Our team is initiating our pursuant of ISO 27001.  Any general guidance from those who have recently been through the process and received their certification?

Here are a few key lessons I’ve learned in my past organization:

1. Get leadership on board early - Executive commitment is essential. They need to understand not just the strategic value of ISO 27001, but also the operational implications, like recurring surveillance audits and full recertification every three years. It’s a serious investment, not just a checkbox.

2. Use the standard as your guide - The Annex A controls are your blueprint. Don’t rely solely on templates or external interpretations.

3. Prioritize clarity and usability - Overly complex documentation can hinder adoption. Keep your policies, procedures, and training materials straightforward and aligned with how the business actually operates. The goal is to enable, not obstruct.

4. Choose your Physical and Logical scope wisely

I’m an ISO 27001 Lead Auditor and recently guided a company through a successful certification. From experience, the effort required varies greatly depending on your organization’s context — for example, a publicly traded company will not need the same depth as a mid-sized enterprise, and both industry requirements and IT exposure will heavily influence the scope.

A few tips I’ve found valuable:
1) Secure top management buy-in – Leadership must understand why the certification is valuable, how it supports business objectives, and also the commitments it brings (such as annual surveillance audits and full recertification every three years). ISO27 is not a free process!

2) Work directly with the standard – The Annex provides the full control set. Use it as your checklist and verify that appropriate controls are in place and effective.

3) Keep it simple – Policies, training, and processes should be concise and practical. Excessive paperwork slows down adoption; the goal is always to support the business, not create friction.

Finally, take the time to compare certification bodies. Pricing can vary significantly, as can the flexibility and support auditors provide—choosing the right partner can make the process much smoother.

1. Go through each controls of ISO 27001. Identify a person who can lead this effort. Have the person conduct internal audit against all the controls, document the gaps and find a way to fill the gap. 
2. For each control, have the policy or guidelines documented, internally reviewed, approved and published.  Each document should have last review date. And then collect evidence of use to show the auditor.
3. Do not volunteer additional information other than what has been asked by auditor :-). 

Hope this helps. Happy to help more if you need. All the best for audit and certification.

Before pursuing ISO 27001 certification, the company should first understand the standard and gain executive buy-in to secure resources and support. The next step is defining the ISMS scope, followed by conducting a gap analysis to assess current security posture. A project plan should be created, and a risk assessment carried out to identify and treat risks, culminating in a Statement of Applicability.
Required policies and procedures must be documented, and the ISMS implemented across their company, supported by staff training and awareness. Internal audits and a management review help verify effectiveness before selecting a certification body. An optional readiness review may be conducted prior to the formal certification audit, which is performed in two stages: a documentation review and a full audit of the ISMS.
Key points to call out are:
Ensure staff understand and support the initiative, and that top management have bought into the initiative.
Be prepared for the additional documentation burden, ISO27001 is documentation-heavy.
Be ready for the fact that certification requires continuous improvement and re-certification every 3 years, including annual surveillance audits.
If the business holds other standards then all the standards will need to be integrated (e.g., ISO9001) into an integrated management system.