
The ISO 27001 Checklist: Every Step from Gap Analysis to Certification
ISO 27001 certification proves to customers, partners, and regulators that your organisation takes information security seriously. For Australian businesses, achieving ISO 27001 certification means following a structured process that includes gap analysis, risk assessment, documentation, internal audit, and external certification audits. This ISO 27001 checklist breaks down each step so you know exactly what needs to happen and when.
Most organisations take six to twelve months from starting the process to receiving certification. The timeline depends on your current security posture, how much documentation already exists, and how quickly you can implement the required controls. Understanding the full checklist helps you plan realistically and avoid delays.
Start with Gap Analysis
A gap analysis is the first step in the ISO 27001 certification process. It compares your current information security practices against the requirements of ISO 27001:2022, including the 93 controls in Annex A. The goal is to identify what you already have in place and what needs to be built, documented, or improved.
During a gap analysis, you define the scope of your Information Security Management System (ISMS), which determines which parts of your organisation will be certified. You do not need to certify your entire organisation. Many businesses limit the scope to specific departments, systems, or locations that handle sensitive data.
You also review existing policies, procedures, risk assessments, and technical controls. This includes identity and access management, incident response plans, backup and recovery procedures, change management, and vendor security practices. Each control is rated based on whether it meets the standard, partially meets it, or is missing entirely.
The output is a prioritised action plan that identifies high-impact gaps requiring immediate attention and lower-priority items that can be addressed later. This plan becomes your roadmap for the next phase.
If you are not sure where your organisation stands or what gaps exist, a professional gap analysis is a good starting point. Siege Cyber offers gap analysis as a standalone service, helping you understand what needs to be done before committing to the full certification process. Visit siegecyber.com.au/services/iso-27001 to see how we support Australian businesses through every stage of ISO 27001 certification.

Build Your ISMS and Implement Controls
Once the gap analysis is complete, you move into the build phase. This is where you create or update policies, procedures, and technical controls to meet ISO 27001 requirements. The standard is structured around ten clauses that cover leadership, planning, support, operation, performance evaluation, and improvement.
You need to document an information security policy, define roles and responsibilities, and establish measurable security objectives. You also perform a formal risk assessment that identifies threats to your IT infrastructure, assigns risk scores based on impact and likelihood, and defines treatment measures.
The Statement of Applicability (SoA) is a required document that maps your controls to the 93 items in Annex A of ISO 27001:2022. The SoA explains which controls you are implementing and why you have excluded any controls that do not apply to your organisation. The 2022 version of the standard groups controls into four categories: organisational, people, physical, and technological.
Implementation involves putting technical safeguards in place, training staff on security policies, and establishing processes for monitoring, incident response, and continuous improvement. This phase typically takes three to six months, depending on how much needs to be built from scratch.
Conduct an ISO 27001 Internal Audit
Before you engage an external auditor, you must conduct at least one internal audit. The ISO 27001 internal audit verifies that your ISMS is documented properly, that controls are implemented as described, and that staff understand their security responsibilities.
Internal audits review each clause of the standard and check for evidence that policies and procedures are being followed. This includes testing access controls, reviewing incident logs, checking backup and recovery procedures, and confirming that risk assessments are current. The audit also verifies that the SoA is complete and that all required documentation exists.
Findings are classified as major nonconformities, minor nonconformities, or observations. Major nonconformities are critical gaps that must be resolved before the external audit. Minor nonconformities are smaller issues that need attention but do not block certification. Observations are improvement suggestions.
The internal audit report includes corrective actions, assigns responsibility for fixing each issue, and sets deadlines. You must close all major nonconformities and verify that corrective actions are effective before moving to the external audit phase.
Prepare for the Stage 1 Audit
The external certification audit happens in two stages. Stage 1 is the documentation review, also called the readiness audit. The auditor reviews your ISMS documentation to confirm that it is designed properly and aligns with ISO 27001 requirements.
During Stage 1, the auditor checks that your ISMS scope is clearly defined, that your information security policy and objectives are documented, that risk assessments and risk treatment plans are complete, and that your SoA maps correctly to Annex A. They also verify that you have conducted at least one internal audit and a management review.
Stage 1 does not evaluate whether your controls are working in practice. The focus is on verifying that the documentation exists and that it meets the standard’s requirements. If the auditor finds significant gaps, they will identify these as nonconformities that must be resolved before Stage 2.
Most Stage 1 audits are conducted remotely or with a short site visit. The auditor produces a report that lists any issues and provides recommendations for Stage 2 preparation.
Pass the Stage 2 Audit for Certification
Stage 2 is the main certification audit. This is where the auditor validates that your ISMS is operating effectively and that controls are implemented as documented. Unlike Stage 1, which focuses on documentation, Stage 2 evaluates real-world application and effectiveness.
The auditor conducts on-site visits or remote assessments to observe how your organisation operates. They test controls, review evidence of implementation, interview staff, and assess how risks are managed day-to-day. Expect them to review operational controls like access management, incident response, backup and recovery, supplier management, and security monitoring.
The auditor also checks that employees understand and follow security policies, that risk management processes are active, and that you are monitoring and improving the ISMS through internal audits and management reviews.
If the auditor identifies nonconformities during Stage 2, you must address them before certification is granted. Once all requirements are satisfied, the certification body issues your ISO 27001 certificate, which is valid for three years.
Maintain Ongoing Compliance
ISO 27001 is not a one-time achievement. After certification, you must undergo annual surveillance audits to demonstrate that your ISMS remains effective. These audits are shorter than the initial Stage 2 audit but verify that controls are still operating and that the ISMS is being continuously improved.
You also need to perform internal audits at least annually, conduct regular management reviews, update risk assessments as your business changes, and address any incidents or nonconformities that arise. Every three years, you undergo a full recertification audit.

What ISO 27001 Certification Costs in Australia
ISO 27001 certification costs in Australia vary based on your organisation’s size, complexity, and how much work is required to close gaps. For Australian businesses, expect total costs between $20,000 and $70,000 for the initial year. This includes audit fees, consulting or advisory support, compliance tools, staff training, and any technical work needed to implement controls.
Certification body fees typically range from $10,000 to $25,000, depending on the scope and number of employees. Consulting support adds $10,000 to $40,000 depending on whether you use a full-service consultant, a compliance platform, or a DIY approach. Internal audits, penetration testing, and training can add another $5,000 to $15,000.
Annual surveillance audits cost $5,000 to $15,000. Smaller organisations with simpler environments will sit at the lower end of the range, while larger businesses with complex IT infrastructure will spend more.
Siege Cyber offers fixed-price ISO 27001 packages that cover the entire certification process with no hourly billing or surprises. Our packages include gap analysis, policy and procedure templates, implementation support, internal audit services, and a guarantee that you will pass your certification audit. Visit siegecyber.com.au/#compliance-pricing to see detailed pricing and what is included.
Why Australian Businesses Pursue ISO 27001
ISO 27001 is recognised globally as the leading information security standard. For Australian organisations, certification demonstrates compliance with local regulations like the Privacy Act and APRA CPS 234, which requires financial services entities to maintain robust information security capabilities.
ISO 27001 also meets customer expectations, particularly in industries like SaaS, cloud services, professional services, and managed IT. Enterprise buyers often require ISO 27001 as part of procurement processes, and the certificate provides assurance that your organisation manages data securely.
The process of achieving certification strengthens your security posture by formalising risk management, documenting controls, and creating a culture of continuous improvement. Even if customers do not ask for the certificate, the work involved makes your organisation more secure and resilient.
Getting Started with ISO 27001
If you are considering ISO 27001 certification, start with a gap analysis to understand where you currently stand and what needs to be done. This allows you to plan the timeline, budget, and resources required to achieve certification without surprises.
Siege Cyber specialises in ISO 27001 certification for Australian businesses. We provide end-to-end support including gap analysis, ISMS implementation, policy development, internal audits, and readiness preparation for Stage 1 and Stage 2 audits. As an official partner of Vanta and Drata, we also help businesses that have adopted compliance platforms but need expert guidance to complete the certification process.
Siege Cyber works with businesses across Brisbane, Sydney, and throughout Australia to deliver audit-ready penetration tests that satisfy ISO 27001 requirements. We’ve helped numerous organisations achieve certification, and every single one has passed their audit on the first attempt.
Siege Cyber has been helping businesses across Australia with penetration testing, compliance, and cyber risk for over 20 years. If you’d like to discuss what type of testing makes sense for your organisation, or if you’re preparing for an ISO 27001 or SOC 2 audit and need testing as part of that process, get in touch.
You can reach us at siegecyber.com.au or email [email protected] directly. We’re based in Brisbane but work with clients across the country.