ISO 27001 Requirements Checklist (What You Need Before Certification)


If you are a business owner thinking about ISO 27001 certification, you are probably asking the same question we hear all the time: What do I actually need in place before I go for it?

ISO 27001 is the internationally recognised standard for information security management. It helps organisations protect sensitive data, manage risks, and give customers confidence that information is handled properly. While it might sound complex at first, breaking it down into a clear checklist makes it far more manageable.

Here is a practical, plain-English overview of the key ISO 27001 requirements you should have in place before certification.

A clear scope for your ISMS

The first step is defining the scope of your Information Security Management System, often referred to as the ISMS. This sets the boundaries of what ISO 27001 will cover within your business.

For some organisations, the scope might include the entire company. For others, it may focus on specific departments, locations, or services. What matters is that the scope is clearly documented and makes sense for how your business operates.

A well-defined scope helps auditors understand your environment and prevents confusion later in the certification process.

An information security policy

Every ISO 27001 certified business needs an information security policy. This is a high-level document that explains your commitment to protecting information and sets the direction for your security objectives.

It should outline responsibilities, describe how information security supports your business goals, and be approved by top management. Just as importantly, it should be communicated to your team so everyone understands their role in keeping data secure.

Risk assessment and risk treatment plan

Risk management sits at the heart of ISO 27001. You will need a documented process for identifying information security risks, assessing their likelihood and impact, and deciding how to treat them. The standard also expects you to define up front the criteria you use for assessing risks and for deciding which risks you are prepared to accept, so that the results are repeatable and comparable from one assessment to the next.

This includes:

  • Identifying threats and vulnerabilities
  • Evaluating risks to confidentiality, integrity, and availability
  • Assigning an owner to each risk
  • Deciding whether to mitigate, transfer, accept, or avoid each risk

Alongside this, you will need a risk treatment plan that clearly shows what controls you have chosen and why. The plan, and any residual risk that remains after treatment, should be formally approved by the risk owners.

Statement of Applicability (SoA)

The Statement of Applicability is one of the most important ISO 27001 documents. It lists every control from Annex A of the standard (93 controls in the 2022 edition), plus any additional controls you have adopted from other sources, and explains which ones apply to your business.

For each control, you must state whether it is implemented, not applicable, or planned, along with a justification. Excluded controls need a reason too, and that reason should trace back to your risk assessment. Auditors will check this document against what they see on site, so it needs to accurately reflect what is happening in practice rather than what you intend to do later.

Documented procedures and records

ISO 27001 does not require excessive paperwork, but certain procedures and records are essential, and you need a way of controlling them so that the current version is the one people use. These typically cover areas such as:

  • Access control
  • Incident management
  • Asset management
  • Supplier and third-party security
  • Backup and business continuity

The key is that procedures are realistic, followed by your team, and kept up to date.

Staff awareness and training

Your systems and policies are only effective if your people understand them. ISO 27001 requires that employees are aware of information security risks and know how to act responsibly.

This does not need to be complicated. Regular training, clear guidance, and simple reminders can go a long way in building a strong security culture across your business.

Internal audits

Before you can be certified, you must carry out internal audits of your ISMS. These audits check whether your processes are working as intended and highlight any gaps that need to be addressed.

Internal audits should be planned, documented, and carried out by someone who is independent of the area being audited, so nobody is checking their own work. Findings should be recorded and lead to corrective actions where needed, and the certification auditor will expect to see evidence that those actions were followed through.

Management review

Top management involvement is a core requirement of ISO 27001. A management review brings everything together by reviewing audit results, risks, incidents, and improvement opportunities.

This shows that information security is taken seriously at the leadership level and aligned with the wider business strategy.

Continual improvement mindset

ISO 27001 is not a one-off exercise. Certification is about demonstrating continual improvement. You should have processes in place to identify issues, take corrective action, and improve your ISMS over time.

Auditors want to see that your system is living and evolving, not just written for the sake of passing an audit.

Getting ready for certification

Preparing for ISO 27001 can feel daunting, especially alongside day-to-day business pressures. Having expert support can make the journey clearer, faster, and far less stressful.

With the right preparation and a clear checklist, ISO 27001 becomes a practical framework that strengthens your business, protects your data, and builds trust with your customers.
