ISO/IEC 27001 Readiness Assessment (Sample)
Illustrative sample engagement for demonstration purposes only. This example does not represent a client engagement.
Scenario Overview
Organization type: SaaS startup
Size: ~50 employees
Operating model: Cloud-native, remote-first
Objective: Prepare for an initial ISO/IEC 27001 certification audit by assessing readiness and identifying material gaps.
Sample Scope Definition
In-Scope Areas
The readiness assessment focused on the following ISMS components:
Information Security Management System (ISMS)
ISMS scope definition and boundaries
Information security policy framework
Risk assessment methodology and risk treatment approach
Access Control
User access provisioning and deprovisioning
Role-based access controls for cloud systems
Privileged access management practices
Vendor & Third-Party Management
Identification of critical suppliers
Vendor risk assessment process
Security requirements within supplier agreements
Out-of-Scope (for this sample)
Secure software development lifecycle (SSDLC) testing
Incident response simulations
Business continuity and disaster recovery testing
Sample Risk Register (Redacted Example)
| Risk ID | Risk Description | Affected Area | Likelihood | Impact | Risk Rating |
|---|---|---|---|---|---|
| R-01 | Incomplete ISMS scope definition | ISMS Governance | Medium | High | High |
| R-02 | Inconsistent user access reviews | Access Control | Medium | Medium | Medium |
| R-03 | Limited supplier security assessments | Vendor Management | High | Medium | High |
Notes:
Risk ratings were determined using a qualitative likelihood/impact model
Detailed asset references and system identifiers are intentionally omitted
Sample Findings Summary (Excerpt)
Key Observations
ISMS Governance
The organization had defined high-level security objectives; however, the formal ISMS scope and documented interfaces required clarification to align with ISO/IEC 27001 expectations.
Access Control
Core access control mechanisms were in place for production systems. Periodic user access reviews were informal and not consistently documented across teams.
Vendor Management
Critical vendors were identified, but supplier risk assessments were not performed using a standardized, repeatable process.
Overall Readiness Assessment
Based on the sample review, the organization demonstrated partial readiness for ISO/IEC 27001 certification. Foundational controls existed, but additional documentation, consistency, and formalization would be required prior to a certification audit.
Example Deliverables (Illustrative)
Readiness assessment report with risk-ranked observations
High-level ISMS gap summary aligned to ISO/IEC 27001 clauses
Executive-ready findings summary suitable for leadership review
Important Note
This sample illustrates how SelahNex Audits approaches ISO/IEC 27001 readiness assessments, including scope definition, risk evaluation, and findings reporting.
It does not constitute certification, attestation, or assurance, and outcomes are dependent on engagement-specific scope and evidence.