Our team is initiating our pursuit of ISO 27001. Any general guidance from those who have recently been through the process and received their certification?
Congrats on kicking off your ISO 27001 journey! That’s a big step, and one that’s definitely worth the effort.
From my experience, the best thing you can do early on is get super clear on your ISMS and run a proper gap analysis before diving into implementation. That’ll help you see where you stand and what needs attention. Make sure your policies, risk assessments, and controls are well-documented. Auditors love that stuff.
My biggest piece of advice would be not to go through the process alone if you can avoid it. Bringing in ISO 27001 compliance specialists like Scytale can save you so much time and confusion. They’ll automate and help you handle the most tedious parts, making sure you’re audit-ready and stay compliant long after you’re certified.
Here are a few key lessons I’ve learned in my past organization:
1. Get leadership on board early - Executive commitment is essential. They need to understand not just the strategic value of ISO 27001, but also the operational implications, like recurring surveillance audits and full recertification every three years. It’s a serious investment, not just a checkbox.
2. Use the standard as your guide - The Annex A controls are your blueprint. Don’t rely solely on templates or external interpretations.
3. Prioritize clarity and usability - Overly complex documentation can hinder adoption. Keep your policies, procedures, and training materials straightforward and aligned with how the business actually operates. The goal is to enable, not obstruct.
4. Choose your Physical and Logical scope wisely
I’m an ISO 27001 Lead Auditor and recently guided a company through a successful certification. From experience, the effort required varies greatly depending on your organization’s context — for example, a publicly traded company will not need the same depth as a mid-sized enterprise, and both industry requirements and IT exposure will heavily influence the scope.
A few tips I’ve found valuable:
1) Secure top management buy-in – Leadership must understand why the certification is valuable, how it supports business objectives, and also the commitments it brings (such as annual surveillance audits and full recertification every three years). ISO27 is not a free process!
2) Work directly with the standard – The Annex provides the full control set. Use it as your checklist and verify that appropriate controls are in place and effective.
3) Keep it simple – Policies, training, and processes should be concise and practical. Excessive paperwork slows down adoption; the goal is always to support the business, not create friction.
Finally, take the time to compare certification bodies. Pricing can vary significantly, as can the flexibility and support auditors provide—choosing the right partner can make the process much smoother.
Thank you Elliott, this is very helpful.
1. Go through each control of ISO 27001. Identify a person who can lead this effort. Have that person conduct an internal audit against all the controls, document the gaps, and find a way to fill each gap.
2. For each control, have the policy or guidelines documented, internally reviewed, approved, and published. Each document should have a last review date. Then collect evidence of use to show the auditor.
3. Do not volunteer additional information other than what has been asked by auditor :-).
Hope this helps. Happy to help more if you need. All the best for audit and certification.
Yes, thank you Dhananjay.
We focused on our IT systems, DRP, procedures ... and learned the hard way that physical access to buildings is also important :-)