How to start your journey to ISO 27001 certification

Start your journey toward ISO 27001 certification by setting clear, concise strategic objectives.

This article is the first of a series of how-to articles dedicated to explaining each step of the ISO 27001 certification journey. From these articles you’ll learn how to start, how to build an asset register, how to create a risk management framework and an ISMS, and more. But let’s not worry about that for now; in this article we’ll just start with:

  1. Determining strategic objectives on your journey to certification
  2. Examples of strategic objectives from real organisations
  3. Determining your scope

Reading time: 6 minutes

As discussed, this article is the first in a series of articles dedicated to explaining each step of the ISO 27001 certification journey. These articles will reference the standard itself and many of its finer details and steps. If you want these articles to make even more sense and help you on your journey to certification – buy the standard!

If you find yourself unaware of ISO 27001 and what it entails, you may find it useful to read our ISMS introductory articles before reading these articles to gain a better understanding of the standard overall.

Determining the strategic objectives on your journey to certification

To begin your journey to ISO 27001 certification, we believe it’s important to define your strategic objectives first. This may seem counter-intuitive if you have already read the standard, because the standard directs you to define your objectives under clause 6.2: “The organization shall establish information security objectives at relevant functions and levels.”

In our experience we have found it more effective to define your strategic objectives at the start of your journey because your objectives might impact your scope, which must be decided on at the beginning.

Examples of strategic objectives from real organisations

Given that the main purpose of an Information Security Management System (ISMS) is to “…[preserve] the confidentiality, integrity and availability of information…” (see clause 0.1 of ISO/IEC 27001:2022), it makes sense to have this as an overarching strategic objective. When you say “we want to become certified to ISO 27001 to better protect our information”, it means protecting the Confidentiality, Integrity and Availability of that information. This is often referred to as CIA.

In addition to this overarching objective, you might want to choose others that apply to you from the examples below.

These are just examples; feel free to use them as you wish and/or add some of your own. They need to be right for you.

  • To enable us to respond to tenders where ISO 27001 certification is a requirement
  • To ensure the security of the information held within [insert the name(s) of the system(s) you wish to protect]
  • To reassure our clients and other commercial partners about the quality of our work and the security of the information we process and/or control
  • To establish our credibility as a reliable and responsible business partner
  • To increase the maturity of our business in terms of quality, efficiency, effectiveness and governance, thereby enabling scalability
  • To win [insert number of desired new clients] of new clients as a direct or indirect result of obtaining ISO 27001 certification

Determining your scope

Clause 4.2 of the standard asks you to determine the “scope” of your management system at the beginning of your journey. The scope of a management system can include the whole of the organisation, or specific functions, departments, locations or systems. What you determine as your scope is entirely down to you.

Bear in mind that in a small organisation the scope is very likely to be the whole organisation, as it will be difficult to draw boundaries.

The key question to ask is: “What information do we want to protect exactly?” To help you answer that question, ask yourself:

  • What information would our customers, partners, suppliers, shareholders and other interested parties want us to protect?
  • Is this information digital, paper-based, or both?
  • Which system is this information stored in?
  • Where are the servers? Are they in-house/on-premise, and if so in which building? Or are they cloud-based and provided by a supplier?
  • Who is responsible for the information?
  • Who has access to the systems, filing cabinets and the information they contain?

What is NOT in scope (if anything) is just as important as what IS in scope, and should be specified too, along with any dependencies the in-scope assets have.

If you’d like to find out more about how to write your scope, read our “How to write an ISO 27001 scope statement” implementation guidance, to see examples and more tips.

Actionable steps:

Download our ISO 27001 Scope Statement template

Tip:

You will need to have your scope as “documented information”, i.e. it needs to be written down in a controlled document (more on that later) – make sure to write down your chosen scope for now.

Elisabeth Belisle

Elisabeth is an Associate Consultant and Associate Tutor of the British Standards Institute (BSI), a BSI qualified Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.