ISO 27001 Certification Checklist for SaaS Companies
A step-by-step ISO 27001 certification checklist covering every phase from gap analysis to certification audit. Built for SaaS teams pursuing ISO 27001.
GRCTrail Team
ISO 27001 certification is a multi-phase project — and the SaaS companies that approach it as a structured, phased effort are the ones that achieve certification without burning out their teams or blowing their budgets. Treating certification as a scramble in the weeks before the auditor arrives leads to gaps, nonconformities, and delays that cost more than doing it right from the start.
This checklist covers the full certification lifecycle: from your initial gap analysis through ISMS implementation, internal audit, management review, and the two-stage certification audit — plus ongoing surveillance. Each section links to a detailed guide where you can dive deeper into specific topics.
If you’re new to ISO 27001 entirely, start with our What Is ISO 27001? guide for the foundational concepts before working through this checklist.
Phase 1: Gap Analysis and Current State Assessment
Before you build anything, you need to understand where you stand. A gap analysis compares your current information security practices against ISO 27001’s requirements and identifies exactly what needs to change.
Assess Your Existing Security Practices
Map your current controls, policies, processes, and documentation against ISO 27001’s requirements (Clauses 4-10) and the 93 Annex A controls. Be honest about what exists versus what you think exists — “we do that informally” is a gap, not a control.
What to look for:
- Written policies versus unwritten conventions
- Documented procedures versus tribal knowledge
- Formal controls with evidence versus ad hoc practices
- Assigned roles and responsibilities versus assumed ownership
- Regular reviews and measurements versus set-and-forget implementations
SaaS example: Your engineering team uses role-based access control in AWS, enforces MFA, and rotates credentials — but there’s no written access control policy, no formal access review schedule, and no documented process for granting or revoking access. Technically, you have access controls. From an ISO 27001 perspective, you have a significant documentation gap.
Identify Gaps Against ISO 27001 Requirements
For each ISO 27001 requirement, document whether you are fully conformant, partially conformant, or nonconformant. This produces a clear remediation roadmap with specific items to address.
For a detailed walkthrough of every requirement, see our ISO 27001 Requirements guide.
Common gaps SaaS companies discover:
- No formal ISMS scope definition
- Risk assessment process is informal or inconsistent
- Information security policy exists but hasn’t been reviewed or approved by leadership
- No Statement of Applicability documenting control selection rationale
- Internal audit has never been conducted
- Management review of information security has never occurred as a formal process
- Incident management procedures exist in runbooks but aren’t linked to a formal ISMS process
- Supplier security assessments are done at onboarding but never revisited
Prioritize Remediation
Not all gaps carry equal weight. Prioritize based on:
- Certification criticality: Gaps that would result in major nonconformities during the certification audit must be addressed first. Missing mandatory documentation (risk assessment, SoA, information security policy) falls here.
- Risk level: Gaps that expose the organization to significant information security risk should be prioritized regardless of audit timing.
- Implementation effort: Quick wins (documenting an existing practice) versus heavy lifts (implementing a new control from scratch) should be sequenced to maintain momentum.
- Dependencies: Some controls depend on others — for example, you can’t complete your Statement of Applicability until your risk assessment is done.
Phase 2: Scoping Your ISMS
The scope of your ISMS defines the boundaries of your certification. Everything inside the scope is audited. Everything outside is not. Getting this right determines the cost, complexity, and relevance of your certification.
Define Organizational Scope
Identify which parts of your organization are included. For most SaaS companies, this means the teams that develop, deploy, operate, and support the production platform — engineering, DevOps/SRE, security, IT, and customer support.
Consider carefully:
- Are remote employees in scope? (Almost always yes, for SaaS companies)
- Are contractors and outsourced teams in scope? (If they access systems or data, yes)
- Is your corporate IT environment in scope, or just the production platform? (Usually both, since corporate IT supports the people who operate the platform)
- Are development and staging environments in scope? (Only if they contain production data or directly affect production security)
Define System and Technology Scope
Identify the systems, infrastructure, and technology assets that fall within your ISMS. This includes production infrastructure, CI/CD pipelines, monitoring and alerting systems, identity providers, and communication tools that handle sensitive information.
Define Information Asset Scope
Identify the information assets your ISMS protects — customer data, application code, infrastructure configurations, employee data, business records, and any other information that requires security controls.
Document the Scope Statement
Your ISMS scope statement is a formal, documented boundary definition. It must be specific enough that an auditor can clearly determine what’s in scope and what isn’t. Vague scope statements lead to audit confusion and scope creep.
Phase 3: Building the ISMS Foundation
With your gaps identified and scope defined, you build the core ISMS infrastructure — the policies, processes, and governance structures that everything else rests on.
Establish the Information Security Policy
Your top-level information security policy is the foundational document of your ISMS. It states your organization’s commitment to information security, sets the direction for the ISMS, and must be approved by top management.
This isn’t a 50-page technical document. It’s a concise, strategic statement that establishes the purpose and objectives of your ISMS, commits to satisfying applicable requirements, and commits to continual improvement. Detailed, topic-specific policies (access control, incident management, etc.) sit beneath it.
See our ISO 27001 Policies guide for the complete list of policies you’ll need and how to structure them.
Define Roles and Responsibilities
ISO 27001 requires clear assignment of information security roles and responsibilities. At minimum, you need:
- Top management accountable for the ISMS and committed to providing resources
- ISMS manager or information security lead responsible for establishing, maintaining, and improving the ISMS
- Risk owners responsible for managing identified risks within their areas
- Asset owners responsible for information assets and their security
- All employees responsible for following information security policies and reporting incidents
SaaS example: Your CTO serves as the executive sponsor. Your Head of Security is the ISMS manager. Engineering managers are risk owners for their respective services. Every employee with system access completes security awareness training and acknowledges their responsibilities in the acceptable use policy.
Establish the Document Control Process
ISO 27001 requires controlled documented information — meaning documents must be created, reviewed, approved, distributed, and updated through a managed process. You need version control, review cycles, approval workflows, and a way to ensure people are working from current versions.
SaaS tip: Don’t overthink this. If you use Confluence, Notion, or Google Docs with clear versioning and an approval process, that works. The auditor cares that documents are controlled, not that you use a specific tool.
Phase 4: Risk Assessment
The risk assessment is the analytical engine of your ISMS. It determines which risks your organization faces, how severe they are, and how you’ll treat them. Every control decision in your ISMS should trace back to a risk identified in this assessment.
For the complete methodology, see our ISO 27001 Risk Assessment guide.
Define Your Risk Assessment Methodology
Before assessing risks, document your approach. ISO 27001 requires a repeatable, documented risk assessment methodology that includes:
- Criteria for identifying information security risks
- Criteria for analyzing risks (likelihood and impact scales)
- Criteria for evaluating risks (risk acceptance threshold)
- A process that produces consistent, valid, and comparable results
SaaS example: You define a 5-point likelihood scale (rare to almost certain) and a 5-point impact scale (negligible to critical), producing a 25-cell risk matrix. Risks scoring 15 or above require treatment. Risks below 15 may be accepted with documented justification.
Identify Information Security Risks
Systematically identify risks to the confidentiality, integrity, and availability of information assets within your ISMS scope. Consider:
- Threat sources: External attackers, malicious insiders, negligent employees, natural disasters, technology failures, supply chain compromises
- Vulnerabilities: Misconfigurations, unpatched software, weak authentication, excessive permissions, lack of monitoring, insufficient training
- Impact scenarios: Data breaches, service outages, data corruption, regulatory fines, reputational damage, intellectual property theft
Analyze and Evaluate Risks
For each identified risk, assess the likelihood of occurrence and the impact if it materializes. Plot risks on your risk matrix and compare against your risk acceptance criteria. This produces a prioritized list of risks that require treatment.
Create the Risk Treatment Plan
For each risk above your acceptance threshold, decide on a treatment option:
- Mitigate: Implement controls to reduce likelihood or impact
- Transfer: Share the risk through insurance or contractual arrangements
- Avoid: Eliminate the activity that creates the risk
- Accept: Formally accept the risk (with documented justification and management approval)
Your risk treatment plan maps each risk to specific controls and assigns ownership, timelines, and resources for implementation.
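As an added illustration of the scoring rules in this phase (the two 5-point scales, the 25-cell matrix, the threshold of 15, and the rule that acceptance needs documented justification and management approval), here is a small Python risk register. It is example code written for this page, not GRCTrail's product or a prescribed ISO 27001 artefact; the Risk fields, function names, scale labels for the middle points, and the sample risks are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# 5-point scales from the methodology above; the labels for the middle
# points are constructed for this example.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "critical"}
TREATMENT_THRESHOLD = 15                      # score >= 15 requires treatment
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


@dataclass
class Risk:
    """One row of a risk register (field names are constructed for this example)."""
    risk_id: str
    description: str
    likelihood: int      # 1..5
    impact: int          # 1..5
    owner: str           # risk owner accountable for the decision
    treatment: Optional[str] = None
    justification: str = ""
    approved_by: str = ""

    @property
    def score(self) -> int:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact

    @property
    def requires_treatment(self) -> bool:
        return self.score >= TREATMENT_THRESHOLD


def treatment_required_cells() -> set[tuple[int, int]]:
    """Cells of the 25-cell matrix that land at or above the threshold."""
    return {(l, i) for l in LIKELIHOOD for i in IMPACT if l * i >= TREATMENT_THRESHOLD}


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so critical-impact risks surface first."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def check_treatment(risk: Risk) -> list[str]:
    """Return the gaps an internal auditor would raise for this risk's treatment record."""
    problems: list[str] = []
    if risk.treatment is not None and risk.treatment not in TREATMENTS:
        problems.append(f"unknown treatment option {risk.treatment!r}")
        return problems
    if not risk.requires_treatment:
        # Below threshold: acceptance is allowed but must be justified in writing.
        if risk.treatment == "accept" and not risk.justification:
            problems.append("accepted below threshold without documented justification")
        return problems
    if risk.treatment is None:
        problems.append(f"score {risk.score} >= {TREATMENT_THRESHOLD} but no treatment decision recorded")
    elif risk.treatment == "accept":
        # Above threshold: acceptance needs both a justification and management sign-off.
        if not risk.justification:
            problems.append("accepted above threshold without documented justification")
        if not risk.approved_by:
            problems.append("accepted above threshold without management approval")
    return problems


def audit_register(register: list[Risk]) -> dict[str, list[str]]:
    """Map risk_id -> problems for every risk whose treatment record is incomplete."""
    return {r.risk_id: check_treatment(r) for r in register if check_treatment(r)}


# Constructed sample register for a SaaS platform (not real findings).
SAMPLE_REGISTER = [
    Risk("R1", "Internet-facing production hosts missing security patches", 4, 5,
         "Platform lead", treatment="mitigate", justification="patch SLA and vulnerability scanning"),
    Risk("R2", "Loss of an employee laptop", 3, 2,
         "IT lead", treatment="accept", justification="full-disk encryption and remote wipe enforced"),
    Risk("R3", "Single cloud region outage", 2, 5, "SRE lead"),
    Risk("R4", "Compromise of a third-party CI service token", 3, 5,
         "Engineering manager", treatment="accept"),           # missing justification and approval
    Risk("R5", "Legacy admin console reachable without MFA", 4, 4,
         "Security lead"),                                      # no decision recorded
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        flag = "TREAT" if r.requires_treatment else "ok"
        print(f"{r.risk_id} score={r.score:2d} {flag:5s} {r.description}")
    for risk_id, problems in audit_register(SAMPLE_REGISTER).items():
        print(risk_id, "->", "; ".join(problems))
```

Running the script prints the register in treatment priority order and then lists R4 (accepted at score 15 with neither justification nor approval) and R5 (score 16 with no decision) as the records an internal audit would flag; the check encodes the acceptance rules stated above, so the same function can be run over a real register before the Stage 1 documentation review.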
Phase 5: Selecting and Implementing Controls
With your risk treatment plan in hand, select and implement the controls that mitigate your identified risks. ISO 27001 Annex A provides a reference set of 93 controls, but you can also implement controls from other sources.
For a complete walkthrough of all 93 controls, see our Annex A Controls guide.
Complete the Statement of Applicability
The Statement of Applicability (SoA) is one of the most important documents in your ISMS. It lists all 93 Annex A controls, states whether each is applicable or not, provides justification for inclusion or exclusion, and describes the implementation status.
Why this matters: Your auditor will review the SoA carefully. Excluding a control requires a justification rooted in your risk assessment. “We don’t think it applies” isn’t sufficient — you need to demonstrate that the risks the control addresses are either not present in your environment or are addressed by alternative controls.
Implement Organizational Controls
Deploy the governance, policy, and process controls that establish your security framework:
- Information security policies and topic-specific policies
- Segregation of duties in critical processes
- Contact with authorities and special interest groups
- Threat intelligence monitoring
- Information security in project management
- Information classification and labeling
- Identity management and access control governance
Implement People Controls
Establish the human-element controls that address your workforce:
- Pre-employment screening and background checks
- Employment terms and conditions including security responsibilities
- Security awareness, education, and training programs
- Disciplinary process for information security violations
- Responsibilities after termination or change of employment
- Confidentiality and non-disclosure agreements
- Remote working security requirements
Implement Physical Controls
Address physical security for your offices, equipment, and facilities:
- Physical security perimeters and entry controls
- Securing offices, rooms, and equipment
- Physical security monitoring (CCTV, access badges)
- Protection against environmental threats
- Secure disposal or reuse of equipment
- Clear desk and clear screen policies
Implement Technological Controls
Deploy the technical security mechanisms that protect your systems and data:
- Endpoint device security and mobile device management
- Privileged access management and access control enforcement
- Information access restriction and authentication mechanisms
- Capacity management and protection against malware
- Vulnerability management and patch management
- Logging, monitoring, and alerting
- Network security, segregation, and filtering
- Encryption and key management
- Secure development lifecycle and secure coding practices
- Data backup, redundancy, and business continuity
- Incident management detection and response tools
Phase 6: Documentation
ISO 27001 requires specific documented information, and your auditor will review it thoroughly. Documentation isn’t busywork — it’s the evidence that your ISMS exists, operates, and is maintained.
Mandatory Documented Information
At minimum, you must have:
- ISMS scope statement (Clause 4.3)
- Information security policy (Clause 5.2)
- Risk assessment methodology (Clause 6.1.2)
- Risk assessment results (Clause 6.1.2)
- Risk treatment plan (Clause 6.1.3)
- Statement of Applicability (Clause 6.1.3)
- Information security objectives (Clause 6.2)
- Evidence of competence (Clause 7.2)
- Operational planning and control documentation (Clause 8.1)
- Risk assessment results from periodic assessments (Clause 8.2)
- Risk treatment results (Clause 8.3)
- Monitoring and measurement results (Clause 9.1)
- Internal audit program and results (Clause 9.2)
- Management review results (Clause 9.3)
- Nonconformities and corrective actions (Clause 10.1)
Topic-Specific Policies and Procedures
Beyond the mandatory documents, you’ll need topic-specific policies and procedures that support your Annex A controls. See our ISO 27001 Policies guide for the complete list, including:
- Acceptable use policy
- Access control policy
- Change management procedure
- Incident management procedure
- Business continuity plan
- Backup policy
- Encryption policy
- Supplier security policy
- Data classification and handling policy
- Secure development policy
Documentation Quality Tips for SaaS Companies
- Keep policies concise and actionable. Auditors aren’t impressed by 80-page policies nobody reads. Clear, enforceable policies that employees actually follow are what matters.
- Use your existing tools. If your team lives in Confluence, write your policies in Confluence. If procedures are in runbooks alongside your infrastructure code, that’s fine — as long as they’re controlled and accessible.
- Version and approve everything. Every document needs a version, a review date, and an approver. Set review cycles (at least annually) and stick to them.
- Link documentation to controls. Every Annex A control in your SoA should reference the policies, procedures, and evidence that support it.
Phase 7: Awareness and Training
ISO 27001 requires that everyone working under your ISMS is aware of the information security policy, their contribution to the ISMS, and the consequences of not conforming. Beyond general awareness, people in specific roles need competence relevant to those roles.
General Security Awareness Training
All employees within your ISMS scope must receive information security awareness training. This should cover:
- Your information security policy and what it means for daily work
- Common threats (phishing, social engineering, credential theft)
- Data handling and classification requirements
- Incident reporting procedures — what to report and how
- Acceptable use of company systems and data
- Remote work security requirements
SaaS tip: Run awareness training during onboarding and at least annually thereafter. Track completion and keep records — your auditor will ask for them.
Role-Specific Competence Training
People in security-critical roles need targeted training beyond general awareness:
- Developers: Secure coding practices, OWASP Top 10, code review security expectations
- System administrators / SREs: Hardening standards, access management procedures, incident response roles
- ISMS manager: ISO 27001 requirements, audit management, risk assessment methodology
- Internal auditors: Audit techniques, evidence evaluation, nonconformity classification
- Management: Their role in the ISMS, management review responsibilities, resource allocation decisions
Measure Training Effectiveness
Don’t just track completion — measure whether training actually changes behavior. Consider phishing simulations, knowledge assessments, and tracking security incident trends that correlate with awareness gaps.
Phase 8: Internal Audit
The internal audit is your pre-certification reality check. It verifies that your ISMS conforms to ISO 27001 requirements and your own policies, and that it is effectively implemented and maintained. Auditors expect to see at least one complete internal audit cycle before the certification audit.
For the complete methodology, see our ISO 27001 Internal Audit guide.
Plan the Internal Audit Program
Develop an audit program that covers all ISMS requirements and Annex A controls over a defined cycle. You don’t have to audit everything at once — you can spread audits across the year — but every element must be covered before the certification audit.
Key decisions:
- Audit scope: Which clauses, controls, and processes to audit in each cycle
- Audit frequency: At least annually for the full ISMS, with higher-risk areas audited more frequently
- Auditor selection: Internal auditors must be objective and impartial — they can’t audit their own work. Consider cross-functional auditing (engineering audits operations, operations audits engineering) or engaging an external party for the internal audit.
Conduct the Audit
Internal auditors review documentation, interview process owners, examine evidence, and test controls. They’re looking for:
- Conformity: Do your practices match what your policies and procedures say?
- Effectiveness: Are controls actually reducing the risks they’re designed to address?
- Completeness: Are all ISO 27001 requirements addressed?
- Documentation: Is documented information current, controlled, and accessible?
Report Findings and Track Corrective Actions
Document audit findings as conformities, opportunities for improvement, minor nonconformities, or major nonconformities. For every nonconformity, initiate a corrective action:
- Identify the root cause (not just the symptom)
- Define the corrective action to eliminate the root cause
- Implement the corrective action
- Verify effectiveness after implementation
Track corrective actions to closure. Open nonconformities from your internal audit will be reviewed during the certification audit — having them documented and resolved demonstrates a functioning improvement process.
Phase 9: Management Review
Management review is a mandatory ISMS activity where top management evaluates the ISMS’s performance, suitability, and effectiveness. It ensures leadership remains engaged and makes informed decisions about the ISMS’s direction.
Prepare Management Review Inputs
ISO 27001 specifies what must be considered during management review:
- Status of actions from previous management reviews
- Changes in external and internal issues relevant to the ISMS
- Feedback on information security performance (nonconformities, monitoring results, audit findings, objective achievement)
- Feedback from interested parties
- Results of risk assessment and status of risk treatment plan
- Opportunities for continual improvement
Conduct the Review
Present the inputs to top management and discuss:
- Is the ISMS still aligned with business objectives?
- Are adequate resources allocated?
- Are there changes in the internal or external context that require ISMS changes?
- What improvements should be prioritized?
Document Outputs and Decisions
Management review outputs must include decisions related to continual improvement opportunities and any changes needed to the ISMS. Document the meeting minutes, decisions made, and actions assigned. These records are mandatory documented information that your auditor will review.
SaaS tip: Integrate management review into an existing leadership meeting cadence — quarterly works well. It doesn’t need to be a separate, formal event as long as the required inputs are covered and outputs are documented.
Phase 10: Certification Audit
The certification audit is conducted by an accredited certification body (an independent, external organization — not the same as a consulting firm that helped you implement your ISMS). The audit happens in two stages.
Stage 1 Audit: Documentation Review
The Stage 1 audit is primarily a documentation review. The auditor assesses whether your ISMS documentation is complete and adequate. They review:
- ISMS scope, policies, and objectives
- Risk assessment methodology and results
- Statement of Applicability
- Internal audit results
- Management review records
- Key procedures and operational documentation
What to expect: Stage 1 typically takes 1-2 days (depending on organization size) and may be conducted remotely. The auditor identifies any areas that need attention before Stage 2 and confirms the organization is ready to proceed.
Common Stage 1 issues:
- Missing mandatory documentation
- Risk assessment methodology not clearly defined
- Statement of Applicability incomplete or lacking justification for exclusions
- Internal audit not yet completed
- Management review not conducted or not documented
If significant issues are found, the certification body may delay Stage 2 until they’re resolved.
Stage 2 Audit: Implementation Assessment
Stage 2 is the main audit. The auditor verifies that your ISMS is effectively implemented and operating. They will:
- Interview process owners, system administrators, developers, and management
- Review evidence of control operation (logs, records, configurations, screenshots)
- Test controls to verify they function as described
- Assess the effectiveness of your risk treatment
- Evaluate the competence and awareness of your team
- Review incident records and corrective actions
- Verify that the ISMS is driving continual improvement
What to expect: Stage 2 is conducted on-site (or via video for remote organizations) and typically takes 3-5 days for a mid-sized SaaS company. Multiple auditors may be involved.
SaaS tip: Prepare your team. Engineers, SREs, and security staff will be interviewed. They need to understand the ISMS context — not just their technical work, but how it connects to the policies and controls they’re implementing. A 30-minute briefing before the audit explaining what auditors will ask goes a long way.
Addressing Nonconformities
If the auditor identifies nonconformities:
- Minor nonconformities must be addressed with a corrective action plan. You typically have 90 days to resolve them before the certificate is issued.
- Major nonconformities must be resolved before the certificate can be granted. This may require a follow-up audit to verify resolution.
- Observations / opportunities for improvement are noted but don’t prevent certification. Address them proactively to demonstrate commitment to improvement.
Receiving Your Certificate
Once all nonconformities are resolved, the certification body issues your ISO 27001 certificate. The certificate is typically valid for three years, subject to annual surveillance audits.
Phase 11: Surveillance and Continuous Improvement
Certification is the beginning, not the end. Your ISMS must be maintained and continuously improved throughout the three-year certification cycle.
Annual Surveillance Audits
The certification body conducts surveillance audits — typically annually — to verify your ISMS continues to operate effectively. Surveillance audits are smaller in scope than the initial certification audit but cover key areas and any issues from previous audits.
What surveillance auditors look for:
- Evidence that the ISMS is actively maintained (not shelf-ware)
- Corrective actions from previous audits are implemented and effective
- Internal audits and management reviews continue on schedule
- Changes to the organization, scope, or risk landscape are reflected in the ISMS
- Continual improvement is demonstrable
Recertification Audit
Before your three-year certificate expires, you undergo a recertification audit — similar in scope to the initial Stage 2 audit. Plan for this well in advance. Starting recertification preparation 6 months before expiry gives you adequate time to address any gaps.
Drive Continuous Improvement
Continuous improvement isn’t a phase — it’s the ongoing engine of your ISMS. Feed improvements from:
- Internal audit findings
- Surveillance audit observations
- Incident post-mortems and lessons learned
- Risk assessment updates triggered by business or threat landscape changes
- Employee feedback and training effectiveness measurements
- Industry developments, new threats, and emerging best practices
Track improvements in a structured register, assign ownership, and review progress during management reviews.
How GRCTrail Helps
GRCTrail gives SaaS teams a single platform to manage every phase of ISO 27001 certification — from initial gap analysis through ongoing surveillance and continuous improvement.
- Gap analysis and readiness assessment that maps your current state against every ISO 27001 requirement and generates a prioritized remediation plan
- Risk assessment workflows with structured threat identification, scoring matrices, and treatment tracking that produce audit-ready documentation
- Statement of Applicability generator that maps your risk treatment decisions to Annex A controls and produces a formatted SoA your auditor will accept
- Policy and procedure templates built for SaaS companies, covering every required document with clear, actionable language
- Internal audit management to plan audit cycles, document findings, and track corrective actions to closure
- Continuous monitoring dashboards that track control effectiveness, flag drift, and keep your ISMS audit-ready year-round
Related Guides
- What Is ISO 27001? A Practical Guide for SaaS Companies
- ISO 27001 vs SOC 2: Which Framework Does Your SaaS Company Need?
- ISO 27001 Requirements: Clauses 4-10 Explained
- ISO 27001 Risk Assessment Guide
- ISO 27001 Annex A Controls Explained
- ISO 27001 Statement of Applicability Guide
- ISO 27001 Information Security Policies Guide
- ISO 27001 Access Control Guide
- ISO 27001 Incident Management Guide
- ISO 27001 Supplier Management Guide
- ISO 27001 Internal Audit Guide
- ISO 27001 Continuous Improvement Guide
- ISO 27001 Cost and Timeline for SaaS Companies
- What Is SOC 2? A Practical Guide for SaaS Companies
- SOC 2 Compliance Checklist for SaaS Companies