ISO 27001 is the international standard for information security management systems (ISMS). In Kenya's enterprise procurement market, it has shifted from "nice to have" to a requirement — particularly for financial services, healthcare, and companies bidding on government contracts. But the certification process can feel overwhelming. This checklist helps you assess where you stand before investing in a formal gap assessment.
The 10-point readiness checklist
1. Do you have a written information security policy?
This is the foundation. Your policy should define scope, responsibilities, and management commitment. A single page is enough to start.
2. Have you identified your information assets?
ISO 27001 requires an asset register — a list of all information assets (data, software, hardware, people, locations) with ownership and classification.
3. Have you conducted a formal risk assessment?
The standard requires a documented risk assessment process. You must identify threats, assess likelihood and impact, and document your treatment decisions.
4. Is access to systems controlled and reviewed?
Do you have a formal process for granting and revoking system access? Are admin accounts separate from day-to-day accounts? Are access rights reviewed quarterly?
5. Do you have a business continuity plan?
What happens if your server room floods? If a ransomware attack takes your systems offline? ISO 27001 requires documented continuity procedures and regular testing.
6. Is your staff security-aware?
Human error is involved in over 80% of security incidents. The standard requires documented security awareness training for all staff, including evidence it was delivered.
7. Do you manage supplier security?
Third-party suppliers with access to your systems or data present a risk. Do you have contracts that require them to maintain adequate security? Do you review their posture?
8. Do you have an incident response process?
When (not if) a security incident occurs, do you know who does what? Is there a documented escalation path and a notification process for affected parties?
9. Do you conduct internal audits?
ISO 27001 requires periodic internal audits of your ISMS. These do not need to be done by external parties — trained internal auditors are acceptable, provided they are impartial and do not audit their own work.
10. Does management review the ISMS?
Senior leadership must formally review the ISMS at planned intervals, with documented outputs including decisions and resource commitments.
What to do next
Count one point for each question you can answer yes to. If you scored 7 or more — you are in good shape for a formal gap assessment. If you scored below 5 — engage a consultant to help you build the foundations before committing to the certification timeline.
Argenix offers structured ISO 27001 readiness support — from policy development and risk assessment through to controls implementation and pre-audit internal review. If you are starting the journey, we can help you build the right foundations.
Argenix Security Team
CompTIA Security+ certified engineers focused on practical, affordable security for Kenyan SMEs.
