Stage 1 Readiness Worksheet
Introduction
This comprehensive self-assessment worksheet helps you objectively evaluate your Stage 1 readiness. Use it 2-4 weeks before your scheduled Stage 1 audit to identify any gaps that need addressing.
How to Use This Worksheet:
- Be Brutally Honest - This is for YOUR benefit; self-deception helps no one
- Gather Evidence - Don't just check boxes; verify everything exists and is complete
- Score Each Section - Use the provided scoring system
- Calculate Total - Determine your overall readiness score
- Make Go/No-Go Decision - Use the decision criteria to determine if you should proceed
- Address Gaps - Create an action plan for any items scored low
- Reassess - Complete this worksheet again after addressing gaps
Scoring System:
For each item, assign a score:
- 2 points = Complete, excellent quality, ready to demonstrate
- 1 point = Exists but needs improvement, or partially complete
- 0 points = Missing, inadequate, or not started
Timing:
- Complete this worksheet 3-4 weeks before Stage 1
- Reassess 1 week before Stage 1 after addressing gaps
Section 1: Core ISMS Documentation
1.1 Scope and Context (Clause 4)
Total Possible: 20 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 1 | External issues documented (4.1) | __ / 2 | ||
| 2 | Internal issues documented (4.1) | __ / 2 | ||
| 3 | Interested parties identified (4.2) | __ / 2 | ||
| 4 | Legal/regulatory requirements identified (4.2) | __ / 2 | ||
| 5 | ISMS scope clearly defined (4.3) | __ / 2 | ||
| 6 | Scope boundaries specified (4.3) | __ / 2 | ||
| 7 | Scope justification documented | __ / 2 | ||
| 8 | ISMS processes defined (4.4) | __ / 2 | ||
| 9 | Process interactions documented (4.4) | __ / 2 | ||
| 10 | Context analysis is specific to our organization, not generic | __ / 2 | ||
Section 1.1 Total: _____ / 20
Quality Check Questions:
- Can you clearly explain why your scope is what it is?
- Would an outsider understand your boundaries?
- Is your context analysis specific to YOUR organization or generic?
- Have you identified all relevant legal/regulatory requirements?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.2 Leadership and Policy (Clause 5)
Total Possible: 16 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 11 | Information Security Policy exists (5.2) | __ / 2 | ||
| 12 | Policy is appropriate to organization (5.2) | __ / 2 | ||
| 13 | Policy includes commitment to continual improvement (5.2) | __ / 2 | ||
| 14 | Policy signed/approved by top management (5.2) | __ / 2 | ||
| 15 | Policy has been communicated to all staff (5.2) | __ / 2 | ||
| 16 | Roles and responsibilities documented (5.3) | __ / 2 | ||
| 17 | Real people assigned to roles (5.3) | __ / 2 | ||
| 18 | Management commitment is documented (5.1) | __ / 2 | ||
Section 1.2 Total: _____ / 16
Quality Check Questions:
- Is the policy signed by your CEO or equivalent?
- Can you prove that all employees have seen the policy?
- Does everyone know their ISMS role and responsibilities?
- Can you demonstrate top management commitment?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.3 Risk Assessment and Treatment (Clause 6)
Total Possible: 28 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 19 | Risk assessment methodology documented (6.1.2) | __ / 2 | ||
| 20 | Risk criteria defined (acceptance, evaluation) (6.1.2) | __ / 2 | ||
| 21 | Risk assessment has been CONDUCTED (6.1.2) | __ / 2 | ||
| 22 | Risk assessment results documented (6.1.2) | __ / 2 | ||
| 23 | Risk assessment is specific to OUR organization (6.1.2) | __ / 2 | ||
| 24 | Assets identified in risk assessment | __ / 2 | ||
| 25 | Threats and vulnerabilities identified | __ / 2 | ||
| 26 | Risk treatment plan exists (6.1.3) | __ / 2 | ||
| 27 | Risk owners identified and assigned (6.1.3) | __ / 2 | ||
| 28 | Controls selected for each risk (6.1.3) | __ / 2 | ||
| 29 | Residual risks documented (6.1.3) | __ / 2 | ||
| 30 | Risk owners have accepted residual risks (6.1.3) | __ / 2 | ||
| 31 | Statement of Applicability complete (6.1.3d) | __ / 2 | ||
| 32 | SoA is consistent with risk treatment plan (6.1.3d) | __ / 2 | ||
Section 1.3 Total: _____ / 28
Quality Check Questions:
- Is your risk assessment based on YOUR actual assets and environment?
- Are risk owners real people who have accepted their risks?
- Does your SoA cover all 93 Annex A controls?
- Is there clear traceability from risks → treatment → SoA → controls?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.4 Information Security Objectives (Clause 6.2)
Total Possible: 10 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 33 | Information security objectives established (6.2) | __ / 2 | ||
| 34 | Objectives are documented (6.2) | __ / 2 | ||
| 35 | Objectives are measurable (6.2) | __ / 2 | ||
| 36 | Plans to achieve objectives exist (6.2) | __ / 2 | ||
| 37 | Progress toward objectives is being monitored (6.2) | __ / 2 | ||
Section 1.4 Total: _____ / 10
Quality Check Questions:
- Are your objectives SMART (Specific, Measurable, Achievable, Relevant, Time-bound)?
- Can you demonstrate progress toward achieving them?
- Are they meaningful for your organization, not generic?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.5 Support Resources (Clause 7)
Total Possible: 18 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 38 | Resources for ISMS have been determined (7.1) | __ / 2 | ||
| 39 | Resources have been allocated (7.1) | __ / 2 | ||
| 40 | Competency requirements determined (7.2) | __ / 2 | ||
| 41 | Training provided where needed (7.2) | __ / 2 | ||
| 42 | Evidence of competence exists (7.2) | __ / 2 | ||
| 43 | Awareness program exists (7.3) | __ / 2 | ||
| 44 | Evidence staff are aware of ISMS (7.3) | __ / 2 | ||
| 45 | Communication plan defined (7.4) | __ / 2 | ||
| 46 | Document control process exists and is followed (7.5) | __ / 2 | ||
Section 1.5 Total: _____ / 18
Quality Check Questions:
- Do you have training records for all employees on information security?
- Can you demonstrate that people are aware of the ISMS and policy?
- Is your document control actually being followed?
- Do you have evidence of competence (certifications, training, experience)?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.6 Operation (Clause 8)
Total Possible: 16 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 47 | Operational processes planned (8.1) | __ / 2 | ||
| 48 | Operational processes implemented (8.1) | __ / 2 | ||
| 49 | Operational processes are controlled (8.1) | __ / 2 | ||
| 50 | Changes to operations are controlled (8.1) | __ / 2 | ||
| 51 | Risk assessments performed at planned intervals (8.2) | __ / 2 | ||
| 52 | Risk treatment plan has been implemented (8.3) | __ / 2 | ||
| 53 | Controls from SoA are implemented (8.3) | __ / 2 | ||
| 54 | Outsourced processes are controlled (8.1) | __ / 2 | ||
Section 1.6 Total: _____ / 16
Quality Check Questions:
- Can you demonstrate that your ISMS processes are actually operating?
- Do you have evidence that changes are being managed?
- Have you performed a risk assessment (not just created the methodology)?
- Are controls from your SoA actually implemented and operational?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.7 Performance Evaluation (Clause 9) - CRITICAL SECTION
Total Possible: 20 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 55 | Monitoring and measurement methods defined (9.1) | __ / 2 | ||
| 56 | Monitoring and measurement is being performed (9.1) | __ / 2 | ||
| 57 | Results of monitoring are documented (9.1) | __ / 2 | ||
| 58 | Internal audit program exists (9.2) | __ / 2 | ||
| 59 | CRITICAL: Internal audit has been CONDUCTED (9.2) | __ / 2 | ||
| 60 | Internal audit covered all ISMS areas (9.2) | __ / 2 | ||
| 61 | Internal audit results documented (9.2) | __ / 2 | ||
| 62 | Internal auditor was objective/impartial (9.2) | __ / 2 | ||
| 63 | CRITICAL: Management review has been CONDUCTED (9.3) | __ / 2 | ||
| 64 | Management review includes required inputs (9.3.2) | __ / 2 | ||
Section 1.7 Total: _____ / 20
⚠️ CRITICAL REQUIREMENTS:
Items 59 and 63 (Internal Audit and Management Review) are MANDATORY for Stage 1.
Score 0 on either item 59 or 63?
- YES → You are NOT ready for Stage 1. STOP. Complete these first.
- NO → Continue assessment
Quality Check Questions:
- Has your internal audit been completed within the last 3 months?
- Did the internal audit cover all clauses (4-10) and all Annex A controls?
- Was the auditor sufficiently independent (didn't audit their own work)?
- Has management review been held with real management participation?
- Do you have minutes/documentation from management review?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
1.8 Improvement (Clause 10)
Total Possible: 8 points
| # | Item | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 65 | Process for nonconformities defined (10.1) | __ / 2 | ||
| 66 | Process for corrective actions defined (10.1) | __ / 2 | ||
| 67 | Evidence of continual improvement (10.2) | __ / 2 | ||
| 68 | If nonconformities found, they were addressed (10.1) | __ / 2 | ||
Section 1.8 Total: _____ / 8
Quality Check Questions:
- Do you have a defined process for handling nonconformities?
- If your internal audit found issues, were they addressed?
- Can you point to improvements made to the ISMS?
Critical Issues: (score 0 on any item)
Improvement Actions Needed:
Section 2: Supporting Documentation
2.1 Mandatory Policies and Procedures
Total Possible: 30 points
Based on your SoA, you may need various Annex A policies and procedures. Score each:
| # | Policy/Procedure | Required? | Score | Evidence Location |
|---|---|---|---|---|
| 69 | Access Control Policy | [ ] Yes [ ] No | __ / 2 | |
| 70 | Acceptable Use Policy | [ ] Yes [ ] No | __ / 2 | |
| 71 | Information Classification Policy | [ ] Yes [ ] No | __ / 2 | |
| 72 | Cryptography Policy | [ ] Yes [ ] No | __ / 2 | |
| 73 | Physical Security Policy | [ ] Yes [ ] No | __ / 2 | |
| 74 | HR Security Policy | [ ] Yes [ ] No | __ / 2 | |
| 75 | Supplier Management Policy | [ ] Yes [ ] No | __ / 2 | |
| 76 | Incident Management Procedure | [ ] Yes [ ] No | __ / 2 | |
| 77 | Business Continuity Procedure | [ ] Yes [ ] No | __ / 2 | |
| 78 | Change Management Procedure | [ ] Yes [ ] No | __ / 2 | |
| 79 | Backup and Recovery Procedure | [ ] Yes [ ] No | __ / 2 | |
| 80 | Vulnerability Management Procedure | [ ] Yes [ ] No | __ / 2 | |
| 81 | Data Deletion/Disposal Procedure | [ ] Yes [ ] No | __ / 2 | |
| 82 | Remote Work Policy | [ ] Yes [ ] No | __ / 2 | |
| 83 | Mobile Device Policy | [ ] Yes [ ] No | __ / 2 | |
Section 2.1 Total: _____ / 30 (only score items marked "Yes")
Quality Check:
- All policies/procedures marked as "applicable" in SoA exist
- All policies/procedures are approved and version-controlled
- All policies/procedures have been communicated
Critical Issues:
Improvement Actions Needed:
2.2 Records and Evidence
Total Possible: 34 points
| # | Record Type | Score | Evidence Location | Notes |
|---|---|---|---|---|
| 84 | Training records for all staff | __ / 2 | ||
| 85 | Awareness program evidence | __ / 2 | ||
| 86 | Risk assessment records | __ / 2 | ||
| 87 | Risk acceptance records | __ / 2 | ||
| 88 | Internal audit records | __ / 2 | ||
| 89 | Management review records | __ / 2 | ||
| 90 | Access review records | __ / 2 | ||
| 91 | Backup test records | __ / 2 | ||
| 92 | Incident records (or statement if none) | __ / 2 | ||
| 93 | Change management records | __ / 2 | ||
| 94 | Vulnerability scan results | __ / 2 | ||
| 95 | Vendor/supplier assessments | __ / 2 | ||
| 96 | Asset inventory | __ / 2 | ||
| 97 | Monitoring/measurement results | __ / 2 | ||
| 98 | Employee NDA/confidentiality agreements | __ / 2 | ||
| 99 | Background check records (if applicable) | __ / 2 | ||
| 100 | Corrective action records | __ / 2 | ||
Section 2.2 Total: _____ / 34
Quality Check:
- Records are organized and easily accessible
- Records cover at least 2-3 months of ISMS operation
- Records demonstrate controls are actually operating
- Records are retained according to retention schedule
Critical Issues:
Improvement Actions Needed:
Section 3: Implementation Status
3.1 Control Implementation
Total Possible: 20 points
| # | Assessment Item | Score | Notes |
|---|---|---|---|
| 101 | All "applicable" controls from SoA have been implemented | __ / 2 | |
| 102 | Controls have been operational for at least 2-3 months | __ / 2 | |
| 103 | Each control has supporting evidence of operation | __ / 2 | |
| 104 | Technical controls are configured and active | __ / 2 | |
| 105 | Procedural controls are being followed | __ / 2 | |
| 106 | Physical controls are in place | __ / 2 | |
| 107 | Controls for cloud/SaaS environments implemented | __ / 2 | |
| 108 | Access controls are operational | __ / 2 | |
| 109 | Monitoring and logging is active | __ / 2 | |
| 110 | Backup and recovery controls tested | __ / 2 | |
Section 3.1 Total: _____ / 20
Control Implementation Maturity:
For each control category, rate maturity (0 = Not implemented, 1 = Partially, 2 = Fully):
| Control Category | Maturity | Evidence |
|---|---|---|
| Access Control (A.5) | __ / 2 | |
| Cryptography (A.8) | __ / 2 | |
| Physical Security (A.7) | __ / 2 | |
| Operations Security (A.8) | __ / 2 | |
| Communications Security (A.8) | __ / 2 | |
| System Acquisition/Development (A.8) | __ / 2 | |
| Supplier Relationships (A.5) | __ / 2 | |
| Incident Management (A.6) | __ / 2 | |
| Business Continuity (A.8) | __ / 2 | |
| Compliance (A.5) | __ / 2 | |
Category Maturity Total: _____ / 20
Quality Check:
- No control is completely unimplemented
- Most controls score 2 (fully implemented)
- Controls scoring 1 have clear implementation plans
- Evidence exists for all implemented controls
Critical Issues:
Improvement Actions Needed:
3.2 ISMS Operational Maturity
Total Possible: 20 points
| # | Maturity Indicator | Score | Evidence |
|---|---|---|---|
| 111 | ISMS has been operational for 3+ months | __ / 2 | |
| 112 | At least one complete risk assessment cycle | __ / 2 | |
| 113 | At least one complete internal audit cycle | __ / 2 | |
| 114 | At least one management review cycle | __ / 2 | |
| 115 | Monitoring and measurement generating regular data | __ / 2 | |
| 116 | Controls are generating operational evidence | __ / 2 | |
| 117 | Staff are following ISMS processes | __ / 2 | |
| 118 | ISMS is integrated into business operations | __ / 2 | |
| 119 | Changes to systems go through ISMS processes | __ / 2 | |
| 120 | Improvements have been made based on ISMS data | __ / 2 | |
Section 3.2 Total: _____ / 20
Operational Timeline:
| Milestone | Date Completed | Evidence |
|---|---|---|
| ISMS documentation finalized | __________ | |
| Controls implementation started | __________ | |
| Controls fully operational | __________ | |
| First risk assessment | __________ | |
| First internal audit | __________ | |
| First management review | __________ | |
| Stage 1 audit scheduled | __________ | |
Operational Duration: _____ months (minimum 3 months recommended)
Quality Check:
- ISMS has been operational long enough to demonstrate a complete cycle
- Multiple examples of evidence from different time periods
- Staff can articulate ISMS processes from experience, not just training
- The ISMS is part of "how we work," not a separate compliance exercise
Critical Issues:
Improvement Actions Needed:
Section 4: Team Readiness
4.1 Knowledge and Understanding
Total Possible: 18 points
| # | Team Member | Can Explain ISMS? | Knows Their Role? | Score |
|---|---|---|---|---|
| 121 | ISMS Project Lead / Information Security Manager | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 122 | Executive Sponsor (CEO/CTO) | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 123 | IT Manager / Infrastructure Lead | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 124 | Development Manager (if applicable) | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 125 | HR Manager | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 126 | Operations Manager | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 127 | Internal Auditor | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 128 | Compliance Manager (if applicable) | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
| 129 | Key Process Owners | [ ] Yes [ ] No | [ ] Yes [ ] No | __ / 2 |
Section 4.1 Total: _____ / 18
Key Questions Team Should Be Able to Answer:
Test your team with these questions (all key members should know):
Basic ISMS Questions:
- What is our ISMS scope?
- What is our information security policy?
- What are our main information security risks?
- What controls have we implemented?
- What are our information security objectives?
Personal Role Questions:
- What is your role in the ISMS?
- What are your information security responsibilities?
- What ISMS processes do you participate in?
- How do you contribute to information security?
Quality Check:
- All key team members have been briefed on the ISMS
- Everyone knows the audit schedule and their participation
- Team members can confidently discuss their areas
- No one is defensive or uncertain about the ISMS
Team Knowledge Gaps:
Training/Briefing Needed:
4.2 Audit Participation Readiness
Total Possible: 12 points
| # | Readiness Factor | Score | Notes |
|---|---|---|---|
| 130 | All key participants identified | __ / 2 | |
| 131 | Schedules confirmed and blocked | __ / 2 | |
| 132 | Participants briefed on audit process | __ / 2 | |
| 133 | Participants know what to expect | __ / 2 | |
| 134 | Team is confident, not anxious | __ / 2 | |
| 135 | Backup participants identified (if needed) | __ / 2 | |
Section 4.2 Total: _____ / 12
Audit Day Roles:
| Role | Person Assigned | Availability Confirmed |
|---|---|---|
| Main point of contact | | [ ] Yes |
| Opening meeting attendee | | [ ] Yes |
| Document review support | | [ ] Yes |
| ISMS interview | | [ ] Yes |
| IT/technical interview | | [ ] Yes |
| Management interview | | [ ] Yes |
| Site tour guide | | [ ] Yes |
| Closing meeting attendee | | [ ] Yes |
Quality Check:
- Everyone knows when and where to be
- Everyone knows their role during the audit
- Backups identified in case someone is unavailable
- Team has practiced or rehearsed key elements
Participation Concerns:
Actions Needed:
Section 5: Logistics and Administration
5.1 Audit Logistics
Total Possible: 16 points
| # | Logistics Item | Score | Status |
|---|---|---|---|
| 136 | Audit date confirmed with certification body | __ / 2 | |
| 137 | Audit location confirmed (on-site/remote) | __ / 2 | |
| 138 | Meeting room(s) reserved / video links set up | __ / 2 | |
| 139 | Technology tested (video, screen sharing, etc.) | __ / 2 | |
| 140 | Requested documents submitted to auditor | __ / 2 | |
| 141 | Document submission deadline met | __ / 2 | |
| 142 | Auditor has all access needed (physical or virtual) | __ / 2 | |
| 143 | Refreshments/catering arranged (if on-site) | __ / 2 | |
Section 5.1 Total: _____ / 16
For On-Site Audits:
- Guest Wi-Fi credentials prepared
- Parking instructions sent to auditor
- Building access arranged
- Security/reception notified of visitor
- Audit room set up with needed materials
- Name cards/badges prepared
For Remote Audits:
- Video conferencing links tested and sent
- Screen sharing tested
- Document sharing platform accessible
- All participants can access video conference
- Backup communication method arranged
- Virtual meeting backgrounds professional
Quality Check:
- Nothing will prevent the audit from starting on time
- Auditor has everything they requested
- Technology works reliably
- Professional environment prepared
Logistics Concerns:
Actions Needed:
5.2 Document Organization
Total Possible: 14 points
| # | Organization Element | Score | Status |
|---|---|---|---|
| 144 | All documents in one organized location | __ / 2 | |
| 145 | Document index/register provided | __ / 2 | |
| 146 | Documents organized by ISO clause or logical structure | __ / 2 | |
| 147 | Version control clear on all documents | __ / 2 | |
| 148 | Electronic files named clearly and consistently | __ / 2 | |
| 149 | Evidence organized by control or process | __ / 2 | |
| 150 | Can quickly locate any requested document | __ / 2 | |
Section 5.2 Total: _____ / 14
Document Folder Structure Example:
```
ISMS Documentation/
|-- 00-Document Index.xlsx
|-- 01-Context and Scope/
|   |-- Context Analysis.docx
|   |-- Interested Parties.docx
|   `-- ISMS Scope Statement.docx
|-- 02-Leadership/
|   |-- Information Security Policy.pdf
|   `-- Roles and Responsibilities.docx
|-- 03-Planning/
|   |-- Risk Assessment Methodology.docx
|   |-- Risk Assessment Results.xlsx
|   |-- Risk Treatment Plan.xlsx
|   `-- Statement of Applicability.xlsx
|-- 04-Support/
|   |-- Policies/
|   |-- Procedures/
|   `-- Training Records/
|-- 05-Operation/
|   `-- Operational Records/
|-- 06-Performance Evaluation/
|   |-- Internal Audit Report.docx
|   |-- Management Review Minutes.docx
|   `-- Monitoring Results/
`-- 07-Improvement/
    `-- Corrective Actions/
```
Quality Check:
- Structure is logical and easy to navigate
- Nothing is missing or difficult to find
- Auditor can access easily (permissions set correctly)
- All cross-references work
Organization Issues:
Actions Needed:
Readiness Score Summary
Section Scores
| Section | Possible | Your Score | Percentage |
|---|---|---|---|
| Section 1: Core ISMS Documentation | |||
| 1.1 Scope and Context | 20 | _____ | ___% |
| 1.2 Leadership and Policy | 16 | _____ | ___% |
| 1.3 Risk Assessment and Treatment | 28 | _____ | ___% |
| 1.4 Information Security Objectives | 10 | _____ | ___% |
| 1.5 Support Resources | 18 | _____ | ___% |
| 1.6 Operation | 16 | _____ | ___% |
| 1.7 Performance Evaluation | 20 | _____ | ___% |
| 1.8 Improvement | 8 | _____ | ___% |
| Section 1 Total | 136 | _____ | ___% |
| Section 2: Supporting Documentation | |||
| 2.1 Policies and Procedures | 30 | _____ | ___% |
| 2.2 Records and Evidence | 34 | _____ | ___% |
| Section 2 Total | 64 | _____ | ___% |
| Section 3: Implementation Status | |||
| 3.1 Control Implementation | 20 | _____ | ___% |
| 3.2 ISMS Operational Maturity | 20 | _____ | ___% |
| 3.2b Category Maturity | 20 | _____ | ___% |
| Section 3 Total | 60 | _____ | ___% |
| Section 4: Team Readiness | |||
| 4.1 Knowledge and Understanding | 18 | _____ | ___% |
| 4.2 Audit Participation Readiness | 12 | _____ | ___% |
| Section 4 Total | 30 | _____ | ___% |
| Section 5: Logistics | |||
| 5.1 Audit Logistics | 16 | _____ | ___% |
| 5.2 Document Organization | 14 | _____ | ___% |
| Section 5 Total | 30 | _____ | ___% |
| OVERALL TOTAL | 320 | _____ | ___% |
Go / No-Go Decision Framework
Critical Showstoppers (Automatic No-Go)
These items MUST score 2 (full points). If any score 0 or 1, you are NOT ready for Stage 1:
Absolute Requirements:
- Item 59: Internal audit has been conducted (Required)
- Item 63: Management review has been conducted (Required)
- Item 21: Risk assessment has been conducted (Required)
- Item 26: Risk treatment plan exists (Required)
- Item 31: Statement of Applicability is complete (Required)
Did ANY of the above score less than 2?
- YES → NO-GO: Do not proceed with Stage 1. Complete these first.
- NO → Continue to readiness assessment
Readiness Assessment by Score
Overall Score: _____ / 320 (_____%)
Decision Criteria:
90-100% (288-320 points) - STRONG GO ✓✓
- Decision: Proceed with Stage 1 with high confidence
- Expectation: Excellent chance of passing Stage 1 with no issues
- Action: Minor polish only, maintain momentum
80-89% (256-287 points) - GO ✓
- Decision: Proceed with Stage 1
- Expectation: Good chance of passing, may have minor observations
- Action: Address items scoring 0 or 1 before Stage 1
70-79% (224-255 points) - CONDITIONAL GO ⚠️
- Decision: Proceed only if critical items are complete
- Expectation: Will likely pass but with improvement areas identified
- Action: Focus on items scoring 0, strengthen items scoring 1
- Risk: May receive minor findings or substantial observations
60-69% (192-223 points) - WEAK GO ⚠️⚠️
- Decision: High risk of "not ready" determination
- Recommendation: Consider delaying Stage 1 by 2-4 weeks
- Action: Address all items scoring 0, improve items scoring 1
- Risk: May not be ready for Stage 2, wasted audit fee
Below 60% (<192 points) - NO-GO ✗
- Decision: Do NOT proceed with Stage 1
- Recommendation: Delay Stage 1 by 4-8 weeks
- Action: Significant work needed across multiple areas
- Risk: Will not be ready, wasted time and money
Section-by-Section Analysis
If your overall score is marginal, analyze by section:
Section 1 (Core ISMS) - Must score 85%+
- Your Score: _____ / 136 (_____%)
- Pass (≥85%) - Core documentation is strong
- Borderline (75-84%) - Address gaps immediately
- Fail (<75%) - Significant documentation gaps, delay Stage 1
Section 2 (Supporting Docs) - Must score 75%+
- Your Score: _____ / 64 (_____%)
- Pass (≥75%) - Supporting documentation adequate
- Borderline (65-74%) - Complete missing items
- Fail (<65%) - Substantial documentation missing, delay Stage 1
Section 3 (Implementation) - Must score 80%+
- Your Score: _____ / 60 (_____%)
- Pass (≥80%) - Good operational evidence
- Borderline (70-79%) - Need more operational evidence
- Fail (<70%) - Not operational long enough, delay Stage 1
Section 4 (Team Readiness) - Must score 70%+
- Your Score: _____ / 30 (_____%)
- Pass (≥70%) - Team is prepared
- Borderline (60-69%) - Additional training/briefing needed
- Fail (<60%) - Team not ready, conduct training
Section 5 (Logistics) - Must score 80%+
- Your Score: _____ / 30 (_____%)
- Pass (≥80%) - Logistics handled
- Borderline (70-79%) - Address logistics items
- Fail (<70%) - Logistics not ready, delay Stage 1
Final Decision
Date of Assessment: _____________________
Stage 1 Scheduled Date: _____________________
Overall Score: _____ / 320 (_____%)
Decision:
- STRONG GO - Proceed with confidence
- GO - Proceed after addressing items scored 0-1
- CONDITIONAL GO - Proceed with caution, address critical gaps
- WEAK GO - High risk, consider delaying
- NO-GO - Delay Stage 1, significant work needed
Critical Gaps to Address:
| Priority | Item # | Description | Target Date | Owner |
|---|---|---|---|---|
| High | ||||
| High | ||||
| High | ||||
| Medium | ||||
| Medium | ||||
| Low | ||||
If Proceeding:
- All "High" priority gaps will be addressed by: _____________________
- Team briefing scheduled for: _____________________
- Final document review scheduled for: _____________________
- Pre-audit confidence level: [ ] High [ ] Medium [ ] Low
If Delaying:
- New target Stage 1 date: _____________________
- Action plan created for addressing gaps
- Responsibilities assigned
- Weekly progress reviews scheduled
- Reassessment date: _____________________
Action Plan Template
Use this template to address identified gaps:
Gap Remediation Plan
Gap #1:
- Item Number: _____
- Current Score: _____
- Description: _______________________________________________________________
- Root Cause: _______________________________________________________________
- Action Required: ___________________________________________________________
- Owner: _____________________
- Target Completion: _____________________
- Evidence Required: _________________________________________________________
- Status: [ ] Not Started [ ] In Progress [ ] Complete
Gap #2:
- Item Number: _____
- Current Score: _____
- Description: _______________________________________________________________
- Root Cause: _______________________________________________________________
- Action Required: ___________________________________________________________
- Owner: _____________________
- Target Completion: _____________________
- Evidence Required: _________________________________________________________
- Status: [ ] Not Started [ ] In Progress [ ] Complete
Gap #3:
- Item Number: _____
- Current Score: _____
- Description: _______________________________________________________________
- Root Cause: _______________________________________________________________
- Action Required: ___________________________________________________________
- Owner: _____________________
- Target Completion: _____________________
- Evidence Required: _________________________________________________________
- Status: [ ] Not Started [ ] In Progress [ ] Complete
(Add more as needed)
Reassessment Schedule
After addressing gaps, reassess your readiness:
First Assessment: _____________________
- Overall Score: _____ / 320 (_____%)
- Decision: _____________________
- Gaps Identified: _____
Second Assessment: _____________________
- Overall Score: _____ / 320 (_____%)
- Decision: _____________________
- Remaining Gaps: _____
- Improvement: _____ points (_____%)
Final Assessment (1 week before Stage 1): _____________________
- Overall Score: _____ / 320 (_____%)
- Decision: _____________________
- Remaining Gaps: _____
- Confidence Level: [ ] High [ ] Medium [ ] Low
Tips for Using This Worksheet
Be Honest and Objective
This worksheet only helps if you're brutally honest. Scoring yourself higher than reality only hurts you during the actual audit.
Red Flags of Over-Scoring:
- Scoring items 2 when you can't immediately show evidence
- Assuming documents are "good enough" without review
- Giving credit for plans rather than completed actions
- Scoring based on what you know should exist, not what you've verified exists
Gather Evidence
Don't score items from memory. Actually pull up the documents and records:
- Can you find it in under 2 minutes?
- Is it complete and current?
- Does it meet the requirement?
- Can you explain it to an auditor?
Involve Your Team
Don't complete this worksheet alone:
- Have process owners verify their sections
- Ask your internal auditor to validate scoring
- Test team knowledge before scoring high on team readiness
- Get a second opinion on documentation quality
Use Multiple Times
Complete this worksheet:
- First Time: 4-6 weeks before Stage 1 to identify gaps
- Second Time: 2-3 weeks before Stage 1 after addressing gaps
- Final Time: 1 week before Stage 1 for final confidence check
Don't Aim for Perfect
Stage 1 doesn't require perfection:
- 85-90% readiness is excellent
- Minor gaps are expected and acceptable
- Observations are learning opportunities
- Some items will improve after Stage 1 feedback
Focus on Critical Items
If time is limited, prioritize:
- Internal audit (must be complete)
- Management review (must be complete)
- Risk assessment and treatment (must be complete)
- SoA completeness
- Core documentation (Clauses 4-6)
- Evidence of operation
- Everything else
Know When to Delay
It's better to delay Stage 1 than to:
- Fail and have to reschedule anyway
- Damage team confidence
- Waste audit fees
- Create an adversarial relationship with the auditor
- Rush and make mistakes
Delay Stage 1 if:
- Any critical showstopper scores less than 2
- Overall score is below 70%
- Section 1 (Core ISMS) scores below 85%
- You're not confident explaining your ISMS
Conclusion
This readiness worksheet is your honest assessment tool. Use it wisely:
✓ Be honest - Only you suffer from over-optimistic scoring
✓ Gather evidence - Verify everything before scoring
✓ Address gaps systematically - Use the action plan template
✓ Reassess regularly - Track your improvement
✓ Make a confident decision - Go only when truly ready
Remember: Stage 1 is designed to verify readiness. If you're not ready, it's better to discover that through this worksheet than during the actual audit.
Your goal: Score 85%+ and proceed to Stage 1 with confidence, knowing you're prepared for success.
Next Lesson: In Lesson 8.5, we'll cover Stage 2 preparation and what to expect during the main certification audit where your ISMS will be thoroughly tested.