ISO/IEC 27001 readiness

This page helps structure our documentation if we decide to pursue ISO/IEC 27001 certification. It is not a claim of certification.

How to use this page

Treat this as a living checklist: link to canonical docs where they exist, and record gaps without guessing.

What ISO 27001 typically expects (documentation artifacts)

The exact set depends on scope and auditor expectations, but a typical ISO 27001 program needs:

• An ISMS scope statement and governance (roles, responsibilities).
• An information security policy and measurable objectives.
• A risk assessment approach (methodology) and an active risk register.
• A Statement of Applicability (SoA) and risk treatment decisions.
• Documented policies/procedures for relevant control areas (people, access, operations, continuity, suppliers, etc.).
• Control of documented information (document control).
• Evidence of internal audits, management review, and corrective actions.

Current coverage (high-level)

This is a navigation map to the policies we already have.

Area	Current canonical docs	Notes / gaps
ISMS scope	ISMS scope (draft)
Information security policy	Information security policy (draft)
Information security objectives	Information security objectives (draft)
Risk management	Risk management
Document control	Document control (draft)
Internal audit	ISMS internal audit (draft)
Management review	ISMS management review (draft)
Corrective action	Nonconformity and corrective action (draft)
Access control	Access control policy
Information handling	Information classification policy
Retention & deletion	Data retention and deletion policy
Incident management	Incident response procedure
Vulnerability management	Vulnerability management procedure
Backup & recovery	Backup and recovery policy
Business continuity	BCDR plan
Supplier security	Suppliers
Secure development	Secure development (draft)
Change management	Change management (draft)
Compliance positioning	Compliance & alignment	This page is for external questions; ISO readiness work should live here.
Confidentiality agreements	NDA defaults

Common gaps to plan for

These are common policy/evidence areas teams usually need to add when preparing for ISO 27001:

• Top-level information security policy — see Information security policy (draft).
• Information security objectives and measures — see Information security objectives (draft).
• Control of documented information — see Document control (draft).
• Internal audits, management review, corrective actions — see ISMS internal audit (draft), ISMS management review (draft), and Nonconformity and corrective action (draft).
• Risk management (methodology, risk register, treatment decisions, SoA) — see Risk management.
• Supplier security (vendor onboarding, due diligence, review cadence) — see Suppliers.
• Secure development (SDLC controls, change management, code review expectations) — see Secure development (draft) and Change management (draft).
• Logging/monitoring and auditability (what is logged, retention, access to logs).
• HR security (onboarding/offboarding, training, acceptable use).