Getting Started with ISO 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). Certification demonstrates to customers, partners, and regulators that your organization manages information security systematically. Matproof pre-loads 93 controls based on ISO 27001:2022 Annex A, mapped to your ISMS policies, risk register, and evidence library. This guide walks you through implementation in the recommended order to reach audit-readiness.
To activate ISO 27001, go to Settings → Frameworks → ISO 27001 and click Activate. Your Annex A control set will be pre-populated immediately.

What ISO 27001 Requires at a Glance

ISO 27001 Area | Core Requirement | Matproof Module
Clauses 4-6: Context, Leadership & Planning | Define ISMS scope, interested parties, and risk management approach | Controls, Policies
Clause 7: Support | Documented procedures, competence, awareness, communication | Policies, People
Clause 8: Operation | Risk assessments, treatment plans, Annex A controls | Risk Management, Controls
Clause 9: Performance | Internal audits, management reviews, metrics | Audit Programs
Clause 10: Improvement | Corrective actions for nonconformities | Corrective Actions
Annex A | 93 information security controls across 4 themes | Controls, Evidence

Am I in Scope?

ISO 27001 is voluntary but effectively mandatory if:
  • You sell to enterprise customers who require it in their vendor assessments
  • You process personal data or sensitive customer information
  • You operate in industries with regulatory overlap (finance, healthcare, critical infrastructure)
  • You need a recognized security credential to enter new markets
The standard applies to any organization, any size, any industry.

The 4 Annex A Themes in Matproof

Organisational Controls

37 controls — Policies, roles, asset management, supplier relationships. Start here: these establish the governance foundation all other controls depend on.

People Controls

8 controls — Hiring, training, offboarding, disciplinary process. Managed in the People module. Link employment records and training completions as evidence.

Physical Controls

14 controls — Physical security, clear desk, secure areas. Upload site assessments and physical security documentation as evidence.

Technological Controls

34 controls — Access control, cryptography, logging, malware protection. Automate evidence collection by connecting your cloud and SaaS integrations.

ISO 27001 certification requires two audits: Stage 1 (documentation review) and Stage 2 (implementation audit). This plan prepares you for certification over approximately 16-20 weeks, with Stage 1 readiness by week 12.

Week 1-2 — Define ISMS scope and context

The first thing your auditor will check is whether your ISMS scope is clearly defined and appropriate.

  • Go to Settings → Organization and document your ISMS scope statement
  • Identify interested parties (customers, regulators, employees, partners)
  • List applicable legal, regulatory, and contractual requirements
  • Document what is explicitly out of scope and why

Keep your initial scope narrow. Certifying a single product or business unit is faster and cheaper than certifying the whole company. You can expand scope later.

Week 3-4 — Risk assessment

ISO 27001 Clause 8.2 requires a formal risk assessment as the basis for selecting Annex A controls.

  • Go to Risk Management → New Risk Assessment
  • Identify assets, threats, and vulnerabilities for each asset
  • Score inherent risk (likelihood × impact)
  • Define your risk acceptance criteria — your auditor will ask for this
  • For risks above your acceptance threshold, document a treatment plan

Controls you choose from Annex A must be justified by your risk assessment. This is what the Statement of Applicability (SOA) documents.

Week 5-6 — Generate and customize policies

  • Go to Policies → Generate and generate the full ISO 27001 policy set
  • Prioritize these 5 foundational policies:
    • Information Security Policy
    • Access Control Policy
    • Acceptable Use Policy
    • Incident Response Policy
    • Business Continuity Policy
  • Customize each policy to reflect your actual environment (reference your tech stack, team structure, and regulatory context from the Context Hub)
  • Assign a policy owner and set a review date
  • Publish and distribute for employee acknowledgement

Week 7-8 — Complete Annex A controls

Open Controls → ISO 27001 → Annex A and work through each theme:

  • Start with Organisational Controls — these document decisions already made in Weeks 1-6
  • People Controls — link to onboarding/offboarding checklists and training records in the People module
  • Physical Controls — upload physical security assessments, visitor logs, clean desk policy acknowledgements
  • Technological Controls — connect integrations to automate evidence for access control, logging, and configuration

Every Annex A control you mark as Not Applicable needs a written justification. These are documented in the Statement of Applicability and are always reviewed by auditors.

Week 9 — Statement of Applicability (SOA)

The SOA is a required ISO 27001 document that lists all Annex A controls and states whether each is:

  • Applicable and implemented — link to the evidence
  • Applicable but not yet implemented — document the plan
  • Not applicable — document the justification

Export the SOA from Controls → Export → SOA. Review it with your ISMS owner before submitting to your auditor.
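The scoring rule from Weeks 3-4 (inherent risk = likelihood × impact, treatment required above the acceptance threshold) and the three SOA states listed above reduce to a handful of consistency rules that an auditor checks when reading the SOA against the risk register. The script below is an added example, not Matproof's code or its export format: it models a small risk register and SOA in Python and reports every gap. The field names, the 1-5 scoring scale, the acceptance threshold of 9, and all sample risks, evidence file names and control ids (which follow the Annex A numbering scheme) are constructed assumptions.

```python
"""Consistency check between a risk register and a Statement of Applicability.

Added example, not Matproof's own code. Field names, the 1-5 scoring scale,
the acceptance threshold and all sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed assumption: likelihood and impact are each scored 1-5, and any
# inherent risk score above this value exceeds the risk acceptance criteria.
ACCEPTANCE_THRESHOLD = 9


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment_plan: str = ""                            # empty = no plan documented
    controls: List[str] = field(default_factory=list)   # Annex A controls that treat it


@dataclass
class SoaEntry:
    control_id: str
    status: str                                         # "implemented" | "planned" | "not_applicable"
    evidence: List[str] = field(default_factory=list)   # required when implemented
    plan: str = ""                                      # required when planned
    justification: str = ""                             # required when not_applicable


def inherent_risk(risk: Risk) -> int:
    """Inherent (untreated) risk score: likelihood x impact."""
    return risk.likelihood * risk.impact


def risks_needing_treatment(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Risks above the acceptance criteria, i.e. the ones that need a treatment plan."""
    return [r for r in risks if inherent_risk(r) > threshold]


def soa_findings(risks, soa, threshold=ACCEPTANCE_THRESHOLD):
    """Return the gaps an auditor would raise; an empty list means the two documents agree."""
    findings = []
    by_id = {e.control_id: e for e in soa}

    # Rule 1: every risk above the threshold has a treatment plan, and the
    # controls it relies on exist in the SOA and are not marked Not Applicable.
    for r in risks_needing_treatment(risks, threshold):
        if not r.treatment_plan:
            findings.append(f"{r.risk_id}: inherent risk {inherent_risk(r)} exceeds "
                            f"acceptance threshold {threshold} but has no treatment plan")
        for cid in r.controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{r.risk_id}: relies on {cid}, which is missing from the SOA")
            elif entry.status == "not_applicable":
                findings.append(f"{r.risk_id}: relies on {cid}, which the SOA marks Not Applicable")

    # Rule 2: each SOA status carries the record it needs (evidence, plan or
    # justification), and every applicable control traces back to at least one risk.
    justified = {cid for r in risks for cid in r.controls}
    for e in soa:
        if e.status == "implemented" and not e.evidence:
            findings.append(f"{e.control_id}: marked Implemented but no evidence is linked")
        elif e.status == "planned" and not e.plan:
            findings.append(f"{e.control_id}: marked Applicable but not yet implemented without a plan")
        elif e.status == "not_applicable" and not e.justification:
            findings.append(f"{e.control_id}: marked Not Applicable without a written justification")
        if e.status != "not_applicable" and e.control_id not in justified:
            findings.append(f"{e.control_id}: applicable but no risk in the register justifies it")
    return findings


def audit_ready(risks, soa, threshold=ACCEPTANCE_THRESHOLD) -> bool:
    """True only when the register and the SOA raise no findings."""
    return not soa_findings(risks, soa, threshold)


# Constructed sample data: illustrative assets, threats, scores and file names.
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "credential theft", 4, 5,
         treatment_plan="Enforce MFA and rotate service credentials",
         controls=["A.5.17", "A.8.5"]),
    Risk("R-02", "staff laptops", "loss in transit", 3, 3,
         controls=["A.7.9"]),                   # scores 9: within acceptance criteria
    Risk("R-03", "backup store", "ransomware", 3, 5,
         controls=["A.8.13"]),                  # scores 15 with no plan: flagged
]

SAMPLE_SOA = [
    SoaEntry("A.5.17", "implemented", evidence=["password-policy-v3.pdf"]),
    SoaEntry("A.8.5", "planned"),                                        # no plan text
    SoaEntry("A.8.13", "implemented"),                                   # no evidence
    SoaEntry("A.7.9", "implemented", evidence=["mdm-encryption-report.csv"]),
    SoaEntry("A.7.7", "not_applicable"),                                 # no justification
    SoaEntry("A.7.4", "implemented", evidence=["cctv-retention.txt"]),   # no risk references it
]

if __name__ == "__main__":
    for line in soa_findings(SAMPLE_RISKS, SAMPLE_SOA):
        print("FINDING:", line)
    print("audit ready:", audit_ready(SAMPLE_RISKS, SAMPLE_SOA))
```

Run against the sample data, the script reports five findings: one risk above threshold without a treatment plan, one planned control with no plan, one implemented control with no evidence, one Not Applicable control with no justification, and one implemented control that no risk justifies. The last rule is deliberately strict; if a control is justified by a contractual or legal requirement rather than a risk, record that requirement as an entry in the register so the trace still exists.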

Week 10 — Internal audit

ISO 27001 Clause 9.2 requires internal audits at planned intervals. In practice, your certification body will expect at least one complete internal audit cycle before the Stage 2 audit.

  • Go to Audit Programs → New Audit
  • Create an internal audit against the ISO 27001 control set
  • Assign an internal auditor (someone independent from the implementation)
  • Document findings and create Corrective Actions for each gap

Run the internal audit 4-6 weeks before your Stage 2 date to leave time to close corrective actions before the external auditor arrives.

Week 11 — Corrective actions

Work through all findings from the internal audit:

  • Go to Corrective Actions and filter by the internal audit
  • Assign owners and due dates
  • Close each action with evidence before the Stage 2 date

Week 12 — Management review and final prep

ISO 27001 Clause 9.3 requires a management review before certification.

  • Export the ISMS Performance Report from Audit Programs → Reports
  • Present to your leadership team: risk status, audit findings, control completeness, incidents
  • Document the management review outputs (decisions made, resources allocated)
  • Final check: ensure all applicable controls are in Implemented status with evidence attached, or have a documented remediation plan with a credible timeline

The Three Things Teams Get Wrong

1. Scope creep

Starting with “the whole company” creates a compliance project that never ends. Pick the narrowest defensible scope — a product, a team, a data type — certify that, then expand.

2. The SOA is an afterthought

The Statement of Applicability is a primary deliverable, not an export at the end. Build it as you work through controls. Auditors read it before they look at anything else.

3. No internal audit before the external one

Stage 2 auditors will raise nonconformities for gaps they find. If you walk in with zero corrective actions documented, they conclude you haven’t been running your ISMS — because every ISMS finds issues. Run a real internal audit and close the findings.

Certification Timeline Reference

Milestone | Typical Timeline
ISMS scope defined | Week 1-2
Risk assessment complete | Week 4
Policies approved | Week 6
Annex A controls >80% complete | Week 8
SOA finalized | Week 9
Internal audit complete | Week 10-11
Stage 1 audit (documentation review) | Week 12-14
Corrective actions from Stage 1 closed | Week 14-16
Stage 2 audit (implementation audit) | Week 16-20

What Good Looks Like

Before submitting to your certification body:
  • ISMS scope statement documented and approved
  • Risk assessment complete with all risks above threshold assigned a treatment plan
  • All 5 foundational policies published, owned, and acknowledged
  • SOA complete with justifications for all Not Applicable controls
  • At least one internal audit completed with findings documented
  • All corrective actions from the internal audit closed with evidence
  • Management review documented since ISMS establishment

Next Steps

  • Risk Management — ISO 27001-aligned risk assessment and treatment workflow
  • Policy Management — generating, customizing, and distributing your policy library
  • Audit Programs — running internal audits and producing the management review report
  • Corrective Actions — Clause 10.2 compliance through tracked remediation