To streamline your journey toward ISO 27001 Year 1 certification, we recommend following this checklist sequentially. You'll find the essential Information Security Management System (ISMS) Plan document readily available in the Policy Center.
Policy Management
Draft, review, and approve all required ISO 27001:2022 policies in the Policy Center.
Use the Essential Policy FAQs as an additional resource.
NOTE: The ISMS Plan is an administrative document and does not require personnel interaction (review, acknowledgement, acceptance, etc.).
Review Monitoring Tests
Work towards 100% completion of Monitoring Tests.
Helpful Tip: Use the “Learn More” button on each test for help articles and remediation guidance.
Review Evidence for Not Monitored Controls
Upload documentation to support the controls that are not automatically monitored by the Drata platform.
Reference the Example Evidence for Not Monitored Controls (ISO 27001)
Invite Personnel into the Drata Platform
Drata Personnel Overview - Start with this three-part tutorial series, which helps you configure Drata’s Personnel section and manage user onboarding, acknowledgements, and training.
Review and complete all sections within the ISMS Plan
Context of the Organization (Clause 4)
Leadership (Clause 5)
Planning (Clause 6)
Support (Clause 7)
Operation (Clause 8)
Performance Evaluation (Clause 9)
Improvement (Clause 10)
Statement of Applicability (SoA) & Annex A – Reference Control Objectives and Controls (93 total, categorized into the four themes below)
A.5 Organizational Controls
A.6 People Controls
A.7 Physical Controls
A.8 Technological Controls
Note: Please reference the ISO 27001:2022 Example ISMS Plan for additional guidance.
Appoint and establish ISMS + ISO 27001 Key Stakeholders
Assemble an ISMS team (e.g., security engineers, compliance staff, and executive leadership) to guide strategy and implementation.
Assign clear roles and align the team on the ISMS scope, plan, and responsibilities.
Build your ISMS
Define the ISMS scope (e.g., which departments, systems, and data are covered).
Create a roadmap outlining tasks, timeline, and responsibilities.
Complete Risk Assessment and Risk Management in Drata
Identify, analyze, and treat risks to your information assets, systems, and services.
After risks are identified, scored, and ranked, establish a designated remediation plan.
Complete the Statement of Applicability (SoA)
Review the 93 controls listed in Annex A.
Select and implement controls that are relevant to your organization.
Complete the SoA, providing a justification for the inclusion or exclusion of each control within the ISMS.
Perform Internal Audit
If the internal audit will be conducted by someone in your organization, ensure they are independent (i.e., not involved in building the ISMS or responsible for any Annex A controls) and possess appropriate audit competency.
Document results in Appendix A of your ISMS Plan.
Upload your completed internal audit report under DCF-165 to satisfy the requirement for periodic independent assessments.
Review Internal Audit Results
After completion of the internal audit, conduct a formal management review of the internal audit report.
Document Corrective Action Plans for any non-conformities identified during the internal audit.
Document the review in Appendix C of the ISMS Plan.
Upload your completed management review summary to DCF-164 to demonstrate compliance with Clause 9.3.
Pre-Audit Check-In
Schedule a pre-audit readiness check-in with your Drata Customer Success Manager (CSM) and Compliance Advisor (CA). Ensure that your Drata platform reflects ~100% control completion prior to this call.
Engage an Accredited ISO 27001 Certification Body and Schedule Your Audit
Coordinate with your selected ISO 27001-accredited certification body to schedule both stages of the audit:
Stage 1 Audit – Review of documentation, scope, and readiness
Stage 2 Audit – Evaluation of control implementation and effectiveness
Finalize Agreement and Audit Dates
Finalize your agreement with the selected certification body and confirm audit dates for both Stage 1 and Stage 2.
Reach out to your Drata CSM to schedule advisory meetings around the audit timeline and align on expectations.
Post–Stage 1 Review with Drata
Schedule a debrief with your Drata CSM and CA to analyze feedback from the Stage 1 audit. Address any deficiencies or areas of concern flagged during Stage 1. Clarify and review potential nonconformities, observations, and gaps.
Complete Stage 2 Audit (Certification Assessment)
The certification body performs an in-depth evaluation of your ISMS implementation and control effectiveness during the Stage 2 audit.
Post–Stage 2 Review with Drata
Meet with your Drata team for a final check-in to review any non-conformities or opportunities for improvement (OFIs) identified, and determine next steps for closure and continuous improvement.
Support Availability
Drata’s Technical Support Team is available via Live Chat 24/5, and Compliance Advisors are available from 6 AM to 6 PM PT, Monday–Friday. If you have questions at any step, don’t hesitate to reach out.