How to Structure Your ISO 27001 Certification Project in 6 Months
Key steps, pitfalls to avoid and resources needed for a successful ISO 27001 certification — a concrete project plan for Canadian organizations.
ISO 27001 certification is a foundational project that demands rigor, management commitment and dedicated resources. Six months is an ambitious but achievable timeline for organizations that start from an existing documentation base (policies, an asset inventory, some operational procedures); starting from nothing usually takes longer. Here is a proven project plan.
6-month project plan
Scoping and management commitment
- Obtain a formal management mandate (a prerequisite: ISO 27001 requires demonstrable leadership commitment and a sponsor who can allocate budget and people)
- Define the ISMS scope (systems, processes, sites covered)
- Assemble the project team (CISO, DPO, business representatives)
- Choose an accredited certification body (BSI, Bureau Veritas, SGS, etc.) and book the audit dates early, as lead times of several months are common
- Conduct an initial gap analysis to assess maturity level
An overly broad or poorly defined scope is the most common cause of failure: every system, site and process inside the scope boundary will be audited, so draw the boundary deliberately and document what is excluded and why.
Risk analysis and treatment plan
- Choose and document the risk assessment methodology
- Complete the information asset inventory
- Identify threats, vulnerabilities and impacts
- Assess and prioritize risks against the risk appetite defined and approved by management
- Draft the risk treatment plan (treatment option, owner, deadline for each risk) and have risk owners approve it and accept the residual risk
- Draft the Statement of Applicability (SoA)
The SoA lists every Annex A control, states whether it applies to your ISMS, justifies the inclusion or exclusion and records whether it is implemented. It is the document auditors examine most closely, because it ties the risk assessment to the controls; do not neglect it.
Controls implementation
- Implement the priority Annex A controls (93 controls in the 2022 revision, grouped into organizational, people, physical and technological themes)
- Draft or update security policies
- Train staff on policies and procedures
- Implement security incident management
- Document key operational procedures
Prioritize the controls that treat your highest-rated risks; implementing every applicable control in 6 months is unrealistic. Controls that are not yet in place must still appear in the risk treatment plan with an owner and a deadline, so that the auditor sees a managed gap rather than an undocumented one.
Internal audit and management review
- Conduct a full ISMS internal audit
- Document non-conformities and open corrective action plans
- Hold the formal management review with results
- Validate that all required records are in place
- Conduct an incident or business continuity simulation exercise
The internal audit must be conducted by someone independent of the activity being audited: nobody may audit their own work. If the security team is small, use a colleague from another function or an external auditor.
Certification audit (Stage 1 + Stage 2)
- Document review (Stage 1): the auditor verifies the scope, policies, risk assessment and SoA and confirms the ISMS is ready for Stage 2
- Correct minor gaps identified during Stage 1
- On-site audit (Stage 2): verification of effective implementation
- Address any non-conformities within the allotted time: major non-conformities must be closed before the certificate is issued, minor ones need an accepted corrective action plan
- Obtain the certificate (valid 3 years, with annual surveillance audits and a full recertification audit before it expires)
Between Stage 1 and Stage 2, allow 2 to 4 weeks for corrections.
The 5 most common pitfalls
Treating ISO 27001 as an IT project only
Certification concerns the entire organization, not just IT. Management and business units must be involved.
Underestimating the documentation workload
ISO 27001 requires substantial documentation: policies, procedures, records, audit results. Plan the necessary human resources.
Copy-pasting generic policies
Policies must reflect how your organization actually operates. An experienced auditor quickly spots a policy that nobody applies by asking staff how they do their work and comparing the answer with the document.
Neglecting staff training
Both the main clauses of the standard (competence and awareness) and Annex A require staff to be security-aware, and the auditor will ask for evidence. Without attendance records and training content you can show, non-conformities are very likely.
Forgetting surveillance audits
Certification lasts 3 years with annual surveillance audits, which check that the ISMS is still operating: internal audits, management reviews, risk reviews and corrective actions must all continue. An ISMS that goes dormant after the certificate arrives is the fastest way to lose it.
Manage your ISO 27001 certification in CapGRC
Risk register, Statement of Applicability, action plans, internal audits — everything needed for your ISMS, integrated into your GRC program.
