Achieving ISO 27001 certification from your ISMS requires five structured phases: defining scope and mapping assets, selecting standards and ambition level, implementing and cross-mapping controls, generating a live Statement of Applicability, and establishing a continuous internal audit cycle. Organisations that use a dedicated GRC platform like NorthGRC significantly reduce manual documentation effort and maintain year-round audit readiness — rather than scrambling in the weeks before an external audit.
For most compliance teams, the path to ISO 27001 certification looks the same: a shared drive full of half-finished spreadsheets, a frantic four-week sprint before the external audit, and a creeping fear that when your CISO leaves, so does all the institutional knowledge.
The standard itself is rigorous and well-designed. The problem is rarely the framework — it is the tooling, or the lack of it.
This roadmap walks through the five phases of an ISO 27001 certification journey as it should work: structured, evidence-driven, and built for organisations that need to stay compliant across multiple frameworks simultaneously.
Before you can implement a single control, you need a clear boundary around your organisation's critical systems, processes, data flows, and third-party relationships. Every ISMS begins with this deceptively simple question: what exactly are we trying to protect?
An unowned asset is an invisible risk — and invisible risks have a way of surfacing at the worst possible moment. Without explicit ownership, controls go unimplemented, and evidence goes uncollected.
In NorthGRC's Records and Risk module, asset inventories and vendors can be imported via APIs, structured templates, or a bulk Excel upload. Each asset is assigned an owner — a named individual or team — ensuring nothing sits without accountability. If your scope is poorly defined at this stage, your Statement of Applicability will be contested, and your external auditor will have questions you would rather not answer in the room.
Explore the Records module here →
Most organisations make the mistake of treating ISO 27001 certification as an all-or-nothing leap. The smarter approach is to establish a baseline — typically via a gap analysis — and calibrate the implementation to what is genuinely achievable at your current maturity stage.
Compliance overload is real. Organisations that try to implement every conceivable control simultaneously often stall entirely. A calibrated starting point keeps momentum and protects team capacity.
NorthGRC makes it easy to begin an ISO 27001 implementation by providing immediate access to the relevant standards and guidance. The platform's Certification ambition level helps organisations stay focused by highlighting the controls, tasks, and documentation typically expected during a certification audit.
By presenting only the most relevant activities for certification, teams can avoid unnecessary administrative work and focus on building an effective, audit-ready information security management system.
See how NorthGRC's Certification Ambition Level works →
ISO 27002 organises its controls across four domains. Working through them systematically is the operational core of any certification effort.
| Domain | Examples |
|---|---|
| Organisational | Policies, roles, supplier relationships, incident management |
| People | Screening, training, disciplinary process, remote working |
| Physical | Physical security perimeters, equipment maintenance, clear desk |
| Technological | Access control, cryptography, logging, vulnerability management |
Most EU enterprises are simultaneously navigating ISO 27001, NIS2, and GDPR. The traditional approach — separate workstreams, separate documentation, separate owners — creates enormous duplication and makes it nearly impossible to maintain consistency across frameworks.
NorthGRC is built around a Connected Compliance approach, where regulatory frameworks are already mapped against one another. This means that work completed for ISO 27001 can automatically support compliance efforts across other relevant frameworks, such as NIS2 and GDPR, reducing duplication and helping teams maintain consistency.
The platform also encourages a structured approach to control implementation. Whether a control is fully implemented, partially implemented, or intentionally excluded, every decision is documented and supported by a clear rationale. This creates a transparent audit trail and ensures that scope decisions can be justified during certification audits.
To support audit readiness, NorthGRC provides a consolidated view of all applicable controls and requirements. Compliance teams can review, refine, and validate their implementation in one place, making it easier to identify gaps, avoid inconsistencies, and prepare for external assessment with confidence.
See how this works in practice in our customer case study with Aidn.
The Statement of Applicability (SoA) is the centrepiece of any ISO 27001 audit. It demonstrates to the external auditor which controls you have selected, why you selected them, and — equally important — which controls you have excluded and the rationale behind each exclusion.
A weak SoA is the fastest route to a non-conformity finding.
A time-stamped, versioned SoA demonstrates to your auditor that your compliance posture is a genuine, evolving record — not a document retrofitted after the fact. This distinction matters significantly during surveillance audits, where the auditor specifically seeks evidence of continuity.
NorthGRC helps organisations prepare and maintain their Statement of Applicability by connecting it directly to the underlying compliance work already taking place in the platform. Instead of assembling the SoA manually, teams can draw on up-to-date information on control status, responsibilities, justifications, and evidence to create a more accurate, audit-ready document.
When the SoA is ready for review, NorthGRC also supports a controlled audit process. External auditors can be given secure, read-only access to the relevant information, allowing them to verify the organisation’s position directly without relying on static PDF exports, email threads, or fragmented documentation.
This creates a clearer audit trail, reduces manual preparation, and helps ensure that the SoA reflects the organisation’s actual security and compliance posture.
Learn how NorthGRC generates a live SoA →
ISO 27001 certification is not a project — it is a programme. Clause 9.2 mandates a documented internal audit process, and Annex A controls require ongoing monitoring. The organisations that maintain their certification without drama are those that have built compliance into their operational rhythm.
When a CISO or DPO leaves, organisations built around individuals rather than structures often lose critical context. The fix is architectural: assign compliance tasks to teams — IT Security, the Risk Committee, the Privacy Office — rather than named individuals. When someone moves on, you update the team member. The compliance programme stays intact.
Maintaining ISO 27001 certification is not about preparing for an annual audit – it is about embedding compliance activities into day-to-day operations. NorthGRC supports this by helping organisations distribute reviews and control activities throughout the year, creating a more sustainable approach to governance and reducing the risk of compliance becoming a last-minute exercise.
Responsibilities can be assigned at team level, ensuring continuity even as personnel change and helping organisations maintain accountability across the business. Automated reminders and follow-up processes keep reviews on track and provide management with an up-to-date view of compliance status and emerging risks.
Because compliance activities are connected with operational processes, organisations can also demonstrate how real-world events influence their information security programme. Information from areas such as supplier management, risk assessments and incident handling contributes to a more accurate and evidence-based view of control effectiveness. This helps demonstrate to auditors that the ISMS is being actively maintained and improved based on operational reality rather than static documentation.
Based on NorthGRC's experience working with EU compliance teams, these are the structural differences that determine whether certification becomes a sustainable programme or a recurring crisis.
They stop duplicating compliance efforts across frameworks. Implementing controls once and inheriting compliance across ISO 27001, NIS2, and GDPR is not just a convenience — it is a prerequisite for maintaining compliance at enterprise scale without burning out the team.
They treat audit readiness as a continuous state. The frantic four-week preparation period before an external audit is a symptom of a reactive compliance function. With locked document versions accumulating over time and tasks distributed evenly throughout the year, evidence is available before the auditor asks for it.
Ready to build compliance into your operations rather than your calendar? Book a personal demo →