
ISO 27001 Pre-Certification Guide — the honest readiness roadmap.

Most organisations approach ISO/IEC 27001 certification with the wrong question. It's not "how do we pass the audit" — it's "how do we build an Information Security Management System that actually manages information security risk." The difference determines whether certification is a credibility asset or an expensive wallpaper exercise.

This guide covers the real pre-certification journey — gap analysis, ISMS scoping, Statement of Applicability, internal audit preparation, and what no one tells you about why most implementations fail. Written by practitioners who hold ISO 27001 certification themselves.

01 / What it actually is

ISO 27001 is a management system standard — not a security checklist.

ISO/IEC 27001:2022 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The key word is system. Not a list of controls. Not a penetration test. A documented, risk-driven management process that your organisation can demonstrate and defend.

The 2022 revision reorganised Annex A from 114 controls across 14 domains into 93 controls across four themes: Organisational, People, Physical, and Technological. Organisations certified to the 2013 standard have a transition deadline — if you're still referencing the old structure, your SoA needs reviewing.

What certification actually means: An accredited Certification Body has audited your ISMS against the standard's requirements and concluded that it conforms. It means your management system for information security was operating and documented at the time of the audit. It does not mean you are impenetrable, unbreachable, or immune to risk.

What ISO 27001 covers
Risk assessment methodology, ISMS documentation, leadership commitment, objectives and planning, operational controls, performance evaluation, internal audit, management review, continual improvement.
What ISO 27001 does not cover
Specific technical configurations, absolute security outcomes, incident response capability, penetration test results, or compliance with other standards (APRA CPS 234, Essential Eight, PCI DSS).
ISO 27001 + ISO 27002
ISO 27001 is the requirements standard (what you must do). ISO 27002 is the guidance document (how to do it). Your certification is against 27001. 27002 is a reference, not a requirement.
Certification audit stages
Stage 1 (documentation review) → Stage 2 (implementation audit) → Certification issued → Surveillance audits (annually) → Recertification (every 3 years).
02 / The honest truth

What the audit bodies and consultants don't tell you.

Before you invest in certification, you need to hear some things that most ISO 27001 consultants won't say — because their business model depends on telling you it's straightforward.

Certification is not the same as being secure. Many organisations achieve ISO 27001 certification while having material security weaknesses. The ISMS conformed to the standard. The risks were documented. The controls were implemented. And yet the environment remained genuinely vulnerable in ways the ISMS didn't adequately address. Certification is a credibility signal and a management discipline — it is not a security guarantee.

Things worth knowing before you start

The scope decision is the most important decision you'll make. A narrowly scoped ISMS that achieves certification quickly and cheaply may actually reduce your credibility with sophisticated buyers who notice the exclusions. A scope that's too broad will consume your team and take years. Getting the scope right — honest about your environment, credible to your market, achievable for your organisation — is harder than it sounds.

Documentation will consume more time than you expect. The ISMS requires policies, procedures, risk assessments, risk treatment plans, Statements of Applicability, internal audit records, and management review evidence. For a medium-sized organisation attempting certification without dedicated resource, documentation alone typically takes 3–6 months. If you're relying on a part-time internal resource, double that estimate.

Risk assessment is not a one-time exercise. The standard requires a repeatable methodology, documented risk criteria, and evidence that risk treatment decisions are connected to control selection. Many organisations document risk once, pass the audit, then let the risk register stagnate. This creates a surveillance audit problem — and an actual security problem.

Management commitment must be real, not nominal. The standard requires evidence of leadership commitment — policy endorsement, resource allocation, ISMS objectives integrated into business planning. Auditors look for this. A policy signed by a CEO who has never engaged with the ISMS is a finding. The C-suite needs to genuinely understand and support what they're signing.

03 / The roadmap

Pre-certification in six honest phases.

Most organisations take 9–18 months from project initiation to Stage 2 certification. The variables are scope complexity, existing security maturity, internal resource availability, and the quality of external support. Here's what each phase actually involves.

Phase 01 / 4–8 weeks / Gap Analysis & Current-State Assessment

Understand where you are before you plan where you're going. A structured gap analysis maps your existing controls, documentation, and practices against ISO 27001 requirements — identifying what's absent, what's partial, and what's already in place.

  • Review existing policies, procedures, and security controls
  • Interview key stakeholders across IT, HR, Legal, Operations
  • Map existing practices to ISO 27001 Annex A controls
  • Identify critical gaps and estimate remediation effort
  • Produce prioritised gap report and roadmap

Phase 02 / 2–4 weeks / ISMS Scope Definition

Define the boundaries of your ISMS — what's included, what's explicitly excluded, and why. The scope statement must be specific enough to be defensible and broad enough to be credible to your target market.

  • Define organisational boundaries (legal entities, sites, functions)
  • Identify interfaces and dependencies with out-of-scope systems
  • Document the rationale for inclusions and exclusions
  • Validate scope against market expectations and regulatory requirements

Phase 03 / 4–8 weeks / Risk Assessment & Treatment

The core of ISO 27001. A documented, repeatable methodology that identifies information security risks, evaluates their likelihood and impact, and determines treatment options — mitigate, accept, transfer, or avoid.

  • Define risk assessment methodology and risk acceptance criteria
  • Identify information assets and associated risks
  • Evaluate and score risks against agreed criteria
  • Produce Risk Treatment Plan with control selections
  • Obtain management sign-off on risk acceptance decisions

Phase 04 / 6–12 weeks / Documentation & Control Implementation

Build the mandatory ISMS documentation set and implement the controls selected in your Risk Treatment Plan. This is typically the longest phase and the one most organisations underestimate.

  • Author mandatory policies (IS Policy, Acceptable Use, Access Control, etc.)
  • Produce Statement of Applicability
  • Implement technical and organisational controls from Annex A
  • Build ISMS document management system
  • Establish security objectives and measurement framework

Phase 05 / 4–6 weeks / Internal Audit & Management Review

Before Stage 2, you need evidence that your ISMS is operating. An internal audit identifies non-conformities before the certification body does. Management review documents leadership engagement.

  • Conduct internal audit against ISO 27001 requirements
  • Document findings, nonconformities, and corrective actions
  • Hold formal management review with documented outputs
  • Close identified nonconformities before Stage 2
  • Compile Stage 2 evidence package

Phase 06 / 4–8 weeks / Certification Audit (Stage 1 & Stage 2)

The certification body conducts a Stage 1 documentation review (can be remote), then a Stage 2 on-site implementation audit. Major Nonconformities must be closed before certification is issued.

  • Stage 1: Submit documentation for CB review (typically 1–2 days remote)
  • Address any Stage 1 findings before Stage 2
  • Stage 2: On-site audit of ISMS implementation (1–5 days depending on scope)
  • Respond to any nonconformities with corrective action evidence
  • Certification issued within 2–4 weeks of successful Stage 2
04 / Pre-audit checklist

Gap analysis: what to look for before engaging a certification body.

Use this checklist to self-assess your readiness across the mandatory clauses of ISO 27001:2022 (Clauses 4–10). Tick off what's genuinely in place — not what's planned or partially implemented.

  • Context of the organisation (Clause 4)
    Documented internal and external issues affecting information security. Interested parties (regulators, customers, suppliers) identified with their requirements. ISMS scope defined and documented.
    Medium effort to establish
  • Leadership & commitment (Clause 5)
    Executive team actively demonstrates commitment to the ISMS. Documented information security policy endorsed at the highest level. Roles and responsibilities formally assigned and communicated.
    High effort — requires genuine executive engagement
  • Risk assessment methodology (Clause 6)
    Documented, repeatable risk assessment process with defined risk criteria. Risks identified, assessed, and evaluated. Risk treatment plan connects treatment decisions to control selection in Annex A.
    High effort — core ISMS discipline
  • ISMS objectives (Clause 6.2)
    Measurable information security objectives consistent with the security policy. Integrated into business planning, resourced, and monitored.
    Medium effort
  • Resource, competence & awareness (Clause 7)
    Evidence that personnel with IS responsibilities are competent. Security awareness training with documented completion records. Communication of IS policy and objectives evidenced.
    Medium effort
  • Statement of Applicability (Clause 6.1.3 / Annex A)
    SoA produced listing all 93 Annex A controls with inclusion/exclusion decisions and documented rationale for exclusions. Signed off by management and version-controlled.
    High effort — non-negotiable audit document
  • Operational controls (Clause 8)
    Controls in your risk treatment plan implemented. Documented procedures for change management, access control, incident management, supplier management, and business continuity.
    High effort — implementation phase
  • Performance evaluation (Clause 9)
    Monitoring, measuring, and evaluating ISMS performance against defined objectives. Evidence of an internal audit programme. Management review conducted with documented outputs.
    High effort — must precede Stage 2
  • Continual improvement (Clause 10)
    Documented process for handling nonconformities. Evidence of corrective actions raised, investigated, and closed. Mechanism for identifying improvement opportunities beyond nonconformities.
    Lower effort — but must demonstrate operating history
05 / ISMS scoping

Getting scope right — the decision that determines everything else.

The scope of your ISMS determines which assets, processes, locations, and people are covered by certification. It directly affects certification cost, timeline, and credibility. Most organisations get this wrong in one of two ways: scoping too broadly (creating an unmanageable implementation) or too narrowly (creating a certification that sophisticated buyers don't trust).

Scope variables to consider

Organisational scope: Which legal entities, business units, or functions are in scope? If you have subsidiaries or joint ventures with different IT environments, clarify their inclusion or exclusion explicitly.

Physical scope: Which sites and facilities are included? Auditors will sample evidence across all in-scope locations. Remote and hybrid work arrangements complicate this — think carefully about how home working environments are addressed.

Technology scope: Which systems, applications, and infrastructure are included? Scoping around specific systems (e.g., "the systems supporting our managed security services") is common and defensible — but interfaces with out-of-scope systems must be documented.

The market credibility question: Before you finalise scope, ask yourself — "If a procurement manager from a bank or government agency saw this scope statement, would they consider our certification meaningful?" If the answer is uncertain, revisit the scope. ISO 27001 certification has credibility value precisely because sophisticated buyers understand what it covers.

06 / Statement of Applicability

The Statement of Applicability — what it is and why it matters.

The Statement of Applicability (SoA) links your risk treatment decisions to the 93 controls in Annex A. It is, in practice, one of the most audited documents in your ISMS — and one of the most commonly misunderstood.

For each of the 93 Annex A controls, your SoA must state: (a) whether the control is included or excluded, (b) the justification for that decision, and (c) the implementation status if included.

Controls can be excluded only if there is documented justification — typically that no relevant risk requires the control, or that it's not applicable to your scope. Auditors will probe exclusions. "We don't have physical premises" is legitimate. "It's too expensive to implement" is not.

Common SoA mistake: Declaring controls as "implemented" when they're partially implemented or planned. Auditors will test implementation against your SoA declarations. A control declared "implemented" with no evidence is a nonconformity — and potentially a Major NC that delays certification.
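The checks described in the Risk Assessment & Treatment phase (risks scored against agreed criteria, treatment decisions linked to Annex A control selection, management sign-off on acceptance) and in this section (all 93 controls addressed, exclusions justified, "implemented" backed by evidence) can be scripted against the ISMS records before an auditor does the same by hand. The following Python is an added example, not tooling from this guide or from Cliffside; the 5×5 scoring matrix, the acceptance threshold, the evidence reference format and every risk and SoA record in it are constructed for illustration. The Annex A identifier list (5.1–5.37, 6.1–6.8, 7.1–7.14, 8.1–8.34) matches the 2022 control set.

```python
"""Cross-checks between a risk register, its treatment decisions and a
Statement of Applicability (SoA) for ISO/IEC 27001:2022 Annex A.

Added worked example, not part of the original guide. The scoring matrix,
acceptance threshold, evidence references and all risk/SoA records below are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Annex A (2022): 37 organisational + 8 people + 14 physical + 34 technological = 93.
ANNEX_A_2022 = (
    [f"5.{i}" for i in range(1, 38)]
    + [f"6.{i}" for i in range(1, 9)]
    + [f"7.{i}" for i in range(1, 15)]
    + [f"8.{i}" for i in range(1, 35)]
)

# Assumed risk criteria: 5x5 likelihood x impact. Scores <= 4 may be accepted
# as-is; anything higher needs treatment or a named sign-off for acceptance.
ACCEPTANCE_THRESHOLD = 4
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # 1..5
    impact: int              # 1..5
    treatment: str
    controls: list[str] = field(default_factory=list)  # Annex A ids selected
    accepted_by: str = ""    # management sign-off for accepted risks

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoaEntry:
    control_id: str
    included: bool
    justification: str
    status: str = ""                       # implemented | partial | planned
    evidence: list[str] = field(default_factory=list)


def validate(risks: list[Risk], soa: list[SoaEntry]) -> list[str]:
    """Return audit-style findings; an empty list means the records agree."""
    findings = []
    entries = {e.control_id: e for e in soa}

    # The SoA must address every Annex A control, and only Annex A controls.
    for cid in sorted(set(ANNEX_A_2022) - set(entries)):
        findings.append(f"SoA: control {cid} not addressed")
    for cid in sorted(set(entries) - set(ANNEX_A_2022)):
        findings.append(f"SoA: unknown control id {cid}")

    for e in soa:
        if not e.included and not e.justification.strip():
            findings.append(f"SoA: {e.control_id} excluded without justification")
        if e.included and not e.status:
            findings.append(f"SoA: {e.control_id} included but no implementation status")
        if e.included and e.status == "implemented" and not e.evidence:
            findings.append(f"SoA: {e.control_id} declared implemented with no evidence")

    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
            continue
        if r.treatment == "accept" and r.score > ACCEPTANCE_THRESHOLD and not r.accepted_by:
            findings.append(f"{r.risk_id}: score {r.score} above threshold accepted without sign-off")
        if r.treatment == "mitigate":
            if not r.controls:
                findings.append(f"{r.risk_id}: mitigate with no Annex A controls selected")
            for cid in r.controls:
                e = entries.get(cid)
                if e is None or not e.included:
                    findings.append(f"{r.risk_id}: selected control {cid} is not included in the SoA")
                elif e.status != "implemented":
                    findings.append(f"{r.risk_id}: selected control {cid} is '{e.status}', treatment still open")
    return findings


def sample_soa() -> list[SoaEntry]:
    """Constructed SoA: every control implemented with an evidence reference,
    then a handful of deliberate defects of the kinds auditors probe."""
    soa = {cid: SoaEntry(cid, True, "Addresses risks in register", "implemented", [f"EVD-{cid}"])
           for cid in ANNEX_A_2022}
    soa["7.4"] = SoaEntry("7.4", False, "")   # exclusion with no rationale
    soa["5.20"].evidence = []                 # "implemented", nothing to show
    soa["5.7"].status = ""                    # included, status never set
    soa["8.24"].status = "planned"            # relied on by R-02 below
    del soa["8.34"]                           # silently dropped from the SoA
    return list(soa.values())


# Constructed risk register / treatment plan.
SAMPLE_RISKS = [
    Risk("R-01", "SaaS vendor holds customer data; no IS clauses in contract", 4, 4, "mitigate", ["5.19", "5.20"]),
    Risk("R-02", "Loss of unencrypted laptop", 3, 4, "mitigate", ["8.1", "8.24"]),
    Risk("R-03", "Shoulder-surfing in co-working space", 2, 2, "accept"),
    Risk("R-04", "Ransomware via phishing", 4, 5, "accept"),
    Risk("R-05", "Legacy system outage", 3, 3, "mitigate"),
]

if __name__ == "__main__":
    for line in validate(SAMPLE_RISKS, sample_soa()):
        print(line)
```

Run as a script it lists seven findings for the constructed data: the missing control 8.34, the unjustified exclusion of 7.4, 5.7 with no status, 5.20 declared implemented without evidence, R-02 relying on a control that is still only planned, R-04 accepted above the threshold with no sign-off, and R-05 marked "mitigate" with no control selected. Each of these maps to a surveillance or Stage 2 finding the guide warns about; the point of running it early is that the register, treatment plan and SoA are three documents that drift apart unless something reconciles them.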

07 / What goes wrong

The seven mistakes that delay or devalue ISO 27001 certification.

These are the patterns we see most consistently — across organisations of every size, every sector. None of them are inevitable. All of them are avoidable with honest planning.

  • Treating certification as the objective
    Organisations that pursue certification as an end goal — rather than as evidence of a well-managed ISMS — tend to build compliant documentation over genuine controls. The result is a certification that doesn't reflect actual security posture and an ISMS that stagnates after audit.
    Build your ISMS to manage actual information security risk. Certification will follow.
  • Under-resourcing the project
    ISO 27001 for a mid-sized organisation requires significant internal time — typically 0.5–1.0 FTE for 9–12 months, plus senior management time for governance. Assigning it to an already-overloaded IT manager alongside BAU consistently blows out timelines.
    Allocate dedicated resource before you begin. Estimate generously. Approval gaps are the top delay cause.
  • Copying policy templates without customisation
    Generic ISO 27001 policy template packs are widely used. Auditors recognise them immediately. A policy that doesn't reflect your actual environment, systems, and organisational structure is worse than no policy — it demonstrates that management hasn't engaged with its own ISMS.
    Every mandatory document must reflect your actual organisation. Templates are a starting point, not a deliverable.
  • Scoping to avoid hard work
    Organisations sometimes narrow scope specifically to exclude their most complex or least-controlled systems. Auditors — and sophisticated buyers — recognise when a scope has been drawn to minimise audit exposure rather than to genuinely represent the organisation's information security perimeter.
    Scope should reflect the boundaries that matter to your stakeholders. If you're excluding significant systems, document why honestly.
  • Letting the risk register stagnate post-certification
    ISO 27001 requires continual improvement and evidence of an ongoing risk management process. Many organisations treat risk assessment as a one-time pre-certification exercise. When the surveillance auditor arrives 12 months later and finds an unchanged risk register with no review evidence, it's a finding.
    Schedule risk review as a recurring management activity — quarterly for high-risk environments, half-yearly for stable ones.
  • Ignoring supplier management (Annex A 5.19–5.22)
    In cloud-heavy environments, a significant portion of your information security risk is held by third parties — cloud providers, SaaS vendors, managed service providers. ISO 27001 requires supplier relationships to be managed with IS requirements specified in contracts and monitored throughout.
    Build a supplier register, assess each supplier's security posture proportionately, and ensure contracts include IS requirements.
  • Choosing the cheapest certification body
    Not all accredited certification bodies are equal in rigour or market recognition. A certificate from a body with limited industry recognition may not satisfy your target clients — particularly in financial services and government. Research which CBs your key customers and regulators recognise before committing.
    Identify your target clients' preferred CBs before you select. JAS-ANZ accreditation is the Australian benchmark.
08 / How we help

What the Cliffside approach to ISO 27001 readiness actually looks like.

We hold ISO/IEC 27001:2022 certification ourselves. That's not incidental — it means we've been through the process, we understand what auditors actually look for, and we can tell the difference between an ISMS that will hold up under scrutiny and one that's documentation theatre.

Our approach starts with the Lighthouse Assessment — a comprehensive, multi-specialist evaluation of your current information security posture against ISO 27001 requirements. The output is a prioritised gap analysis you can use to plan your certification journey — with any provider you choose, including ones we don't work with.

We don't run a template-driven certification factory. We'll tell you honestly:

  • Whether you're ready to begin, or whether you have 6 months of foundation work first
  • What scope makes sense for your market, not just what minimises audit effort
  • Which controls are genuinely implemented vs. documented-but-not-real
  • Whether you should pursue 27001 now or whether APRA CPS 234 or Essential Eight takes precedence for your regulatory situation
  • How long this will realistically take with your available resources

If the honest answer is "you're not ready and here's why," we'll say that. We've turned down engagements where we didn't think the organisation was ready to build a genuine ISMS — because the alternative is helping produce a certificate that doesn't reflect reality.

Start your ISO 27001 journey

Know where you actually stand — first.

The Cliffside Lighthouse Assessment gives you an honest, evidence-based picture of your ISO 27001 readiness — in weeks, not months. You'll receive a prioritised gap analysis, realistic timeline, and honest advice about whether certification is the right next move for your organisation.

What you get from the Lighthouse Assessment
  • Multi-specialist evaluation across all ISO 27001 clauses
  • Prioritised gap analysis mapped to Annex A controls
  • Realistic timeline and resource estimate for your organisation
  • Honest view of what's genuinely implemented vs. documented
  • Transferable report — yours to use with any provider