Compliance · 8 min read · 1 June 2025

ISO 27001 Certification Checklist for SMEs: A Practical Step-by-Step Guide

A no-jargon ISO 27001 implementation checklist for small and medium businesses. Covers gap assessment, documentation, risk treatment, and audit prep.

ISO 27001 is the international standard for Information Security Management Systems (ISMS). Achieving certification demonstrates to clients, partners, and regulators that your organisation takes data security seriously.

This checklist breaks the process into five actionable phases.

Phase 1: Understand the Scope

Before anything else, define the boundaries of your ISMS:

  • Identify assets: What data do you hold? Where does it live? (Servers, cloud, laptops, paper)
  • Define scope statement: Which business units, locations, and services will be included?
  • Identify stakeholders: Who are your internal champions, and who will be the Management Representative?

A common mistake is scoping too broadly on the first attempt. Start with your most critical business process and expand later.

Phase 2: Conduct a Gap Assessment

Compare your current security posture against ISO 27001's 93 controls (Annex A):

  • Document existing policies: What security policies do you already have?
  • Identify gaps: Which controls are missing or only partially implemented?
  • Prioritise: Focus first on high-risk gaps — those with the highest likelihood and impact.

A typical SME gap assessment takes 2–5 days and produces a gap register you can use to plan remediation.

Phase 3: Build Your Documentation

ISO 27001 is documentation-heavy. You'll need at minimum:

  • ISMS Policy — top-level commitment from management
  • Risk Assessment Methodology — how you identify and rate risks
  • Risk Register — all identified risks with owners and treatment plans
  • Statement of Applicability (SoA) — which Annex A controls apply and why
  • Information Asset Inventory — what you hold, who owns it, how it's classified
  • Incident Response Procedure
  • Business Continuity Plan
  • Access Control Policy
  • Acceptable Use Policy
  • Supplier Security Policy

Phase 4: Implement Controls

With documentation in place, implement the technical and organisational controls:

  • Set up multi-factor authentication (MFA) across all systems
  • Configure role-based access control (RBAC)
  • Deploy endpoint protection and patch management
  • Implement encrypted backups with tested restore procedures
  • Conduct security awareness training for all staff
  • Run a vulnerability scan and remediate critical findings

Phase 5: Internal Audit and Management Review

Before your certification audit:

  • Internal audit: Independently assess your ISMS against all requirements
  • Management review: Present findings to leadership; document the meeting
  • Corrective actions: Resolve any non-conformities identified

The Certification Audit

Certification is a two-stage process:

  • Stage 1 (documentation review): The auditor reviews your ISMS documentation — typically 1 day
  • Stage 2 (implementation audit): On-site or remote verification of actual implementation — typically 2–5 days for an SME

Typical timelines: Most SMEs achieve ISO 27001 certification in 4–9 months, depending on their starting position and available resources.

Need help with ISO 27001 implementation? Contact NadahWeb for a free gap assessment and a realistic project plan.
