How to Get ISO 27001 Certification in the UK: A Straightforward Guide
- jpullen5
- Jul 15
- 2 min read
Updated: Jul 16
If you're here, chances are you’re thinking about ISO 27001. Maybe a client’s asked for it, maybe it will give you access to more lucrative contracts, or you’ve had a security scare and want to put things right. Either way, you’re in the right place.
ISO/IEC 27001 is the international standard for information security management systems (an ISMS). It’s not just for big corporations or IT firms. Increasingly, it’s expected of anyone who handles sensitive data, from health tech startups to defence suppliers and engineering firms.
So let’s break it down. Here’s how to actually get certified in plain English, no fluff, no jargon!
Step 1: Decide Your Scope and Objectives
Before jumping into policies and checklists, figure out what parts of your business the certification will cover (this is your ISMS Scope). Keep it tight and realistic. You don’t have to boil the ocean.
Tip: If you're new to this, focus on your core business functions that handle sensitive data.
Step 2: Build an ISMS (Information Security Management System)
This is your framework for managing risk. It includes:
Policies (e.g. information security, access control, supplier risk)
Processes (e.g. incident response, risk assessment)
Roles and responsibilities
You don’t need a 100-page policy library. A lean ISMS tailored to how you actually work will be far more effective, and easier to manage.
Step 3: Run a Risk Assessment and Choose Your Controls
ISO 27001 is risk-based. You’ll need to:
Identify risks to your data and systems, and score them (typically likelihood × impact)
Decide how to treat each risk (mitigate, accept, transfer or avoid), within a risk appetite that leadership has agreed
Choose which of the 93 Annex A controls (2022 edition of the standard) you rely on to treat those risks
The risks and their treatments go into your risk register and risk treatment plan. Your Statement of Applicability (SoA) then lists every Annex A control, whether it applies, why it’s included or excluded, and how far it’s implemented. Auditors read these side by side: a control you rely on to treat a risk must be marked applicable, and a control you’ve excluded needs a written justification.
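As an added example (not part of the original post, and not a Kafico tool), here is a small Python script that builds a risk register, scores each risk, derives an SoA from the controls the treatments rely on, and runs the consistency checks an internal auditor would make. The register is constructed sample data, the risk appetite threshold is an assumed value, and the Annex A identifiers are a handful of ISO/IEC 27001:2022 controls used for illustration rather than the full list of 93.

```python
"""Risk register -> Statement of Applicability consistency check.

Added example, not from the original post. Constructed sample data; the
Annex A identifiers are a handful of ISO/IEC 27001:2022 controls used for
illustration, not the full list of 93.
"""
from dataclasses import dataclass

# Subset of Annex A (2022) used for illustration; a real SoA lists all 93.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.19": "Information security in supplier relationships",
    "A.5.24": "Information security incident management planning and preparation",
    "A.6.3": "Information security awareness, education and training",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.9": "Configuration management",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
}

# Assumed risk appetite: scores above this may not simply be "accepted".
RISK_APPETITE = 6


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    treatment: str         # "mitigate", "accept", "transfer" or "avoid"
    controls: tuple = ()   # Annex A refs relied on when treatment == "mitigate"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register for a small engineering firm.
REGISTER = [
    Risk("R1", "Ex-employee retains VPN and repo access", 3, 4, "mitigate", ("A.5.15",)),
    Risk("R2", "Supplier mishandles client design files", 2, 4, "mitigate", ("A.5.19",)),
    Risk("R3", "Unpatched build server exploited", 3, 5, "mitigate", ("A.8.8", "A.8.9")),
    Risk("R4", "Phishing leads to credential theft", 4, 3, "mitigate", ("A.6.3", "A.5.24")),
    Risk("R5", "Laptop lost on a train", 2, 3, "mitigate", ("A.8.24",)),
    Risk("R6", "Office printer firmware out of date", 1, 2, "accept"),
    Risk("R7", "Shared admin account on legacy CNC controller", 3, 3, "accept"),
]


def build_soa(register, exclusions):
    """Return {control: (applicable, justification)}.

    A control is applicable if any risk relies on it; otherwise it is excluded
    and should carry the justification given in `exclusions` (may be empty,
    which validate() will flag)."""
    used = {}
    for r in register:
        for c in r.controls:
            used.setdefault(c, []).append(r.ref)
    soa = {}
    for ctrl in ANNEX_A:
        if ctrl in used:
            soa[ctrl] = (True, "Treats risk(s) " + ", ".join(used[ctrl]))
        else:
            soa[ctrl] = (False, exclusions.get(ctrl, ""))
    return soa


def validate(register, soa):
    """Return the findings an internal auditor would raise, as strings."""
    findings = []
    for r in register:
        if r.treatment == "accept" and r.score > RISK_APPETITE:
            findings.append(f"{r.ref}: score {r.score} exceeds appetite but is accepted")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.ref}: marked mitigate but no controls selected")
        for c in r.controls:
            if c not in ANNEX_A:
                findings.append(f"{r.ref}: unknown control {c}")
    for ctrl, (applicable, why) in soa.items():
        if not applicable and not why:
            findings.append(f"{ctrl}: excluded without justification")
    return findings


if __name__ == "__main__":
    soa = build_soa(REGISTER, exclusions={})
    for ctrl, (applicable, why) in soa.items():
        print(f"{ctrl:7} {'Yes' if applicable else 'No ':3} {ANNEX_A[ctrl]}  [{why}]")
    for finding in validate(REGISTER, soa):
        print("FINDING:", finding)
```

Run as-is, it raises two findings: R7 is accepted despite scoring above the appetite, and A.8.15 (Logging) is excluded with no justification because no risk in the register relies on it. Both are exactly the kind of gap a Stage 1 or internal audit picks up; fixing them means either adding the risk that logging actually treats, or writing the exclusion down, and either treating R7 or getting leadership to sign off the higher acceptance.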
Step 4: Make It Real – Implementation and Awareness
Controls only matter if they’re actually followed. Time to roll them out:
Configure systems securely
Set up logging and access controls
Train your team
Make sure policies are being applied in real life
Step 5: Monitor, Audit, Improve
Once your ISMS is running, you’ll need to:
Carry out internal audits
Fix any issues
Review how things are performing
Hold a Management Review to show leadership are on board
Step 6: Choose a Certification Body and Get Audited
You’ll go through:
Stage 1 Audit: Checks your documentation and readiness
Stage 2 Audit: Confirms everything’s working properly in practice
If you pass, you’re certified. The certificate runs on a three-year cycle: yearly check-ins called surveillance audits in years one and two, then a recertification audit before it expires.
Grab our Free Download: ISO 27001 Readiness Checklist
Download Kafico's ISO 27001 Readiness Checklist which lays everything out simply!
No email needed! Just useful stuff - instantly.
Final Thoughts
Getting certified doesn’t have to be overwhelming. But it does need structure. Most companies we help get audit-ready in 8 to 12 weeks if they stick with it. DIY approaches usually take longer, come with more headaches or just fizzle out completely.
Not sure where to begin? Grab the checklist or book a quick call. We’re always happy to help - no pressure!