How to Prepare for ISO/IEC 27001:2022 Certification: A Step-by-Step Practical Guide

Skip the theory. This is the practical, sequential checklist Indian businesses use to go from zero to audit-ready ISMS in 4-6 months. Written by ISO 27001 certified practitioners who run their own ISMS.

Published 08 February 2026 · Codesecure Security Team

Key Takeaways

  • ISO 27001 readiness is a sequential process: scope → gap analysis → risk assessment → policy/control implementation → internal audit → management review → Stage 1.
  • Most failed audits trace back to incomplete risk assessment or a Statement of Applicability that doesn't justify exclusions. Get these right first.
  • Implement controls in the order they need to operate: governance and HR controls first, technical controls second, monitoring controls last.
  • You need at least one complete internal audit cycle and one management review meeting before Stage 1. Without these, the auditor will refuse to proceed.
  • Budget 4-6 months end-to-end for first-time certification. Trying to compress under 3 months is a recipe for failure.

Phase 0: Strategic Decisions Before You Start

Before you write a single ISMS document, make 4 strategic decisions that will shape the entire program. Getting these wrong forces expensive rework later.

Decision 1: Scope. What products, services, locations and teams will be in scope? Too broad means more controls to implement; too narrow risks looking like a token certificate. Most Indian SaaS companies certify just their 'product engineering and customer data processing' organization, explicitly excluding marketing, sales, and finance unless those areas touch customer data heavily.

Decision 2: Certification body. Pick before you start. Different auditors have different styles and quirks. We've found this earlier blog useful for selection guidance. Don't wait until Stage 1 to start contacting auditors; the booking cycle is 6-12 weeks.

Decision 3: Internal lead. Designate one person (typically the CISO, IT Director, or Head of Engineering) as the ISMS owner. They sign off on documents, escalate issues, and represent the ISMS to the auditor. Without a clear owner, decisions get stuck.

Decision 4: Consultant vs in-house. Most Indian SMEs use a consultant because the learning curve for first-time ISO 27001 is steep. If going in-house, allocate 2 full-time-equivalent staff for 4-6 months. Don't try to do this as a part-time side project.

Phase 1: Gap Analysis (Weeks 1-3)

Gap analysis is the first hands-on activity. Map your current security practices against ISO/IEC 27001:2022 requirements and identify what's missing, what's partial, and what's already in place. The output is a remediation backlog ranked by effort and impact.

What to Assess

Cover all 7 mandatory clauses of ISO 27001 (clauses 4 through 10): organizational context, leadership, planning, support, operation, performance evaluation, improvement. Then cover all 93 Annex A controls across the 4 themes (Organizational 37, People 8, Physical 14, Technological 34). For each item, rate as: Implemented (evidence exists), Partial (some evidence, gaps remain), Not implemented, or Not applicable (with justification).

Common Findings in First-Time Gap Analysis

Indian SMEs typically have 40-60% of Annex A controls partially in place from previous security investments but lack the documentation evidence. About 25-35% of controls are not implemented at all, usually formal risk management, supplier security, and HR security controls. About 5-10% of controls are properly implemented with full evidence. Marking 'Not applicable' should be reserved for controls that genuinely don't apply (e.g., cryptographic key management for an organization that doesn't use cryptography), and each exclusion needs a defensible written justification.

  • Use a spreadsheet or ISMS tool with one row per control
  • Capture evidence pointer (file path, system, person) for each implemented control
  • Estimate remediation effort in days for each gap
  • Categorize gaps by priority: Critical (blocks certification), Major (needs work), Minor (improvement)
  • Present the gap report to leadership before Phase 2; they need to commit budget and people

Phase 2: Risk Assessment and Treatment (Weeks 4-6)

ISO 27001's risk management approach is what separates serious ISMSes from policy-only ones. Auditors spend significant time here in Stage 2; they will ask to see your risk register, your treatment decisions, and how risks have evolved over time. Getting this right is non-negotiable.

Start with a documented risk assessment methodology. Most Indian organizations use a simple qualitative approach: likelihood × impact = risk level, on a 5x5 matrix. The methodology should describe how risks are identified, who participates in assessment, how scores are assigned, and what review cycle is used.

Next, build the risk register. Identify risks across people, processes, technology, and external threats. Don't just copy a generic risk list; anchor risks in your actual context: "Unauthorized access to customer database in AWS Mumbai due to weak IAM policies" is a real risk; "Data breach" is not specific enough. Most Indian SMEs end up with 30-60 distinct risks in their first register.

Risk Treatment Decisions

For each risk, decide one of 4 treatments: Treat (implement controls to reduce likelihood/impact), Transfer (insurance or third-party shifts risk), Avoid (stop the risky activity), or Accept (acknowledge and live with it, with sign-off). The risk treatment plan documents each decision with the responsible person, target completion date, and current residual risk after treatment.

Statement of Applicability (SoA)

The SoA is the single most important ISMS document. It lists all 93 Annex A controls, states whether each applies to your scope (with reason for exclusion if not), describes implementation status, and references the procedure or evidence. Auditors compare your SoA against your risk treatment plan to confirm alignment. Common mistake: writing 'Implemented' against every control without specific implementation details. Real auditors require a sentence or two per control describing HOW it's implemented in your context.
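As an added example (not from the original post or Codesecure's own material), the Python below models a small risk register and SoA, scores each risk on the 5x5 likelihood × impact matrix described above, and runs the alignment check an auditor performs: a 'Treat' risk relying on a control the SoA excludes, an 'Accept' with no sign-off, and an SoA row with no implementation or exclusion text all come back as findings. The risk-level bands, the Annex A identifiers chosen and the sample entries are assumptions for illustration.

```python
# Added example (not from the post): 5x5 risk scoring plus a treatment-plan vs SoA
# cross-check. Bands, Annex A ids chosen and the sample entries are constructed.
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    treatment: str                  # Treat / Transfer / Avoid / Accept
    controls: list = field(default_factory=list)  # Annex A ids that treat it
    signed_off: bool = False        # management sign-off, required for Accept

@dataclass
class SoAEntry:
    control: str      # Annex A id, e.g. "A.5.15"
    applicable: bool
    detail: str       # HOW it is implemented here, or why it is excluded

def risk_level(likelihood, impact):
    """Qualitative 5x5 matrix: likelihood x impact, banded (bands assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5")
    score = likelihood * impact
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def check_alignment(risks, soa):
    """Findings where the register, treatment plan and SoA disagree."""
    findings, applicable = [], {e.control for e in soa if e.applicable}
    for r in risks:
        if r.treatment == "Treat" and not r.controls:
            findings.append(f"{r.rid}: 'Treat' but no control named")
        if r.treatment == "Accept" and not r.signed_off:
            findings.append(f"{r.rid}: 'Accept' without management sign-off")
        for c in r.controls:
            if c not in applicable:
                findings.append(f"{r.rid}: treated by {c}, which SoA excludes")
    for e in soa:
        if not e.detail.strip():  # bare 'Implemented' is the classic mistake
            kind = "implementation detail" if e.applicable else "exclusion justification"
            findings.append(f"{e.control}: missing {kind}")
    return findings

def demo():  # constructed sample: two register entries, two SoA rows
    risks = [Risk("R-01", "Unauthorized access to customer DB in AWS Mumbai via weak IAM",
                  4, 5, "Treat", ["A.5.15", "A.8.5"]),
             Risk("R-02", "Legacy VPN appliance out of vendor support", 2, 3, "Accept")]
    soa = [SoAEntry("A.5.15", True, "IAM least-privilege roles; quarterly access review"),
           SoAEntry("A.8.5", False, "")]
    return risk_level(4, 5), risk_level(2, 3), check_alignment(risks, soa)
```

Running `demo()` returns "High" and "Low" for the two risks and three findings, each of which would be a Stage 2 question if left in the real documents.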

Phase 3: Policies and Procedures (Weeks 6-10)

ISO 27001:2022 has a relatively small set of mandatory documented information. You don't need 50 policies. You need a focused set that maps to your context and actually gets followed.

Mandatory Documents

At minimum: Information Security Policy, ISMS Scope, Risk Methodology, Risk Assessment Results, Risk Treatment Plan, Statement of Applicability, Information Security Objectives, Internal Audit Programme, Management Review Records, Documented operating procedures for critical controls. Many Indian SMEs add: Acceptable Use Policy, Access Control Policy, Incident Response Plan, Business Continuity Plan, Supplier Security Policy, Data Classification Policy, Cryptography Policy. Total: 12-18 documents, not 30+.

Procedures vs Policies

Policy = what we will do and why. Procedure = step-by-step how to do it. ISO 27001 auditors want both for critical controls. For example: "Access Control Policy" says all access is least-privilege and reviewed quarterly; "Access Review Procedure" describes who runs the review, what reports are generated, how findings are tracked, and where the evidence is filed.

Avoiding Policy Theatre

The biggest failure mode in policy writing: producing beautiful 30-page policy documents that nobody reads and nobody follows. Auditors detect this immediately by interviewing staff. If your engineers don't know what the cryptography policy says, the policy is theatre. Keep policies short (3-8 pages), written in plain English, mapped to actual operational procedures, and reviewed annually with version control.

Phase 4: Control Implementation (Weeks 8-16)

Most of the calendar time goes into actually implementing the technical and organizational controls. Sequence matters: foundation controls first, then operational, then monitoring.

  • Foundation (Weeks 8-10): Asset register, information classification, access control baseline, identity management, HR security (background checks, NDAs, onboarding/offboarding processes), supplier register.
  • Operational (Weeks 10-13): Vulnerability management, patch management, backup and recovery, change management, capacity management, secure development lifecycle (if you build software).
  • Technical (Weeks 11-14): Cryptography standards, network segmentation, secure configurations, malware protection, web filtering, configuration management.
  • Monitoring (Weeks 13-16): Logging architecture, log review procedures, security event monitoring, incident response process, threat intelligence integration.

Phase 5: Internal Audit and Management Review (Weeks 16-20)

Before Stage 1, you must complete: at least one full internal audit cycle covering all clauses and controls, at least one management review meeting with documented outcomes, and corrective actions for findings from both. Auditors will refuse to do Stage 1 without these.

Internal Audit

Conduct a structured audit of your ISMS using the same standard your external auditor will use (ISO/IEC 27001:2022 and ISO 19011 audit methodology). Internal auditors must be independent of the area they audit (the engineer running access controls can't audit access controls). For small companies, this often means rotating audit responsibilities or engaging a consulting firm just for the audit. Document findings honestly; minor non-conformities in internal audit are normal and expected.

Management Review

Top management (CEO, CISO, IT Director, the actual decision-makers) review the ISMS performance at least annually. Mandatory inputs: status of previous management review actions, changes in internal/external context, information security performance metrics, internal/external audit results, risk treatment status, opportunities for improvement. Outputs: decisions on changes, resource allocation, objectives. Document everything; this is gold for the auditor.

Final Pre-Stage 1 Checklist

Two weeks before the Stage 1 audit, run this final checklist. Anything missing here will cause the Stage 1 to fail and Stage 2 to be delayed by 4-6 weeks at minimum.

  • ✅ All mandatory documents finalized and approved by top management
  • ✅ Risk register reviewed in last 90 days with documented evidence
  • ✅ Statement of Applicability covers all 93 controls with justified status
  • ✅ All 'Implemented' controls have at least one evidence record from the last 30 days
  • ✅ Internal audit completed with findings tracked to closure or accepted with reason
  • ✅ Management review meeting held with documented attendance, agenda, decisions
  • ✅ Security awareness training records exist for all in-scope staff
  • ✅ Incident response process tested with at least one tabletop exercise
  • ✅ Access review completed for at least one cycle with records
  • ✅ Supplier register classified by risk with annual review evidence
  • ✅ Top management aware of certification audit timeline and available for opening/closing meetings

Frequently Asked Questions

What documents are mandatory for ISO 27001:2022?

The mandatory documented information includes: ISMS Scope, Information Security Policy, Risk Assessment Methodology, Risk Assessment Results, Risk Treatment Plan, Statement of Applicability, Information Security Objectives, evidence of competence (training records), evidence of monitoring/measurement, Internal Audit Programme and Results, Nonconformity and Corrective Action records, and Management Review records. Many organizations add: Acceptable Use Policy, Access Control Policy, Cryptography Policy, Incident Response Plan, Business Continuity Plan. Total typically 12-18 documents.

How do I scope my ISMS correctly?

Define scope by: (1) products/services included, (2) physical locations included, (3) organizational units included, (4) information assets included, (5) external dependencies. The most successful approach is a narrow, deep scope (one product line + the org that supports it) rather than broad, shallow (all of company). You can expand scope later if needed. Avoid the common trap of certifying 'everything' on first attempt.

Can I use a Statement of Applicability template?

Use a template as starting structure (list of 93 controls), but the content for each control must be original to your organization. Auditors will catch generic boilerplate immediately. For each applicable control, write 1-3 sentences describing exactly how it's implemented in your context (which system, which person owns it, where evidence lives). For each excluded control, write a defensible justification (why it doesn't apply to your scope).

How long should our policies be?

Aim for 3-8 pages per policy. Information Security Policy is usually 5-10 pages and signed by the CEO. Operational procedures (like 'Access Review Procedure') can be 2-5 pages. Avoid the trap of 30-page policies that bury the important parts. Auditors prefer concise, operational documents over impressive-looking but unusable manifestos.

What if our risk assessment identifies risks we can't fix immediately?

Document them in the risk register with the 'Accept' treatment, including the justification, the residual risk level, and top management sign-off. Acceptance is a valid treatment under ISO 27001; auditors don't expect every risk to be reduced to zero. What they expect is honest evaluation and conscious decisions. Don't pretend risks don't exist.

How do I conduct an internal audit if I'm a small team?

Three options: (1) Rotate internal audits across team members for areas they don't own (the network engineer audits HR controls; the HR lead audits network controls). (2) Engage an external Lead Auditor for a one-off internal audit (typical cost INR 2-4 lakh for a one-week engagement). (3) Hire a fractional ISMS Auditor for ongoing internal audit (INR 50,000-100,000/month). The third option is increasingly popular for SMEs.

What's the most common reason organizations fail Stage 2?

By a wide margin: documented controls that aren't actually operating. The Statement of Applicability claims a control is 'Implemented,' but when the auditor asks for evidence from the last 30 days, none exists. The fix: do a hard internal review 4 weeks before Stage 2 and pull actual evidence for every 'Implemented' control. If you can't pull evidence, the control isn't really implemented.

Codesecure Security Team

ISO/IEC 27001:2022 Certified Compliance Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and has helped 50+ Indian businesses achieve certification with JAS-ANZ accredited auditors. We deliver fixed-price ISO 27001 readiness programs with named consultants, audit-ready evidence packs, and a guarantee your certification body accepts.

Audit-Ready in 4-6 Months, Guaranteed

Codesecure runs ISO/IEC 27001:2022 readiness programs with named senior consultants, fixed pricing, and a working ISMS your auditor accepts. We are ISO 27001 certified ourselves, so we know exactly what auditors look for. 50+ Indian businesses certified.