ISO 27001 Certification for Enterprise Technology Teams: A Practical Implementation Guide
A practical guide to ISO 27001 certification for engineering and security teams: scoping the ISMS, implementing controls, managing the Statement of Applicability, and preparing for Stage 1 and Stage 2 audits.
TL;DR — Key Points
1. Scope the ISMS around the commercial certification requirement, not the entire organisation
2. Complete the Statement of Applicability before implementing controls — it is the implementation roadmap
3. Build automated evidence collection into operations from day one rather than assembling it the week before the audit
4. Stage 1 is a documentation review; Stage 2 is a controls effectiveness test — prepare for them differently
Most ISO 27001 implementations fail not because the controls are difficult to implement but because the scope is wrong. Too broad and the project becomes a multi-year compliance programme that never reaches audit readiness. Too narrow and a certificate that covers only a small corner of the business does not satisfy enterprise procurement requirements.
The second failure mode is treating ISO 27001 as a documentation exercise. Auditors increasingly look for evidence of the controls operating effectively, not just policies that say they exist. A policy without a technical control behind it, or a technical control with no evidence log, will generate findings at Stage 2.
This guide covers the four decisions that determine whether your ISO 27001 programme reaches certification or stalls before the audit.
Why ISO 27001 programmes stall before certification
ISO 27001 programmes stall for predictable reasons. The most common is scope creep: an organisation scopes the entire business into its Information Security Management System (ISMS) and discovers that implementing Annex A controls across every department is a multi-year programme. The right scope for a first certification is typically the product and engineering function, data centres or cloud environments, and the people and processes directly supporting them.
The second reason is the Statement of Applicability (SOA) trap. The SOA requires justifying which of the 93 Annex A controls apply and which are excluded. Teams that justify exclusions poorly, or exclude controls that auditors expect to see, generate findings that delay certification. The SOA needs to be written by people who understand both the control library and the actual risk profile of the scoped environment.
The third reason is evidence collection: ISO 27001 requires evidence that controls operate effectively, not just that they are documented. Access review logs, vulnerability scan results, security training completion records, and incident response drill evidence are all expected at Stage 2. Organisations that start evidence collection the week before the audit will not have enough.
Four Decisions That Determine ISO 27001 Certification Outcomes
These four decisions shape whether an ISO 27001 programme reaches certification within budget and timeline, or stalls in implementation.
Scope the ISMS around the commercial certification requirement
The ISO 27001 scope statement defines what is inside the ISMS. A well-scoped ISMS covers the systems, people, and processes required to satisfy your certification objective — typically enterprise sales procurement requirements that ask for an ISO 27001 certificate covering your SaaS product and its supporting infrastructure. Scope that includes HR, legal, and marketing functions adds significant implementation complexity without adding commercial value to the certificate. Define your scope based on the systems that process or store customer data, the cloud infrastructure those systems run on, and the engineering and security personnel who operate them.
Write the Statement of Applicability before implementing controls
The Statement of Applicability (SOA) is the most important document in an ISO 27001 programme. It lists all 93 Annex A controls, states whether each is applicable or excluded, and justifies both decisions. The SOA should be completed before control implementation begins — it is your implementation roadmap. Controls that are excluded must have documented justification. Controls that are applicable but not yet implemented need a planned implementation date. Auditors will review the SOA in detail at Stage 1; finding that it was written after controls were implemented, rather than before, is a yellow flag.
Implement technical controls with automated evidence collection
ISO 27001 Annex A controls that matter most for technology organisations include: A.8 (asset management and access control), A.12 (operations security including vulnerability management and logging), A.14 (system acquisition and development including security in development practices), and A.16 (incident management). Each of these requires both a documented procedure and evidence that the procedure operates. Automated evidence collection — CloudTrail logs exported to S3, access review reports generated monthly from your IAM system, vulnerability scan results from Qualys or Wiz stored in an evidence repository — is far more auditable than manually collected screenshots. Build evidence collection into your regular operations from day one of the programme.
Prepare for Stage 1 and Stage 2 audits differently
Stage 1 is a documentation review: the auditor confirms your ISMS documentation is complete (policies, procedures, SOA, risk assessment, risk treatment plan) and that the scope is correctly defined. Stage 2 is a controls effectiveness audit: the auditor tests whether controls are operating as documented and reviews evidence logs. Common Stage 2 findings include access reviews that are documented but have no evidence of quarterly completion, a vulnerability management policy whose scan results are not being reviewed and remediated, and business continuity procedures with no DR test evidence behind them. The month before Stage 2 should be spent reviewing evidence completeness, not writing new policies.
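As an added example (not code from the original article or from Wolk Inc), the following Python check runs over an evidence inventory and reports the three common Stage 2 findings described above as auditor-style gap statements; the evidence rows, the 12-month audit window and the 30-day remediation SLA for high findings are constructed assumptions.

```python
from datetime import date

# Constructed Stage 2 evidence inventory: (evidence_type, date, metadata). Real rows would
# come from the automated exports described in the text (IAM review reports, scanner exports).
WINDOW = (date(2024, 1, 1), date(2024, 12, 31))  # assumed 12-month audit window
EVIDENCE = [
    ("access-review", date(2024, 2, 15), {"status": "completed"}),
    ("access-review", date(2024, 5, 10), {"status": "completed"}),
    ("access-review", date(2024, 11, 20), {"status": "scheduled"}),  # Q3 missing, Q4 not done
    ("vuln-finding", date(2024, 3, 1), {"id": "F-1", "severity": "high", "closed": date(2024, 3, 20)}),
    ("vuln-finding", date(2024, 9, 1), {"id": "F-2", "severity": "high", "closed": None}),
    # no "dr-test" record at all
] + [("vuln-scan", date(2024, m, 1), {}) for m in range(1, 13) if m != 8]  # August scan missing

def bucket(d: date, months_per_period: int) -> tuple[int, int]:
    """(year, period) for a date: months_per_period=1 gives months, 3 gives quarters."""
    return (d.year, (d.month - 1) // months_per_period + 1)

def periods(start: date, end: date, months_per_period: int) -> set[tuple[int, int]]:
    """Every (year, period) bucket the audit window touches."""
    out, y, m = set(), start.year, start.month
    while (y, m) <= (end.year, end.month):
        out.add((y, (m - 1) // months_per_period + 1))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out

def stage2_gaps(evidence, start: date, end: date, high_sla_days: int = 30) -> list[str]:
    """Auditor-style gap statements for the three common Stage 2 findings."""
    gaps, inwin = [], [(t, d, m) for t, d, m in evidence if start <= d <= end]
    # 1. A *completed* access review per quarter; a scheduled entry or the policy alone is not evidence.
    done = {bucket(d, 3) for t, d, m in inwin if t == "access-review" and m.get("status") == "completed"}
    gaps += [f"access review: no completed review evidenced for {y}Q{q}"
             for y, q in sorted(periods(start, end, 3) - done)]
    # 2. A scan result every month, and each high finding remediated within the SLA (open ones aged to audit date).
    scanned = {bucket(d, 1) for t, d, _ in inwin if t == "vuln-scan"}
    gaps += [f"vulnerability management: no scan result for {y}-{mo:02d}"
             for y, mo in sorted(periods(start, end, 1) - scanned)]
    for t, found, m in inwin:
        if t == "vuln-finding" and m["severity"] == "high" and ((m.get("closed") or end) - found).days > high_sla_days:
            gaps.append(f"vulnerability management: high finding {m['id']} from {found} "
                        f"not remediated within {high_sla_days} days")
    # 3. At least one completed DR test inside the window.
    if not any(t == "dr-test" and m.get("status") == "completed" for t, _, m in inwin):
        gaps.append("business continuity: no DR test evidence in the audit window")
    return gaps

if __name__ == "__main__":
    for gap in stage2_gaps(EVIDENCE, *WINDOW):
        print("GAP:", gap)
```

Running the check monthly against the evidence repository, rather than once before the audit, turns the Stage 2 findings above into items the team closes during the year.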
Correct scope definition, a completed SOA before implementation, automated evidence collection, and distinct preparation for Stage 1 and Stage 2 — these four decisions determine whether certification is achieved in 6-9 months or becomes a multi-year project.
Achieving ISO 27001 certification in 7 months
A 60-person B2B SaaS company engaged Wolk Inc to lead its ISO 27001 certification programme. The company had failed a previous attempt after scoping the entire organisation and running out of implementation capacity before reaching audit readiness.
Wolk Inc rescoped the ISMS to cover the SaaS product, its AWS infrastructure, and the engineering and security team. The SOA was completed in week 3, identifying 67 applicable controls and excluding 26 with documented justification. Technical controls — CloudTrail logging, quarterly access reviews, monthly vulnerability scans, employee security awareness training — were implemented with automated evidence pipelines in weeks 4-14.
The company reached Stage 1 audit in month 5 with zero major non-conformities. Stage 2 was completed in month 7 with two minor findings (both resolved before the certification decision). The certificate scope satisfied the enterprise procurement requirements that had been blocking two significant contract renewals.
Actionable takeaways
- Scope the ISMS around the commercial certification requirement, not the entire organisation
- Complete the Statement of Applicability before implementing controls — it is the implementation roadmap
- Build automated evidence collection into operations from day one rather than assembling it before the audit
- Stage 1 is a documentation review; Stage 2 is a controls effectiveness test — prepare for them differently
- Common Stage 2 findings: access reviews not evidenced, vulnerability findings not remediated, no DR test records
James Okafor
Cloud Security & Compliance Lead · Wolk Inc
Cloud security and compliance specialist at Wolk Inc, focused on SOC 2, HIPAA, and enterprise security architecture for SaaS companies and regulated industries.
Planning an ISO 27001 certification programme?
Wolk Inc leads ISO 27001 implementation programmes for mid-sized technology organisations: ISMS scoping, SOA completion, technical control implementation, evidence pipeline setup, and audit coordination. Book a 30-minute call to discuss your scope, timeline, and certification objectives.
Wolk Inc is a 2021-founded senior-engineer-only DevOps, Cloud, AI and Cybersecurity consulting firm serving US and Canadian enterprises.