cut it. You should be able to explain:
- Your process for identifying and assessing risks.
- How treatment decisions are made.
- How this ties back to your objectives and SoA.
Policies must match reality.
If you claim to follow a process in writing, be prepared to demonstrate it. Auditors will test alignment.
Internal audits and management reviews must be completed.
These aren’t optional, and they must follow ISO 19011 guidance. Ideally, do these 1–2 months before the Stage 1 audit.
Documented Information is key.
That phrase is scattered throughout the standard. Whenever ISO says something must be “documented,” expect the auditor to ask for it.
Avoid overcommitting.
Don’t write policies or procedures you can’t actually follow yet. This will come back to haunt you during Stage 2.
Don’t treat Annex A as an audit checklist.
Controls should be selected based on risk, not just included because “everyone else has them.”
Senior leaders must be familiar with ISO 27001.
It’s surprising how often this gets missed. If executives cannot articulate their role in the ISMS, it will raise red flags.
What’s New in ISO 27001:2022?
If you’re transitioning from ISO 27001:2013, here’s what’s changed:
- Annex A controls were reorganized into 4 domains (down from 14).
- The number of controls was reduced from 114 to 93, with more clarity and better categorization.
- New controls were added, including:
  - Threat intelligence
  - Physical security monitoring
  - Data masking
  - Web filtering
  - Secure coding practices
Organizations with mature ISMS programs will still need to re-map risks and update documentation.
Centraleyes Gets You To ISO 27001 Readiness
ISO 27001 certification is achievable, but it’s not a quick win. It requires planning, effective communication, and a genuine commitment to enhancing how your organization manages sensitive information.
The good news? You don’t have to do it all at once, and you don’t have to do it alone.
Thousands of organizations have taken this journey. You’re not behind. You’re right on time.
If you want a platform to help manage your risk register, policies, controls, and Statement of Applicability, consider using Centraleyes to streamline your ISO 27001 journey and build a more resilient, audit-ready ISMS.
FAQs
What’s the difference between a readiness assessment and Stage 1?
A readiness assessment is an internal review done before any external audit. Stage 1 is conducted by your certification body to formally assess your documentation and ISMS design.
Do I need a readiness assessment?
Yes, especially if this is your first time seeking ISO 27001 certification. It’s about catching gaps early and avoiding delays during the audit.
What kind of evidence do auditors expect to see?
Policies with version history, meeting notes, risk assessments, proof of training, access control settings, SoA justifications, and live demonstrations of control effectiveness.
Do auditors really check every control?
Not all in detail. Auditors employ a risk-based sampling approach; however, all controls must be thoroughly documented, justified, and traceable.
Can I automate parts of ISO 27001 prep?
Yes. Tools like Centraleyes can help automate documentation tracking, control mapping, evidence collection, and audit readiness.