1. Do you have management commitment and a defined ISMS scope?
2. Have you completed a risk assessment and treatment plan?
3. Are your core security policies documented and actually operating?
4. Do you run access reviews, logging and incident management?
5. Have you done an internal audit and management review?
What ISO 27001 certification takes

It’s a management system
ISO 27001 certifies a working Information Security Management System (ISMS) — leadership, scope and risk-based controls, not just documents.

Risk drives everything
Your risk assessment and Statement of Applicability justify every control. Auditors scrutinise them first.

Stage 1 then Stage 2
Certification is a documentation review (Stage 1) followed by an operating-effectiveness audit (Stage 2), with annual surveillance audits afterwards.
