
ISO 27001 Certification DIY Guide

This ISO 27001 certification DIY guide outlines 10 practical steps to help organizations kickstart an ISMS internally without hiring a consultant.

10 Practical Steps to Kickstart Your ISMS 

Most organizations don’t start ISO 27001 because they hired a consultant. They start because a deal stalls, a customer asks for certification, or leadership asks: “Are we actually secure?”

If you’re resourceful and ready to roll up your sleeves, you can kickstart ISO 27001 internally.
This guide shows you the right way to start and where DIY teams typically decide to get targeted help.

First: What ISO 27001 Really Is (and Isn’t)

ISO 27001 is NOT:

  • A checklist
  • A tool you install
  • A one-time project

ISO 27001 IS:

  • A management system (ISMS)
  • A structured way to manage risk
  • A continuous program auditors expect to see working

The DIY Roadmap (At a Glance)

If you do nothing else, do these steps in order. This is the “no drama” path to a real ISMS.

Step  | Focus               | What you produce                           | DIY pitfall to avoid
1–2   | Scope + assets      | Scope statement + asset list               | Scope too broad too early
3–4   | Risks + SoA         | Risk register + Statement of Applicability | Spreadsheet sprawl + missing reasoning
5–8   | Policies + evidence | Core policies + operational evidence       | Writing “ideal” policies you don’t follow
9–10  | Audit + review      | Internal audit + management review minutes | Skipping governance (auditors notice)

10 Practical DIY Steps to Kickstart Your ISMS

1) Define the Scope (Don’t Skip This)

Your scope answers one question: which parts of the business does ISO 27001 apply to?
Start small: one product, platform, or business unit. Document the:

  • In-scope systems
  • In-scope data
  • In-scope teams

DIY warning: Most DIY failures start with scopes that are too broad.

2) Identify Your Information Assets

You can’t protect what you haven’t identified. List:

  • Systems: cloud platforms, apps, servers, endpoints
  • Data types: customer data, IP, employee data, financials
  • Processes: deployments, support, backups, access provisioning

3) Perform a Risk Assessment (Simple, Not Perfect)

ISO 27001 doesn’t require complex math. It requires consistent decisions:
identify threats, assess likelihood/impact, and treat risk.

Asset            | Threat              | Impact | Likelihood | Treatment
Customer DB      | Credential theft    | High   | Medium     | MFA + access reviews
Production CI/CD | Unauthorized change | High   | Low–Med    | Change control + approvals

Tip: This is where many teams outgrow spreadsheets and move to an ISMS platform for clean tracking.

4) Choose Applicable Annex A Controls (Build Your SoA)

Not every Annex A control applies to every organization, and that’s normal.
Your job is to review controls, decide applicability, and document reasoning in your Statement of Applicability (SoA).

Audit reality: The SoA is one of the first things auditors ask for.

5) Write Core Policies (Keep Them Practical)

Start with practical policies that reflect how you operate today:

  • Information Security Policy
  • Access Control Policy
  • Incident Response Policy
  • Risk Management Policy
  • Supplier / Vendor Management Policy

DIY trap: Over-engineered policies create nonconformities because teams can’t follow them.

6) Assign Ownership (ISO 27001 Is About Accountability)

Every control needs a named owner (not “IT” and not “the team”). Auditors care about: ownership, awareness, and responsibility.

Quick win: Add control owners directly into your risk register and SoA notes.
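To make steps 3, 4 and 6 concrete, here is an added example (not code from the Canadian Cyber article): a small Python checker for a DIY risk register and Statement of Applicability. It flags risk rows with no treatment decision, owners that name a group instead of a person, and SoA entries with no written reasoning, and it ranks risks on one shared impact × likelihood scale so rows stay comparable. The sample rows, owner names and CTRL-xx control IDs are constructed placeholders, not Annex A control numbers.

```python
from dataclasses import dataclass
from typing import List

# One ordinal scale shared by impact and likelihood. A shared scale is what
# makes "High x Medium" on one row comparable with "High x Low-Med" on the next.
SCALE = {"Low": 1, "Low-Med": 2, "Medium": 3, "High": 4}

# Owner values that name a group rather than a person (compared case-insensitively).
GENERIC_OWNERS = {"", "it", "the team", "team", "security", "everyone", "tbd"}


@dataclass
class Risk:
    asset: str
    threat: str
    impact: str
    likelihood: str
    treatment: str   # the treatment decision; empty means "not decided yet"
    owner: str       # should be a named person

    def score(self) -> int:
        """Impact x likelihood on the shared scale (KeyError if a level is off-scale)."""
        return SCALE[self.impact] * SCALE[self.likelihood]


@dataclass
class SoAEntry:
    control_id: str     # placeholder IDs below; a real SoA cites Annex A control numbers
    applicable: bool
    justification: str  # reasoning for including OR excluding the control
    owner: str          # required only when the control applies


def is_named_owner(owner: str) -> bool:
    return owner.strip().lower() not in GENERIC_OWNERS


def check_risk_register(risks: List[Risk]) -> List[str]:
    """Return one finding per rule a risk row breaks; an empty list means clean."""
    findings = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if r.impact not in SCALE or r.likelihood not in SCALE:
            findings.append(f"{tag}: impact/likelihood not on the shared scale")
        if not r.treatment.strip():
            findings.append(f"{tag}: no treatment decision recorded")
        if not is_named_owner(r.owner):
            findings.append(f"{tag}: owner '{r.owner}' is not a named person")
    return findings


def check_soa(entries: List[SoAEntry]) -> List[str]:
    """Flag SoA rows without reasoning, and applicable controls without an owner."""
    findings = []
    for e in entries:
        if not e.justification.strip():
            verb = "applying" if e.applicable else "excluding"
            findings.append(f"{e.control_id}: no reasoning recorded for {verb} this control")
        if e.applicable and not is_named_owner(e.owner):
            findings.append(f"{e.control_id}: applicable control has no named owner")
    return findings


def top_risks(risks: List[Risk], n: int = 5) -> List[Risk]:
    """Highest-scoring risks first, e.g. for the 'top risks' item of a management review."""
    scored = [r for r in risks if r.impact in SCALE and r.likelihood in SCALE]
    return sorted(scored, key=lambda r: r.score(), reverse=True)[:n]


# Constructed sample rows: the two from the article's table plus one that breaks the rules.
SAMPLE_RISKS = [
    Risk("Customer DB", "Credential theft", "High", "Medium", "MFA + access reviews", "A. Ng"),
    Risk("Production CI/CD", "Unauthorized change", "High", "Low-Med", "Change control + approvals", "B. Roy"),
    Risk("Laptops", "Device loss", "Medium", "Medium", "", "IT"),
]
SAMPLE_SOA = [
    SoAEntry("CTRL-01", True, "Needed to limit access to customer data", "A. Ng"),
    SoAEntry("CTRL-02", False, "", ""),  # excluded, but the reasoning was never written down
]

if __name__ == "__main__":
    for finding in check_risk_register(SAMPLE_RISKS) + check_soa(SAMPLE_SOA):
        print("FINDING:", finding)
    for r in top_risks(SAMPLE_RISKS):
        print(f"{r.score():>3}  {r.asset} / {r.threat}  (owner: {r.owner})")
```

Run it as a script and the two rule-breaking rows show up as findings while the ranked list gives you the "top risks" input for the management review in step 10. The same checks are easy to run on a CSV export of a spreadsheet register, which is usually where DIY teams first notice that half their owners are "IT".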

7) Train Your Team (Yes, Really)

ISO 27001 requires awareness. Keep it simple and repeatable:

  • Security awareness training for all staff
  • Role-specific training for control owners
  • Document attendance and completion

8) Collect Evidence as You Go (Don’t Wait)

Evidence proves your ISMS operates. Examples:

  • Access reviews and approvals
  • Incident logs and lessons learned
  • Risk register updates
  • Policy approvals and review records

Why DIY teams struggle: evidence isn’t centralized, so audit prep becomes a scavenger hunt.

9) Conduct an Internal Audit (Before Certification)

Before certification, you must audit your ISMS: are controls implemented, is documentation consistent, and what needs fixing before the external auditor arrives?

Pro tip: an independent reviewer increases objectivity and catches blind spots.

10) Management Review (The Step Most Teams Forget)

Leadership must review risks, incidents, audit results, and improvement actions.
This demonstrates governance, and auditors take it seriously. The review minutes should cover:

  • Top risks and trends
  • Incident summary
  • Internal audit results
  • Corrective actions and deadlines

Reality Check: Where DIY Teams Usually Hit a Wall

  • Keeping documentation organized as versions multiply
  • Tracking evidence over time (without spreadsheets exploding)
  • Preparing confidently for audits (without last-minute panic)
  • Scaling the ISMS as the business grows

Good news: This is a tooling + structure problem, not a “you failed” problem.

Want to know if your DIY ISO 27001 setup would survive an audit?

Get a quick readiness check and a prioritized fix list so you don’t waste weeks building the wrong things.

How Canadian Cyber Helps DIY Teams Succeed Faster

Canadian Cyber supports teams that want control, not dependency. We help by:

  • Reviewing DIY ISMS setups and closing critical gaps
  • Centralizing policies, risks, and evidence in SharePoint
  • Reducing audit preparation time with structure and automation
  • Providing vCISO support only where it adds measurable value

What DIY teams do                           | What audit-ready teams do
Policies in folders + email approvals       | Version control + workflow approvals in one place
Evidence collected near audit time          | Evidence captured continuously during operations
Risk register becomes a spreadsheet monster | Structured risk tracking with owners, dates, and history

Final Thought

You don’t need a consultant to start ISO 27001. But you do need structure, discipline, visibility, and proof.
The smartest teams combine DIY effort with the right platform and targeted support.

Ready to turn your DIY start into certification-ready momentum?

Get the structure you need without losing ownership: policies, risk, evidence, and audit readiness in one place.
