
ISO 27001 is the international standard for information security management. This checklist guides you through building an ISMS, implementing Annex A controls, and passing your Stage 1 and Stage 2 certification audits.
ISO/IEC 27001 is an internationally recognized standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
The standard takes a risk-based approach to information security, requiring organizations to identify threats and vulnerabilities, assess their impacts, and implement appropriate controls to mitigate risks.
ISO 27001 certification demonstrates to customers, partners, and stakeholders that an organization is committed to protecting information assets and has implemented a comprehensive set of information security controls.
Annex A Controls
Audit Stages
Cycle
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Establish what your information security management system covers
Define the boundaries of your Information Security Management System by identifying the organizational units, locations, assets, and technologies included. A well-defined scope ensures you focus resources where they matter most and sets clear expectations for the certification body.
Identify and evaluate information security risks
ISO 27001 Clause 6.1.2 requires a formal risk assessment process. Identify threats and vulnerabilities to your information assets, evaluate the likelihood and impact of each risk, and prioritize them to determine which controls are needed.
Decide how to address each identified risk
For every risk above your acceptance threshold, decide whether to mitigate, transfer, avoid, or accept it. The risk treatment plan maps each risk to specific Annex A controls and documents the rationale for your treatment decisions.
Create the mandatory documentation for your ISMS
ISO 27001 requires specific documented information including an ISMS policy, risk assessment records, and operational procedures. These policies form the governance backbone of your security management system and guide day-to-day operations.
Implement the 93 controls from the 2022 standard
Annex A of ISO 27001:2022 contains 93 controls organized into four themes: Organizational, People, Physical, and Technological. Implement each applicable control as specified in your Statement of Applicability, using ISO 27002 as implementation guidance.
Verify your ISMS meets the standard before the certification body arrives
ISO 27001 Clause 9.2 requires an internal audit to evaluate whether your ISMS conforms to the standard and your own requirements. An effective internal audit catches issues early and demonstrates your commitment to continual improvement.
Ensure leadership oversight and continual improvement
Clause 9.3 requires top management to review the ISMS at planned intervals. This review evaluates the overall performance of the ISMS, addresses changes in the risk landscape, and allocates resources for continual improvement.
Achieve ISO 27001 certification through the two-stage audit
The certification audit is conducted in two stages by an accredited certification body. Stage 1 is a documentation review to confirm your ISMS is ready for the full assessment. Stage 2 is an on-site evaluation of how effectively your ISMS operates in practice.
Feeling overwhelmed? You don't have to do this alone.
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
Including preparation, tooling, and assessment fees
Depending on current maturity and scope
Independent verification of your compliance
Compliance management and evidence collection tools
SIEM, EDR, vulnerability scanning, encryption tools
Hundreds of hours across IT, security, and leadership
Annual reviews, continuous monitoring, recertification
The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:
The question isn't whether you can afford compliance — it's whether you can afford not to have it.

Illumen specializes in helping organizations achieve ISO 27001 compliance — from initial assessment through certification. We meet you wherever you are in the journey.
Know exactly where you stand against requirements
Close gaps with expert guidance and support
Policies, procedures, and evidence packages
Common questions about ISO 27001 compliance and certification.