## Introduction
ISO 27001 is the international standard for information security management systems (ISMS). For small and medium businesses, achieving certification can feel overwhelming, but it does not have to be. This checklist breaks the process into manageable steps so your team can work toward certification methodically, even without prior experience.
The standard is divided into two main parts: the management system requirements (Clauses 4-10) and Annex A, which contains 93 reference controls organized into four themes. You do not need to implement every single Annex A control, only those relevant to your organization's risk profile.
## Step 1: Define the Scope
Before anything else, determine what your ISMS will cover. For most SMBs, this means the entire organization, but you can also scope it to a specific product, department, or location.
Key questions to answer:
- Which business processes handle sensitive data?
- Which IT systems support those processes?
- Are there regulatory requirements (GDPR, NIS2) that influence the scope?
Document your scope clearly. Auditors will evaluate your ISMS strictly within these boundaries.
## Step 2: Conduct a Gap Analysis
A gap analysis compares your current security posture against ISO 27001 requirements. Walk through each clause and Annex A control and rate your current maturity:
- **Not implemented**. No control exists
- **Partially implemented**. Some measures are in place but not formalized
- **Fully implemented**. Control is documented, operational, and reviewed
This exercise produces a clear picture of how much work lies ahead. Most SMBs find they already cover 30-50% of controls informally; they just need to document and formalize them.
## Step 3: Perform a Risk Assessment
ISO 27001 is a risk-based standard. You must identify information security risks, evaluate their likelihood and impact, and decide how to treat them.
A practical approach for SMBs:
1. List your information assets (databases, cloud services, employee devices)
2. Identify threats to each asset (ransomware, insider threats, misconfiguration)
3. Assess the likelihood and business impact of each threat
4. Decide on treatment: mitigate, accept, transfer, or avoid
Document your risk assessment methodology and results. This becomes a living document you will revisit regularly.
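The four steps above map naturally onto a small risk register. The Python below is an added example, not code from the original article or from any product it mentions: it scores each asset/threat pair as likelihood times impact on assumed 1-5 scales, flags everything at or above an assumed risk-appetite threshold as needing treatment, re-scores residual risk after a control is applied, and refuses to record an "accept" decision on an above-appetite risk without a written justification. The scales, the threshold and the sample assets are constructed assumptions, not values prescribed by ISO 27001.

```python
"""Minimal risk register for the four-step assessment above.

Added example, not code from the original page. The 1-5 scales, the
risk-appetite threshold and the sample assets are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)    # assumed: 1 (rare / negligible) .. 5 (almost certain / severe)
RISK_APPETITE = 10     # assumed: score >= 10 must be treated; below it may be accepted
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}   # the four ISO 27001 options


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject values outside the ordinal scale so scores stay comparable.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"likelihood and impact must be 1..5: {self}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def needs_treatment(self) -> bool:
        return self.score >= RISK_APPETITE


def residual(risk: Risk, likelihood_reduction: int = 0, impact_reduction: int = 0) -> Risk:
    """Re-score a risk after a mitigating control, never dropping below the scale floor."""
    return Risk(
        risk.asset,
        risk.threat,
        max(SCALE.start, risk.likelihood - likelihood_reduction),
        max(SCALE.start, risk.impact - impact_reduction),
    )


def build_register(risks):
    """Return the register sorted by score, highest first, with the required decision."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score, reverse=True):
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "decision": "treat" if r.needs_treatment() else "accept or treat",
        })
    return rows


def decide(risk: Risk, treatment: str, justification: str) -> dict:
    """Record a treatment decision; accepting a risk above appetite needs a justification."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "accept" and risk.needs_treatment() and not justification.strip():
        raise ValueError("accepting a risk above appetite requires a documented justification")
    return {"risk": risk, "treatment": treatment, "justification": justification}


# Constructed sample register for a small SaaS company (illustrative values only).
SAMPLE = [
    Risk("customer database", "ransomware", 3, 5),
    Risk("laptops", "loss or theft", 4, 3),
    Risk("cloud storage bucket", "misconfiguration exposes data", 3, 4),
    Risk("office printer", "unauthorised use", 2, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['score']:>2}  {row['asset']:<22} {row['threat']:<32} {row['decision']}")
    # Hypothetical: tested offline backups plus endpoint protection lower likelihood by 2.
    after = residual(SAMPLE[0], likelihood_reduction=2)
    print("residual ransomware score after controls:", after.score)
```

The register rows are what you would paste into the risk assessment document from Step 3; the `decide` records, with their justifications, are the evidence an auditor asks for when checking that risks above appetite were consciously treated rather than silently accepted.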
## Step 4: Write Your Policies
ISO 27001 requires a set of documented policies. At minimum, you need:
- **Information Security Policy**. Your top-level commitment to security
- **Risk Assessment Methodology**. How you identify and evaluate risks
- **Statement of Applicability (SoA)**. Which Annex A controls apply and why
- **Access Control Policy**. Who can access what, and how access is granted
- **Incident Response Policy**. How you detect, report, and respond to incidents
- **Business Continuity Plan**. How you maintain operations during disruptions
Keep policies concise and practical. A 3-page policy that people actually read is worth more than a 30-page document nobody opens.
## Step 5: Understand Annex A at a Glance
The 2022 revision of ISO 27001 organizes Annex A into four themes:
- **Organizational controls (37 controls)**. Policies, roles, responsibilities, threat intelligence, asset management, access control, supplier relationships
- **People controls (8 controls)**. Screening, terms of employment, awareness training, disciplinary process, responsibilities after termination
- **Physical controls (14 controls)**. Physical security perimeters, entry controls, protecting against environmental threats, equipment maintenance
- **Technological controls (34 controls)**. Endpoint security, access rights, cryptography, secure development, vulnerability management, logging, network security
For each control, document whether it applies (in your SoA), how you implement it, and what evidence demonstrates compliance.
## Step 6: Implement and Train
With policies drafted and controls defined, put them into practice:
- Deploy technical controls (MFA, encryption, endpoint protection)
- Train all employees on security awareness
- Assign control owners who are responsible for maintaining each control
- Set up processes for incident reporting, access reviews, and change management
Most SMBs can complete implementation in 8-12 weeks if they stay focused.
## Step 7: Internal Audit and Management Review
Before your certification audit, you must conduct an internal audit and a management review:
- **Internal audit**. An independent review of your ISMS against ISO 27001 requirements. This can be done by a trained internal team member or an external auditor.
- **Management review**. A formal meeting where leadership reviews the ISMS performance, risk status, audit findings, and improvement opportunities.
Document both thoroughly. Auditors will ask for evidence of each.
## Step 8: Certification Audit
The certification audit happens in two stages:
- **Stage 1 (Document review)**. The auditor reviews your documentation to confirm your ISMS is designed correctly
- **Stage 2 (Implementation review)**. The auditor verifies that your ISMS is operational and effective through interviews, evidence review, and observation
Address any non-conformities promptly. Minor non-conformities do not block certification, but major ones require resolution before a certificate is issued.
## Timeline for SMBs
A realistic timeline for a 50-200 person company:
- Weeks 1-2: Scope definition and gap analysis
- Weeks 3-4: Risk assessment
- Weeks 5-8: Policy writing and control implementation
- Weeks 9-10: Employee training and awareness
- Week 11: Internal audit
- Week 12: Management review
- Weeks 13-16: Certification audit (Stage 1 + Stage 2)
With a dedicated effort, most SMBs can achieve certification in 3-4 months. Platforms like KaitoSec can compress this further by automating gap analysis, risk scoring, and policy generation.