ISO 27001 readiness: a step-by-step guide
ISO 27001 is the international standard for information security management systems (ISMS). For South African businesses - particularly those in financial services, healthcare, professional services, and technology - achieving certification signals to clients, regulators, and partners that you take information security seriously.
But the path to certification can feel overwhelming. This guide breaks it down into manageable steps, sets realistic timeline expectations, and highlights the areas where organisations most commonly stumble.
Why ISO 27001 matters for South African businesses
Beyond the obvious security benefits, ISO 27001 certification delivers tangible business value:
- Competitive differentiation. Many enterprise clients and government tenders require or prefer ISO 27001-certified suppliers.
- Regulatory alignment. ISO 27001 controls overlap significantly with POPIA requirements, the King IV governance code, and sector-specific regulations.
- Reduced risk. The structured approach to identifying, assessing, and treating information security risks leads to measurably fewer incidents.
- Client confidence. Certification provides independent assurance that is difficult to achieve through self-assessment alone.
- Operational discipline. The management system framework drives consistency and continuous improvement in a way that ad-hoc security programmes do not.
Step 1: Secure leadership commitment
ISO 27001 requires visible management commitment. This is not a tick-box exercise - the certification auditor will look for evidence that senior leadership actively supports and participates in the ISMS.
Actions:
- Brief the executive team on the business case, resource requirements, and expected timeline
- Appoint an ISMS manager or project lead with the authority and bandwidth to drive the programme
- Allocate budget for consulting, tools, training, potential infrastructure upgrades, and the certification audit itself
- Include information security as a standing agenda item at management meetings
Without genuine leadership buy-in, the project will stall when competing priorities arise - and they always do.
Step 2: Define the scope
The scope statement defines what is covered by your ISMS - which locations, business units, systems, processes, and information assets are included.
Guidance:
- Start with a manageable scope. It is better to certify a well-defined portion of your business (e.g. your managed services division or your head office operations) than to attempt an overly broad scope that delays certification.
- Consider your clients’ expectations. If they require you to be certified, the scope must include the services and systems relevant to them.
- Document the scope clearly, including boundaries and interfaces with out-of-scope areas.
- You can expand the scope in subsequent surveillance or recertification cycles.
Step 3: Conduct a risk assessment
Risk assessment is the heart of ISO 27001. The standard requires you to identify information security risks and select appropriate controls to treat them.
Process:
- Identify assets. Catalogue the information assets within your scope - data, systems, applications, people, physical locations, and third-party services.
- Identify threats and vulnerabilities. For each asset, consider what could go wrong (threats) and where weaknesses exist (vulnerabilities). Work with your cybersecurity and security operations team to bring real-world threat intelligence into this process.
- Assess likelihood and impact. Use a consistent methodology - a simple 5×5 risk matrix works well for most organisations.
- Determine risk treatment. For each risk above your defined tolerance, decide whether to mitigate (apply controls), transfer (insurance, outsourcing), avoid (change the process), or accept (document the rationale).
- Map controls to Annex A. ISO 27001 Annex A provides a reference set of 93 controls (in the 2022 version). Select and justify the controls you implement based on your risk assessment, and document any controls you exclude and why.
Common pitfalls:
- Making the risk assessment too theoretical - ground it in your actual environment and threat landscape
- Treating it as a one-off exercise - risk assessments must be reviewed and updated regularly
- Using generic risk registers without tailoring to your context
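The scoring and treatment logic of Step 3, as an added example that is not part of the original article: each risk is scored on the 5×5 matrix, compared with an assumed tolerance of 9 out of 25, and the register is checked for the gaps an auditor would flag (a risk above tolerance with no treatment decision, mitigation with no controls referenced, acceptance without a rationale, residual risk still above tolerance). The sample risks and control names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

TOLERANCE = 9  # assumed tolerance: a score above 9 (of 25) must be treated
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) to 5 (almost certain)
    impact: int      # 1 (negligible) to 5 (severe)
    treatment: str | None = None
    controls: list[str] = field(default_factory=list)  # controls applied when mitigating
    rationale: str = ""  # required when accepting a risk
    residual: tuple[int, int] | None = None  # (likelihood, impact) after treatment

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return self.residual[0] * self.residual[1] if self.residual else self.score()

def check_register(risks: list[Risk], tolerance: int = TOLERANCE) -> list[str]:
    """Return findings an internal auditor would raise; an empty list means consistent."""
    findings = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if r.score() <= tolerance:
            continue  # within tolerance: no treatment decision is required
        if r.treatment not in TREATMENTS:
            findings.append(f"{tag}: score {r.score()} exceeds tolerance but has no treatment decision")
        elif r.treatment == "mitigate" and not r.controls:
            findings.append(f"{tag}: 'mitigate' chosen but no controls referenced")
        elif r.treatment == "accept" and not r.rationale:
            findings.append(f"{tag}: risk accepted without a documented rationale")
        if r.treatment in {"mitigate", "transfer", "avoid"} and r.residual_score() > tolerance:
            findings.append(f"{tag}: residual score {r.residual_score()} still exceeds tolerance")
    return findings

# Constructed sample register (illustrative values, not from the article)
SAMPLE_REGISTER = [
    Risk("Customer database", "Ransomware", 4, 5, "mitigate",
         controls=["Information backup", "Malware protection"], residual=(2, 3)),
    Risk("Legacy file server", "Unpatched service exploited", 4, 4),  # above tolerance, undecided
    Risk("Cloud CRM", "Provider outage", 3, 4, "accept"),  # accepted with no rationale
    Risk("Visitor Wi-Fi", "Unauthorised use", 3, 2),  # within tolerance
]
```

Running `check_register(SAMPLE_REGISTER)` returns two findings (the undecided file-server risk and the undocumented acceptance), which is the kind of gap list to clear before the internal audit.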
Step 4: Develop policies and procedures
ISO 27001 requires documented policies and procedures covering the operation of your ISMS and the controls you have selected.
Core documents you will need:
- Information security policy (the overarching statement of intent, signed by top management)
- Risk assessment and treatment methodology
- Statement of Applicability (SoA) - the document listing all Annex A controls and their applicability status
- Access control policy
- Acceptable use policy
- Incident management procedure
- Business continuity and disaster recovery plan
- Asset management procedure
- Supplier security management policy
- Data classification and handling guidelines
Guidance:
- Write policies that are practical and enforceable, not aspirational fiction. Auditors will check whether you actually follow what you have documented.
- Keep the language clear and accessible. A policy that no one reads provides no value.
- Align with your existing IT governance, risk, and compliance framework where possible - avoid creating a parallel governance universe.
Step 5: Implement controls
With your risk treatment plan and policies in place, implement the technical and organisational controls required.
Technical controls typically include:
- Access management and multi-factor authentication
- Encryption for data in transit and at rest
- Network segmentation and firewall management
- Endpoint detection and response
- Vulnerability management and patching
- Logging and monitoring (SIEM)
- Backup and recovery
Your infrastructure team or managed services provider will be closely involved in this step. Many controls may already be partially implemented - the task is to verify they meet the standard’s requirements and document them properly.
Organisational controls include:
- Security awareness training for all staff
- Background checks for employees in sensitive roles
- Documented onboarding and offboarding procedures
- Supplier due diligence and ongoing management
- Change management processes
- Physical security controls (access to server rooms, offices, data centres)
Step 6: Train your people
ISO 27001 requires that everyone within the scope of the ISMS is aware of the information security policy, their role in maintaining security, and the consequences of non-compliance.
Actions:
- Conduct security awareness training for all employees - not just IT staff
- Provide role-specific training for people with particular responsibilities (system administrators, incident responders, risk owners)
- Keep records of training delivery and attendance
- Reinforce training with regular communications, simulated phishing exercises, and practical reminders
Step 7: Operate the ISMS
Before you can be certified, you need to demonstrate that the ISMS has been operating for a period - typically at least three months, though six months provides a stronger evidence base.
During this period:
- Run the risk assessment and treatment process
- Manage incidents according to your documented procedure
- Conduct supplier reviews
- Track and close non-conformities and improvement actions
- Collect evidence of policy compliance, training, monitoring, and management oversight
This operational evidence is what the auditor will examine. If you implement everything the week before the audit, it will be obvious.
Step 8: Conduct an internal audit
An internal audit is a mandatory requirement. It must be conducted by someone independent of the area being audited - this can be an internal resource from a different department or an external consultant.
The internal audit should:
- Cover the full scope of the ISMS
- Assess conformity with ISO 27001 requirements and your own policies
- Identify non-conformities and opportunities for improvement
- Produce a formal audit report
Address all significant findings before proceeding to the certification audit. Minor non-conformities are acceptable, but major ones will delay certification.
Step 9: Management review
Top management must formally review the ISMS at least annually (more often during implementation). The management review should cover:
- Results of internal audits
- Status of risk treatment actions
- Incident and breach reports
- Feedback from interested parties
- Opportunities for improvement
- Resource adequacy
- Changes to the external or internal context that affect the ISMS
Document the meeting minutes and any decisions or actions arising. This is a key piece of evidence that auditors always request.
Step 10: Certification audit
The certification audit is conducted by an accredited certification body in two stages:
Stage 1 (documentation review)
The auditor reviews your ISMS documentation - policies, risk assessment, SoA, internal audit report, management review minutes - to verify that the management system is designed to meet the standard’s requirements.
This is typically conducted remotely or in a short on-site visit. The auditor will identify any gaps that must be closed before Stage 2.
Stage 2 (implementation audit)
The auditor visits your premises (or conducts the audit remotely for smaller scopes) to verify that the ISMS is implemented, operational, and effective. They will interview staff, review evidence, observe processes, and test controls.
If no major non-conformities are found, the certification body issues the certificate, valid for three years.
After certification:
- Annual surveillance audits verify ongoing compliance
- A full recertification audit is conducted every three years
- Continual improvement is expected - standing still is not an option
Realistic timeline expectations
| Phase | Duration |
|---|---|
| Leadership commitment and planning | 2–4 weeks |
| Scope definition and risk assessment | 4–8 weeks |
| Policy and procedure development | 6–12 weeks |
| Control implementation | 8–16 weeks (overlaps with policy work) |
| ISMS operation and evidence collection | 12–24 weeks |
| Internal audit and management review | 2–4 weeks |
| Certification audit (Stage 1 + Stage 2) | 2–6 weeks |
For most South African mid-sized businesses, expect 9 to 18 months from project kick-off to certification, depending on your starting maturity and resource availability.
Start your journey
ISO 27001 certification is a significant undertaking, but it is achievable for any organisation willing to commit the resources and discipline required. The payoff - in reduced risk, client confidence, and operational maturity - is substantial.
Contact us to discuss where your organisation stands today and how we can help you build a clear, practical path to certification.