ISO 27001 | Compliance | Information Security | ISMS Certification

ISO 27001 Compliance Checklist: A Step-by-Step Guide to ISMS Certification in 2026

A practical, step-by-step guide to ISO 27001 compliance and ISMS certification. Covers all management system clauses, the 93 Annex A controls, implementation phases, and common mistakes to avoid.

Flow Team | GRC Insights | January 28, 2026 | 4 min read

ISO 27001 remains the gold standard for information security management system (ISMS) certification. Whether you're pursuing certification for the first time or maintaining an existing ISMS, having a clear roadmap makes the difference between a smooth audit and a scramble.

What ISO 27001 Requires

At its core, ISO 27001 requires you to:

  1. Establish an Information Security Management System (ISMS)
  2. Implement controls proportionate to your risk
  3. Monitor and measure effectiveness
  4. Continuously improve the system

The standard has two parts: the mandatory management system clauses (4-10), and Annex A, a reference list of controls (93 controls across 4 themes in the 2022 revision) that you select from, and justify selections against, through your risk assessment.

ISO 27001 Management System Clauses

Clause 4: Context of the Organization

  • Define the scope of your ISMS
  • Identify interested parties and their requirements
  • Document internal and external issues that affect information security

Clause 5: Leadership

  • Obtain top management commitment (this is audited — it can't be lip service)
  • Establish an information security policy
  • Assign roles, responsibilities, and authorities

Clause 6: Planning

  • Conduct a formal risk assessment
  • Produce a Statement of Applicability (SoA)
  • Define risk treatment plans with clear ownership and timelines
  • Set measurable information security objectives

Clause 7: Support

  • Allocate resources for the ISMS
  • Ensure competence through training and awareness programs
  • Establish communication channels
  • Control documented information (policies, procedures, records)

Clause 8: Operation

  • Execute your risk treatment plans
  • Implement operational controls
  • Manage outsourced processes and third-party risk

Clause 9: Performance Evaluation

  • Monitor, measure, and analyze ISMS effectiveness
  • Conduct internal audits (at planned intervals)
  • Perform management reviews

Clause 10: Improvement

  • Address nonconformities with corrective actions
  • Drive continual improvement of the ISMS

ISO 27001:2022 Annex A — The 93 Controls

The 2022 revision reorganized controls into four themes:

Theme           Controls   Examples
Organizational  37         Policies, roles, threat intelligence, cloud security
People          8          Screening, awareness, remote working
Physical        14         Perimeters, equipment, secure disposal
Technological   34         Access control, encryption, logging, secure development

You don't need to implement every control: your risk assessment determines which are necessary, and Clause 6.1.3 has you compare that result against Annex A to confirm nothing necessary was missed. The Statement of Applicability records every Annex A control, whether it applies, and the justification either way; an excluded control needs a documented reason just as an included one does, and legal or contractual obligations can make a control necessary even when no assessed risk cites it.

ISO 27001 Implementation Timeline and Checklist

Phase 1: Foundation (Weeks 1-4)

  • Define ISMS scope and boundaries
  • Conduct gap analysis against ISO 27001 requirements
  • Get executive sponsorship documented
  • Establish the information security policy

Phase 2: Risk Assessment (Weeks 5-8)

  • Choose a risk assessment methodology
  • Identify information assets and their owners
  • Assess threats, vulnerabilities, and impacts
  • Produce the risk register with treatment decisions
  • Draft the Statement of Applicability
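To make the link between these Phase 2 outputs concrete, here is an added example (it is not the article's code, nor any GRC platform's) of a semi-quantitative risk register feeding a Statement of Applicability. The likelihood and impact scales, the risk appetite threshold, the assets, owners, scores and the baseline obligation are constructed assumptions; the control numbers are real ISO 27001:2022 Annex A IDs, but only a handful of the 93 are listed, so the catalogue is deliberately partial.

```python
"""Semi-quantitative risk assessment that feeds a Statement of Applicability.

Constructed example: assets, risks, scores, the risk appetite and the
control subset are made up for illustration. Control IDs are real
ISO 27001:2022 Annex A numbers, but this is a partial catalogue, not all 93.
"""
from collections import defaultdict
from dataclasses import dataclass

RISK_APPETITE = 6  # assumption: likelihood x impact at or below this is retained

# Partial Annex A catalogue (assumption: a real SoA lists every control)
ANNEX_A = {
    "5.15": "Access control",
    "5.23": "Information security for use of cloud services",
    "6.3": "Information security awareness, education and training",
    "7.14": "Secure disposal or re-use of equipment",
    "8.5": "Secure authentication",
    "8.15": "Logging",
    "8.24": "Use of cryptography",
    "8.28": "Secure coding",
}

# Controls required regardless of risk scores, e.g. by contract or law (assumed)
BASELINE = {"6.3": "customer contracts require annual awareness training"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: tuple = ()     # Annex A controls applied if the risk is modified

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def treatment(self) -> str:
        # Only the two most common ISO 27005 options are modelled here;
        # "avoid" and "share" would be explicit decisions by the risk owner.
        return "retain" if self.score <= RISK_APPETITE else "modify"


# Constructed risk register
RISKS = [
    Risk("R-01", "Customer DB (prod)", "Head of Eng", "credential stuffing",
         "no MFA on admin console", 4, 5, ("5.15", "8.5", "8.15")),
    Risk("R-02", "Staff laptops", "IT Lead", "theft", "disk not encrypted",
         3, 4, ("8.24", "7.14")),
    Risk("R-03", "Marketing site", "Marketing", "defacement",
         "stale CMS plugin", 2, 2),
    Risk("R-04", "CI pipeline", "Head of Eng", "malicious dependency",
         "no code review on infra repo", 3, 3, ("8.28",)),
]


def risk_register(risks):
    """Rows for the risk register: score and treatment decision per risk."""
    return [
        {"id": r.risk_id, "asset": r.asset, "owner": r.owner,
         "score": r.score, "treatment": r.treatment()}
        for r in risks
    ]


def statement_of_applicability(risks, catalogue, baseline):
    """Derive applicability and justification for each catalogued control."""
    reasons = defaultdict(list)
    for r in risks:
        if r.treatment() == "modify":
            for cid in r.controls:
                reasons[cid].append(f"treats {r.risk_id} (score {r.score})")
    for cid, why in baseline.items():
        reasons[cid].append(why)

    soa = {}
    for cid, name in catalogue.items():
        if cid in reasons:
            soa[cid] = {"name": name, "applicable": True,
                        "justification": "; ".join(reasons[cid])}
        else:
            # Never auto-exclude: a control no risk cites still needs a
            # documented decision, because contracts, law or the Clause 6.1.3
            # comparison against Annex A may make it necessary anyway.
            soa[cid] = {"name": name, "applicable": None,
                        "justification": "no linked risk; decide and justify"}
    return soa


def undecided_controls(soa):
    """Controls the SoA cannot yet justify either way; close these before Stage 1."""
    return sorted(cid for cid, row in soa.items() if row["applicable"] is None)


if __name__ == "__main__":
    for row in risk_register(RISKS):
        print(f"{row['id']} {row['asset']:<20} score={row['score']:>2} {row['treatment']}")
    soa = statement_of_applicability(RISKS, ANNEX_A, BASELINE)
    for cid, row in soa.items():
        print(f"A.{cid:<5} {row['applicable']!s:<5} {row['name']}: {row['justification']}")
    print("undecided:", undecided_controls(soa))
```

The last branch carries the caveat auditors care about: a control that no assessed risk happens to cite is not thereby "not applicable". Treat each such control as an open decision with a written justification for inclusion or exclusion, and clear the undecided list before the Stage 1 documentation review.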

Phase 3: Implementation (Weeks 9-16)

  • Implement selected Annex A controls
  • Develop required procedures and work instructions
  • Roll out security awareness training
  • Establish incident management process
  • Configure monitoring and logging

Phase 4: Operate and Measure (Weeks 17-20)

  • Operate the ISMS long enough to generate records (access reviews, incident tickets, change approvals, training completions) that show controls running, not just designed
  • Collect evidence of control effectiveness against the objectives set under Clause 6
  • Track and resolve nonconformities
  • Conduct internal audit

Phase 5: Certification Audit (Weeks 21-24)

  • Perform management review
  • Address internal audit findings
  • Engage the certification body for Stage 1 (the auditor reviews ISMS documentation and confirms readiness for Stage 2)
  • Complete Stage 2 (the auditor tests that controls operate as documented; major nonconformities must be closed before the certificate is issued)

ISO 27001 Implementation Tips

Start with what you have. Most organizations already have many controls in place — they just aren't documented or mapped to ISO 27001. A gap analysis usually reveals you're further along than expected.

Automate evidence collection. Auditors want proof that controls operate consistently. A GRC platform that links controls to evidence and tracks effectiveness over time saves enormous effort during audit prep.

Don't over-engineer. The standard requires controls proportionate to risk. A 50-person SaaS company doesn't need the same control environment as a multinational bank. Right-size your ISMS.

Treat it as a business tool, not a checkbox. The best ISMS implementations improve decision-making, reduce incidents, and build customer trust — the certificate is a byproduct.

Frequently Asked Questions

How long does it take to get ISO 27001 certified?
ISO 27001 certification typically takes 5-6 months from start to finish. This includes 4 weeks for foundation (scoping, gap analysis, policy), 4 weeks for risk assessment, 8 weeks for control implementation, 4 weeks for operating and measuring the ISMS, and 4 weeks for the two-stage certification audit. That plan assumes a tightly defined scope and staff who can dedicate time to it; a wider scope, slow remediation of gaps, and certification-body scheduling lead times commonly stretch it. Organizations with existing security controls may move faster since much of the work involves documenting and mapping what's already in place.
What are the ISO 27001 Annex A controls?
ISO 27001:2022 Annex A contains 93 controls organized into 4 themes: Organizational (37 controls covering policies, roles, threat intelligence, cloud security), People (8 controls covering screening, awareness, remote working), Physical (14 controls covering perimeters, equipment, secure disposal), and Technological (34 controls covering access control, encryption, logging, secure development). Your risk assessment determines which controls apply to your organization.
What is a Statement of Applicability in ISO 27001?
The Statement of Applicability (SoA) is a required ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable or not applicable to your organization, with a justification in either case. For applicable controls, it records their implementation status (implemented or not yet) and how they are implemented. The SoA is one of the first documents auditors review and directly links your risk assessment to your control environment.
How much does ISO 27001 certification cost?
ISO 27001 certification costs depend on organization size and complexity. For a small-to-mid-size company (50-250 employees), expect $15,000-50,000 total including: certification body audit fees ($5,000-15,000), consultant or GRC platform costs ($5,000-25,000/year), and internal staff time for implementation. Ongoing annual surveillance audits cost roughly 30-50% of the initial certification audit fee.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international standard requiring a formal ISMS with a defined risk assessment and Annex A controls; it results in a certificate valid for 3 years, subject to annual surveillance audits and a recertification audit at the end of the cycle. SOC 2 is a US-based assurance framework built on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); it results in an auditor's report, either Type I (control design at a point in time) or Type II (operating effectiveness over a period). Many organizations pursue both: ISO 27001 for international credibility and SOC 2 for US enterprise customers. A GRC platform can map controls to both simultaneously.