
ISO 27001 Preparation: A Certification Guide for Companies

NeoBit team · Jun 15, 2026

ISO 27001 preparation is the process of establishing an information security management system (ISMS) before a certification body conducts an audit. In practice it includes a gap analysis, risk assessment, the creation of mandatory documentation, the implementation of controls, and an internal audit. For an average small or medium-sized company, the entire process from the start of preparation to obtaining the certificate realistically takes between six and twelve months.

ISO/IEC 27001 is an international standard that defines the requirements for an information security management system. For companies in Bosnia and Herzegovina and the wider region, the certificate is increasingly a prerequisite for doing business with large clients, the public sector, and partners from the EU. In this guide we explain what serious ISO 27001 preparation looks like, which steps you must not skip, and where companies most often go wrong.

What ISO 27001 actually is and why it is not just a document

A common misconception is that ISO 27001 preparation is an exercise in writing paperwork. The standard revolves around the ISMS (Information Security Management System), a living operational structure of processes, policies, and controls that is continually improved. A certification body does not just assess whether a document exists, but whether the system works in reality and whether there is evidence that the controls are actually applied.

The currently valid version is ISO/IEC 27001:2022. It introduced a revised Annex A with 93 controls organized into four groups: organizational, people, physical, and technological. If you are carrying out preparation today, you do it according to the 2022 version. The older 2013 version is no longer a basis for new certificates.

It is important to distinguish between two parts of the standard. The Annex A controls are, put simply, a list of security measures that you select based on your risks. The main, mandatory part is clauses 4 through 10. They describe how the management system must be set up and you cannot "switch them off" the way you can an individual control. Many companies focus their attention on technical controls and neglect precisely these clauses, which the auditor always checks.

The mandatory clauses of the standard (4 to 10)

Regardless of the industry or size of the company, ISO 27001 preparation must cover all the mandatory clauses. In short, here is what each one requires:

  • Clause 4 - Context of the organization: understanding internal and external circumstances, interested parties and their requirements, and defining the scope of the ISMS.
  • Clause 5 - Leadership: clear commitment from management, an information security policy, and assigned roles and responsibilities.
  • Clause 6 - Planning: risk assessment and treatment, security objectives, and a plan for how to achieve them.
  • Clause 7 - Support: resources, competencies, employee awareness, communication, and management of documented information.
  • Clause 8 - Operation: carrying out the planned processes and controls in day-to-day work.
  • Clause 9 - Performance evaluation: measurement, internal audit, and management review.
  • Clause 10 - Improvement: handling nonconformities and continually improving the system.

The logic behind these clauses is the well-known PDCA cycle (Plan-Do-Check-Act): you plan, implement, check, and improve. Auditors follow exactly this loop. They want to see that the company has not only introduced controls, but also regularly measures whether they work and corrects shortcomings.

The phases of ISO 27001 preparation step by step

Although every project has its own specifics, ISO 27001 preparation almost always goes through the following phases:

1. Gap analysis and scope

The first concrete step is a gap analysis, that is, a comparison of the current state against the requirements of the standard. This is where you determine how far you are from compliance and how much the project will realistically cost in time and resources. In parallel, the scope of the ISMS is defined: which organizational units, locations, systems, and processes are covered. Too narrow a scope reduces the value of the certificate in the eyes of clients, while too broad a scope makes the project unnecessarily more expensive.

2. Risk assessment and treatment plan

The heart of the standard is the risk assessment. Information assets, threats, and vulnerabilities are identified, and risks are rated by likelihood and impact. For each significant risk, a treatment is chosen: reduce, accept, transfer, or avoid. On that basis you produce the Statement of Applicability (SoA), a document that explains, for each of the 93 Annex A controls, whether it applies and why.

3. Creating documentation and policies

Only after the risk assessment does it make sense to write policies and procedures, because they must match the company's actual risks. A typical set includes an information security policy, an access control policy, incident management, supplier management, and business continuity.

4. Implementing controls

This is the phase where most mistakes are made, because it requires real changes in how work is done. Technical controls are introduced (access control, encryption, logging, security patching), along with organizational controls (roles and responsibilities, data classification) and people measures (employee training, security awareness). In this phase it often becomes clear that security testing is a useful way to prove that the controls really work.

5. Internal audit and management review

Before the external certification body arrives, the company must carry out its own internal audit and management review. The goal is to find and correct nonconformities while it is still inexpensive, and to demonstrate that management actively manages the system.

6. The certification audit in two stages

The external audit has two stages. Stage 1 is a review of documentation and readiness, where it is checked whether the ISMS exists on paper and in the fundamental processes. Stage 2 is an in-depth audit of practical application, with interviews with employees and verification of evidence. After a successful Stage 2, a certificate is issued that is valid for three years, with surveillance audits usually conducted every year.

A realistic timeline and resources

The duration depends on the size of the company, the maturity of existing processes, and the availability of the team. The following table gives rough estimates for companies in the region:

Company size                        | Typical preparation time | Main challenge
Micro / small (up to 50 employees)  | 4 to 8 months            | Limited internal resources and knowledge
Medium (50 to 250 employees)        | 6 to 12 months           | Aligning multiple departments and locations
Large (250+ employees)              | 9 to 18 months           | Complex scope and number of systems

In addition to time, plan for the costs of the certification body (separate from consulting costs), employees' internal time, and any investments in tools or infrastructure that arise from the risk assessment. In the region it is a common scenario for a company to have a good technical foundation but lack formal documentation and evidence, so most of the time goes precisely into establishing records and processes rather than into new technologies.

Which documentation and evidence the auditor requires

The standard requires certain mandatory documented information. Without it, the audit does not pass no matter how good the technical security is. The most important mandatory documents and records are:

  • The scope of the ISMS and the information security policy.
  • The risk assessment methodology, along with the results of the assessment and the treatment plan.
  • The Statement of Applicability (SoA) with justification for each Annex A control.
  • Information security objectives and plans for achieving them.
  • Records of employee competencies and training.
  • The results of internal audits and management reviews.
  • Records of security incidents and the corrective actions taken.

The key word is evidence. A policy that says access is reviewed quarterly must be accompanied by a record that the review was actually carried out. In Stage 2 the auditor randomly selects examples and asks for evidence; if there is none, it is a nonconformity that must be corrected before the certificate is issued.

How to check whether you are ready for the audit

Before you order a certification audit, it is worth running through a short readiness check. The following questions most often reveal weak points for companies in BiH and the region:

  • Is the scope of the ISMS clearly defined and approved by management?
  • Is the risk assessment fresh and does it reflect the actual situation, not the situation from a year ago?
  • Do you have evidence that the controls from the SoA actually work, and not just that they are described?
  • Has at least one internal audit and management review been carried out?
  • Is there an incident reporting and handling process that employees are familiar with?
  • Are suppliers and external contractors covered by the risk assessment?

If the answer to any of these questions is not a convincing "yes", that is a sign that the preparation needs a little more work before you enter an expensive external audit.

The most common mistakes in ISO 27001 preparation

  • Buying a ready-made set of documents without adapting it. Templates can speed up the start, but an auditor quickly recognizes policies that do not match how the company actually works.
  • Treating the risk assessment as a formality. If the risks are not real and measurable, all the controls and the SoA lose their meaning.
  • Ignoring suppliers. The standard requires managing third-party risks: cloud providers, subcontractors, freelancers.
  • No evidence of application. Logs, training records, and incident reports are the evidence the auditor asks for; without them, a control "on paper" does not pass.
  • Treating the certificate as a one-off project. The ISMS must be maintained; surveillance audits and incident management continue even after certification.

How NeoBit helps you with preparation

As a cyber security company from Mostar, NeoBit helps companies in BiH and the region carry out ISO 27001 preparation thoroughly, not just formally. We start with a gap analysis and risk assessment, help create the documentation, and technically verify whether the controls work. You can see an overview of our full offering on the services page.

It is particularly useful to connect the preparation with real security testing. A penetration test provides concrete evidence of vulnerabilities and the effectiveness of controls, which strengthens your position at the audit. If you want to assess your needs, fill out the short pentest questionnaire and you will receive feedback on the scope. For a concrete discussion about your situation, get in touch via the contact page.

Frequently asked questions

How long does ISO 27001 preparation take for a small company?

For a small company with up to 50 employees, ISO 27001 preparation usually takes between four and eight months, depending on the maturity of existing processes and how much time the internal team can devote to the project. Companies that already have well-organized IT processes tend toward the lower end of that range.

Can I carry out the preparation myself without a consultant?

It is technically possible, especially if you have an experienced information security expert in the company. In practice, a consultant speeds up the process, reduces the risk of nonconformities at the audit, and helps the documentation match the actual work rather than just the standard. The certification body must be independent of those who did the preparation.

How long is an ISO 27001 certificate valid and what happens after it?

The certificate is valid for three years. During that period the certification body conducts surveillance audits, usually once a year, to verify that the ISMS still functions. After three years comes a recertification audit. The ISMS, therefore, must be continually maintained.

Do we need a penetration test for ISO 27001?

The standard does not explicitly require a penetration test, but it does require you to check technical vulnerabilities and to have evidence of the effectiveness of controls. In practice, a penetration test is one of the most convincing ways to demonstrate this, so many companies include it in their preparation and in their regular maintenance cycle.
