
ISO 27001 Certification in 6 Phases: The Structured Roadmap with a Wizard

SecTepe Editorial
7 min read

By 2026, ISO 27001 has long since turned from a nice-to-have into mandatory evidence: cyber insurers, large customers, and increasingly the commercial registers of B2B suppliers demand it. The certification path is well-trodden but long: typically 12–18 months, five-figure consulting costs, and many iterations.

SecTepe.Core delivers a structured 6-phase roadmap with phase gating, templates, and a guided wizard.

The Six Phases at a Glance

  1. Scope & stakeholders – scope, interfaces, interested parties, top-management commitment.
  2. Risk assessment & risk treatment – asset inventory, threat modelling, risk evaluation, treatment decisions.
  3. Statement of Applicability (SoA) – selection of Annex A controls, justification of inclusion/exclusion.
  4. Implementation & documentation – policies, procedures, technical measures, awareness programs.
  5. Internal audit & management review – effectiveness check, non-conformities, corrective actions.
  6. Certification audit (stage 1 + stage 2) – preparation, accompaniment, remediation of findings.

What Phase Gating Means in Practice

Each phase has defined entry and exit criteria. Phase 3 (SoA) can only be closed when the risk assessment from phase 2 is complete – otherwise the justification for every control choice is missing. The platform doesn't enforce this rigidly but makes skipping visible and warns in the audit report.

Templates That Save Weeks

Empirically, a first-time ISMS team spends 20–30 % of project time writing standard documents:

  • ISMS policy, statement of applicability, context analysis.
  • Risk methodology, risk acceptance criteria, escalation paths.
  • Asset classification, information handling guidelines.
  • Supplier security requirements, BCDR plan templates, reporting paths.

SecTepe.Core ships GDPR- and BSI-compatible templates for all these documents in German and English, adapted to your own company via wizard – instead of an empty Word template.

ISO 27002:2022 Is Pre-Loaded in the SoA Step

The 93 controls from ISO 27002:2022 are pre-loaded in the SoA module as an interactive list – with default justifications for the most common inclusion/exclusion decisions. Anyone not running a cloud service can, for example, exclude A.5.23 (cloud security) with one click and a pre-loaded justification text.
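The two mechanisms described above, phase gating that warns rather than blocks and an SoA step in which every inclusion or exclusion needs a justification, can be modelled in a few dozen lines. The following is an added example written for this article, not SecTepe.Core code: the phase names, the prerequisite chain, the control id A.8.7 and the default exclusion text are constructed for illustration (only A.5.23 appears in the article).

```python
# Added example of phase gating and SoA completeness checks, modelled on the
# behaviour described in the article. Not SecTepe.Core code; phase names,
# prerequisites, sample control ids and justification texts are constructed.
from dataclasses import dataclass, field

# Phase order follows the article's six phases; each phase requires the previous one.
PHASES = ["scope", "risk", "soa", "implementation", "internal_audit", "certification"]
PREREQS = {PHASES[i]: [PHASES[i - 1]] for i in range(1, len(PHASES))}

# Constructed default exclusion text for the common case the article mentions
# (no cloud services in scope).
DEFAULT_EXCLUSION_TEXT = {
    "A.5.23": "No cloud services are used within the ISMS scope.",
}


@dataclass
class Control:
    control_id: str
    applicable: bool
    justification: str = ""


@dataclass
class Project:
    closed: set = field(default_factory=set)            # phases already closed
    soa: dict = field(default_factory=dict)             # control_id -> Control
    audit_findings: list = field(default_factory=list)  # warnings surfaced in the audit report


def set_control(project, control_id, applicable, justification=None):
    """Record an SoA decision; an exclusion without text falls back to a default justification if one exists."""
    if justification is None and not applicable:
        justification = DEFAULT_EXCLUSION_TEXT.get(control_id, "")
    project.soa[control_id] = Control(control_id, applicable, justification or "")


def open_exit_criteria(project, phase):
    """Return the unmet exit criteria for `phase` (an empty list means the gate is satisfied)."""
    problems = [f"prerequisite phase '{p}' is not closed"
                for p in PREREQS.get(phase, []) if p not in project.closed]
    if phase == "soa":
        # Every control decision, inclusion or exclusion, needs a justification.
        for cid, ctl in sorted(project.soa.items()):
            if not ctl.justification.strip():
                kind = "inclusion" if ctl.applicable else "exclusion"
                problems.append(f"{cid}: {kind} has no justification")
    return problems


def close_phase(project, phase, force=False):
    """Close a phase and return (closed, problems).

    With force=False an unmet criterion blocks the close. With force=True the
    phase closes anyway, but every skipped criterion is written to the audit
    findings so the skip stays visible (the 'warn, do not enforce' behaviour).
    """
    problems = open_exit_criteria(project, phase)
    if problems and not force:
        return False, problems
    for p in problems:
        project.audit_findings.append(f"phase '{phase}' closed with open criterion: {p}")
    project.closed.add(phase)
    return True, problems


def demo():
    """Walk a constructed project through the first gates and return its state."""
    prj = Project()
    close_phase(prj, "scope")
    set_control(prj, "A.5.23", applicable=False)           # default exclusion text applies
    set_control(prj, "A.8.7", applicable=True)             # included, justification still missing
    blocked, problems = close_phase(prj, "soa")            # risk phase still open: blocked
    forced, skipped = close_phase(prj, "soa", force=True)  # closes, findings are recorded
    return prj, blocked, problems, forced, skipped


if __name__ == "__main__":
    project, *_ = demo()
    for finding in project.audit_findings:
        print(finding)
```

The design choice worth noting is that the gate is a pure function over project state: the same `open_exit_criteria` call that blocks a close also produces the warning text, so the audit report and the wizard cannot disagree about what was skipped.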

Audit Preparation: Evidence From Phase 5 Flows Directly Into the Stage 2 Report Folder

Instead of manually copying 200 documents into an auditor folder, SecTepe.Core generates a structured export following the typical auditor schema: chapters, cross-references to SoA controls, evidence per measure. External ISOs recognize the structure immediately – this significantly speeds up audit accompaniment.

Where the Platform Is Not Magic

A roadmap doesn't create top-management commitment. It doesn't deliver the awareness training. It doesn't run the BCDR plan tests. But it makes everything around them so frictionless that those substantive topics get the full attention they deserve, instead of drowning in the documentation backlog.

Conclusion

ISO 27001 certification in 2026 is a calculable project once structure, templates, and phase gating are in place. A platform like SecTepe.Core ships these, instead of the typical mix of consulting handbook, Excel, and SharePoint. The consequence: shorter time-to-cert, lower consulting costs, higher audit confidence.