
9 steps to prepare for your first ISO 27001 certification audit

Andrew Robinson | May 13, 2022


ISO 27001 overview

ISO 27001 is an information security standard created and regulated by the International Organization for Standardization (ISO).

As it isn’t a legally mandated framework, it is not legally enforced. However, it is widely considered the benchmark for businesses and often plays a critical role in securing contracts with larger companies, government organizations, and data-heavy industries.

ISO 27001 is notable because it requires you to develop an Information Security Management System (ISMS) that covers all types of personal data, both electronic and otherwise. It includes everything from HR data security and client data to physical entry controls and delivery areas.

Shifting expectations around information security

These days there is an expectation for organizations to put in the effort to appropriately protect customer information as well as their own business information.

With the risk of data breaches rapidly increasing, some small businesses may be tempted to cut corners on security and skip over preventative measures to try and reduce costs. 

Throughout a business's lifecycle, it will experience swift growth periods followed by slower periods where staff have to continue to adjust to shifting responsibilities related to information security.

This can result in a mismatch between the security tools they use and the number of staff who need to access their information.

Companies need to identify, implement, and evaluate tools and standards that safeguard customer information. This is why the ISO/IEC 27000 family of standards was developed.

What does the ISO audit procedure entail?



To receive the ISO 27001 certification, businesses must first draft an information security document that details their objectives and controls. After this process is finished, the business then works with a certifier to perform a two-stage audit:

Stage 1 Audit 

A Stage 1 audit is also often called a 'Document Review'. In this type of audit, the certification auditor reviews paperwork to determine whether an organization has the potential to meet ISO 27001 compliance standards based on its current information security management system, if one exists at all.

Stage 2 Audit 

Also called a ‘Main Audit,’ Stage 2 checks to make sure the business practices are compliant with both the written documentation and ISO 27001.

Once an audit has been successfully completed, the auditor can certify that the organization has effective and stable security practices at that point in time and adheres to ISO 27001 management standards.

ISO 27001 audit preparation 

Preparing for an ISO 27001 audit can include everything from updating policies and physical access control systems to conducting internal audits and identifying notable vulnerabilities.

So it comes as no surprise that individuals looking to obtain ISO 27001 certification easily feel overwhelmed by the amount of work it entails when starting out.

While there are many ways this can be approached as an individual, involving a bigger team will help more than you might think. Many hands make light work! But if you don't have the time, you can also employ the help of a third-party consultant.



Here are some useful steps that businesses should take to prepare for their ISO 27001 audit:

1. Decide on the right time for compliance

If you have experienced a data breach, or are merely considering the risks at your organization, committing to ISO 27001 certification is the first and most critical step. 

2. Document everything

Many companies are now focusing on ISO 27001 certification. Documentation is an essential factor in this process, as documented records of all issues and concerns are necessary to maintain a complete view of risks.

3. Familiarize employees with the process

For any organization to obtain ISO 27001 certification, it is important to involve employees in the process as early as possible. Commitment to data security, protecting customer privacy, and improving the health of your business should be highlighted early on for employees and other stakeholders. 

4. Hire or appoint an ISO manager or representative

This role requires several skills to succeed. It can be filled by an internal manager who has experience with ISO and ISMS procedures, or an outside advisor whose focus is ISO risk assessments and certification.  

Regardless, the appointed individual must be a seasoned professional who is capable of overseeing this project through to finalization with success.

5. Conduct periodic management reviews of the management system

There are many points to consider when preparing for ISO certification, beginning with the annual review. Top management should participate in reviewing policies and objectives, updating any regulations that have changed, looking out for potential risks, and identifying areas of concern on which to focus resources.

At this point, they can also set a schedule for more in-depth gap analysis, risk assessment, and internal auditing as needed.

6. Perform a gap analysis and a risk assessment

Performing a gap analysis, and then a risk assessment, lets you identify the threats, vulnerabilities, and risks to your data. It also helps you determine the scope of implementation, or how far it should go.

Gap analysis and risk assessment evaluations should be done before the initial implementation of a quality management system to help you determine where your business is most vulnerable and where improvements can be made.

7. Conduct an internal ISO 27001 audit

An ISO 27001 internal audit, or 'self-assessment', also includes a review of business risks and any security vulnerabilities within your organization's quality management system.

The goal is to find any serious non-conformity issues before beginning an external audit. It gives individuals the opportunity to go over questions concerning the company's ISO assessment, as well as prepare for interviews conducted during the audit process. 

An in-house auditor can do this, but a trusted external auditing firm brings the benefit of experienced, yet impartial, perspectives to the process and will undoubtedly save time for this and future assessments.

8. Address the gaps

Once the internal audit has identified recurring non-compliance issues, your team should develop a corrective action plan and follow through. Otherwise, an external audit will find the same problems, delaying certification.

9. Track progress

Each point requires a detailed progress report for the management involved. Be sure to provide information about security team actions toward objectives, findings in the gap analysis, risk assessments, and internal audit procedures. This is important because lawyers require improvement over time to be on point with expectations.


If you are considering the ISO 27001 certification, then you need to be prepared before your first audit so that the process goes smoothly. Doing so can help you save significant time and resources.

The ISO 27001 standard is a globally recognized information security standard that more and more businesses are expected to demonstrate compliance with.

The accompanying ISO 27001 audit is a methodical process of evaluating the security system that has been put in place by your business.

The individual responsible for auditing will assess everything from how well you have implemented data protection to whether or not staff members completed training on information technology and management systems.

Completing such a review will not only help you achieve ISO compliance in the short term, but it will also help improve your IT processes moving forward.

There are several things that you will find useful to keep in mind throughout your ISO certification process: core tools require more documentation than you think; established processes and improved communication between departments are a major key to successful risk management; and a greater focus on periodic training related to compliance is non-negotiable.

One of the most enticing aspects of achieving an ISO 27001 certification is what it signals to competitors, clients, and partners - that your business prioritizes security and has invested significant time and resources to ensure information security best practices are in place.  

Ready for an ISO 27001 certification? 

If data and information security is a top priority for your business, you should seriously consider completing an ISO 27001 certification.


Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.