ISO Certification Planning Guide
This roadmap prepares an organization for ISO/IEC 27001 certification, the standard for an information security management system (ISMS). Each phase builds on the previous one, so do not skip ahead: a risk assessment done before the scope is fixed, or an SoA written before the risk treatment plan, will have to be redone.
The 6 Planning Phases
Project Initiation
Set the foundation for your ISO certification journey.
Key Tasks
- Secure executive sponsorship and budget approval
- Define the scope and boundaries of your ISMS: locations, business units, systems, and the interfaces and dependencies with anything left out of scope (these must be stated, not implied)
- Identify key stakeholders and form project team
- Set realistic timeline and milestones
- Choose between DIY, consultant, or automation platform
Tips
- Start with a smaller scope — you can expand later
- Get buy-in from leadership early; their support is critical
- Document everything from day one
Gap Analysis
Understand where you are vs. where you need to be.
Key Tasks
- Assess current security controls against the ISO/IEC 27001 requirements: the management-system clauses 4 to 10 and the Annex A controls
- Identify gaps in policies, procedures, and technical controls
- Document existing assets and their classifications
- Review current risk management practices
- Create prioritized remediation roadmap
Tips
- Use our Gap Analysis Tool (unlocks at Level 7)
- Don't panic if you find many gaps — this is normal
- Focus on high-impact gaps first
Risk Assessment
Identify, analyze, and prioritize information security risks.
Key Tasks
- Create comprehensive asset inventory
- Identify threats and vulnerabilities for each asset
- Assess likelihood and impact of potential incidents
- Calculate risk levels using your chosen methodology
- Develop a risk treatment plan, and record the risk owners' approval of the plan and their acceptance of the residual risk (the standard requires both to be documented)
Tips
- Keep your risk methodology simple and consistent
- Involve asset owners in the assessment process
- Document your risk acceptance criteria upfront
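A small worked example of the scoring and treatment steps, added here and not part of the original guide: a risk register using a constructed 5x5 likelihood x impact scale, an acceptance threshold fixed before scoring starts, and a treatment plan sorted highest risk first. The assets, threats, owners, scale, bands and threshold are all assumptions chosen for illustration; substitute your own methodology, but keep it the same for every asset so scores stay comparable.

```python
from dataclasses import dataclass

# Constructed 5x5 qualitative scale shared by every assessment so that
# results are comparable (the guide does not prescribe a scale).
SCALE_MIN, SCALE_MAX = 1, 5

# Risk acceptance criterion, documented before scoring starts: anything at
# or below this score may be retained with the asset owner's sign-off.
# Assumed value for illustration only.
ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str          # asset owner who took part in the assessment
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so one inconsistent
        # assessment cannot distort the whole register.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Bucket a 1..25 score into the bands used in the treatment plan (assumed bands)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def treatment_option(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Retain risks inside the acceptance criteria; everything else needs
    treatment. Whether that is modify (add a control), avoid (stop the
    activity) or share (insurance, supplier) is a risk-owner decision, so
    the default recorded here is 'modify'."""
    return "retain" if risk.score <= threshold else "modify"


def treatment_plan(risks, threshold: int = ACCEPTANCE_THRESHOLD):
    """Return the register ordered highest score first, each entry with its band and option."""
    ordered = sorted(risks, key=lambda r: (-r.score, r.asset))
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "level": risk_level(r.score),
            "option": treatment_option(r, threshold),
            "owner": r.owner,
        }
        for r in ordered
    ]


# Constructed sample register; not real assessment data.
SAMPLE_REGISTER = [
    Risk("Customer database", "Credential theft", "No MFA on admin accounts", "DBA lead", 4, 5),
    Risk("Laptop fleet", "Device loss", "Disk encryption not enforced", "IT manager", 3, 3),
    Risk("Office Wi-Fi", "Eavesdropping", "Guest and staff share one SSID", "Facilities", 2, 2),
    Risk("Build server", "Supply-chain compromise", "Unpinned third-party actions", "Platform lead", 3, 4),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['level']:<6} {row['option']:<6} "
              f"{row['asset']} / {row['threat']} (owner: {row['owner']})")
```

Running it lists the customer database (score 20, High) first and the Wi-Fi risk (score 4, Low) last as the only entry marked retain. The point of fixing the threshold in code, before any scores are entered, is the same as documenting acceptance criteria upfront: it stops the criteria from being adjusted afterwards to make an inconvenient risk disappear.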
Documentation & Controls
Build your ISMS documentation and implement controls.
Key Tasks
- Write information security policy and supporting policies
- Create the Statement of Applicability (SoA): every Annex A control, whether it applies, the justification for including or excluding it, and whether it is implemented yet
- Develop procedures for required controls
- Implement technical controls and configurations
- Create employee awareness training program
Tips
- Use our policy templates to accelerate documentation
- Focus on quality over quantity — auditors prefer concise docs
- Ensure policies reflect what you actually do
Implementation & Training
Roll out controls and train your team.
Key Tasks
- Deploy technical controls across systems
- Train all employees on security awareness
- Train specific roles on their responsibilities
- Conduct tabletop exercises for incident response
- Implement monitoring and logging
Tips
- Make training engaging — gamify it if possible
- Test controls in staging before production
- Document evidence of training completion
Internal Audit & Review
Validate your ISMS before the certification audit.
Key Tasks
- Conduct an internal audit against the ISO/IEC 27001 requirements and against your own policies and procedures (an auditor checks that you do what you documented)
- Document nonconformities and observations
- Implement corrective actions
- Perform management review meeting
- Prepare evidence packages for external audit
Tips
- Consider hiring an independent internal auditor; whoever audits must not audit their own work, as the standard requires an objective and impartial audit
- Leave time to fix issues before the external audit
- Practice your audit responses with mock interviews
Automation Platform vs Auditor
Understanding the difference is crucial for planning your certification journey.
Key Insight
Think of it like tax preparation software (automation platform) vs. a licensed CPA (auditor). The software helps you prepare, but only the CPA can sign off on your tax return. The same separation applies to consultants: whoever helps build your ISMS cannot also certify it, because an accredited certification body must remain independent of the organization it audits.
Automation Platforms
Help you prepare for certification
- Policy templates & documentation
- Evidence collection automation
- Control monitoring & alerts
- Gap analysis & remediation tracking
Certification Auditors
Independently assess your ISMS and issue the certificate
- Independent assessment
- Official ISO certification
- A certificate issued by a body accredited for ISO/IEC 27001 by a national accreditation body, which is what customers and regulators recognize (check the accreditation before signing)
- Stage 1 (documentation readiness) and Stage 2 (implementation) audits, then annual surveillance audits and recertification in the three-year cycle
Implementation Checklist
Use this checklist to track your progress through each control category of ISO/IEC 27001:2022 Annex A (93 controls in four themes). A control that does not apply to your scope is not skipped silently: it is excluded in the SoA with a documented justification.
Organizational Controls
37 controls (5.1 to 5.37)
People Controls
8 controls (6.1 to 6.8)
Physical Controls
14 controls (7.1 to 7.14)
Technological Controls
34 controls (8.1 to 8.34)