Soon — ISO/IEC 27001:2022 Certification Roadmap & Document Register

Goal: Certify Soon (the company) and the Soon WFM SaaS platform against ISO/IEC 27001:2022. Scope: See Context & Scope. Standard: ISO/IEC 27001:2022 (management system) + Annex A (93 controls, themes A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological). Approach: Right-sized for a small, fully-remote SaaS. Physical/on-premises controls are inherited from AWS or marked Not Applicable with justification in the Statement of Applicability.

Last updated: 2026-06-25


1. How certification works (what we're working toward)

ISO 27001 certification is awarded by an accredited certification body after a two-stage audit:

  • Stage 1 (documentation review): the auditor checks that the ISMS is designed — mandatory documents exist, scope is defined, risk assessment and Statement of Applicability (SoA) are in place. This is largely a paperwork gate.
  • Stage 2 (certification / implementation audit): the auditor checks the ISMS is operating — that controls are actually working and producing evidence (records, logs, tickets, review minutes). They sample evidence against the SoA.

Two things matter for passing:

  1. Documented information — the policies and procedures (most of this repo).
  2. Records / evidence — proof the documents are lived (risk reviews, access reviews, training logs, incident tickets, internal audit, management review).

Before booking Stage 2 the ISMS must have been operating for a period (typically ~3 months) so there is evidence to sample.

Mandatory documented information (ISO requires these explicitly)

These cannot be omitted — auditors will look for every one:

  1. Scope of the ISMS (4.3) → done
  2. Information security policy (5.2)
  3. Information security objectives (6.2)
  4. Risk assessment process & results (6.1.2 / 8.2)
  5. Risk treatment process & results (6.1.3 / 8.3)
  6. Statement of Applicability (6.1.3 d) — the single most important document
  7. Evidence of competence (7.2)
  8. Documented information required by the standard and for ISMS effectiveness (7.5)
  9. Operational planning & control evidence (8.1)
  10. Monitoring & measurement results (9.1)
  11. Internal audit programme & results (9.2)
  12. Management review results (9.3)
  13. Nonconformities & corrective actions (10.2)

2. Certification journey — phases & indicative timeline

Timeline assumes a small team working this part-time. Adjust to capacity.

| Phase | What happens | Key outputs | Indicative timing |
|---|---|---|---|
| 0. Mobilize | Confirm scope, assign ISM/owner, get leadership sign-off, set up this repo | Context & Scope ✅, Exec Support Letter, repo | Weeks 0–2 |
| 1. Core framework | Author the mandatory management-system docs (clauses 4–10) | ISMS Manual, ISO Policy, Objectives, Roles | Weeks 2–6 |
| 2. Risk & SoA | Build asset inventory, run risk assessment, decide treatment, produce SoA | Asset Inventory, Risk Assessment, Risk Treatment Plan, SoA | Weeks 4–8 |
| 3. Annex A controls | Tailor the policies/procedures (already drafted) to Soon; close control gaps | A.5–A.8 policy set finalized | Weeks 6–12 |
| 4. Operate & collect evidence | Run the ISMS: access reviews, training, supplier reviews, logging, incidents | Records/evidence accumulate (~3 months) | Weeks 12–24 |
| 5. Internal audit + management review | First internal audit; first management review; fix nonconformities | Internal Audit Report, Mgmt Review minutes, CAPA log | Weeks 20–26 |
| 6. Stage 1 audit | Certification body reviews documentation | Stage 1 findings closed | Weeks 24–28 |
| 7. Stage 2 audit | Certification body audits implementation & evidence | Certificate | Weeks 28–34 |
| Ongoing | Surveillance audits (yr 1 & 2), recertification (yr 3) | Continual improvement | Annual |

3. Current status snapshot

Status legend used throughout:

  • Authored — Soon-specific content complete (this repo)
  • 📝 Template drafted — converted from CertiKit/existing draft, needs Soon tailoring & approval
  • To create — no document yet
  • Not applicable / inherited — justify in the SoA
| Bucket | Authored | 📝 Template drafted | To create | Not applicable / inherited |
|---|---|---|---|---|
| Mandatory ISMS (clauses 4–10) | 1 | 6 | ~14 | |
| Annex A.5 Organizational | 0 | 15 | ~22 | a few |
| Annex A.6 People | 0 | 9 | ~2 | |
| Annex A.7 Physical | 0 | 1 | 0 | ~11 (remote/AWS) |
| Annex A.8 Technological | 0 | 19 | ~13 | a few |

Biggest gaps to close first (blocking certification):

  1. Statement of Applicability (ISMS-FORM-06-2) — the core artefact; not yet started.
  2. Risk Assessment process + report (ISMS-DOC-06-2 / 06-3) — process doc missing; tool drafted.
  3. Information Asset Inventory (ISMS-DOC-A05-9-2) — needed to drive the risk assessment.
  4. Internal Audit + Management Review procedures & first runs (clause 9).
  5. ISMS Manual, Roles & Responsibilities, Control of Documented Information (clauses 5 & 7).


4. Master document register

IDs follow the CertiKit ISO 27001 Toolkit v12 numbering (kept for traceability to the source templates). "File" links to the markdown file in this repo where one exists; an empty Status cell means no Soon-specific status has been recorded yet.

4.1 Programme / project management (pre-cert)

| ID | Document | Status | File / notes |
|---|---|---|---|
| ISMS-DOC-00-1 | ISMS Project Initiation Document | | Optional; this ROADMAP partly covers it |
| ISMS-DOC-00-4 | ISO 27001 Project Plan | | See §2 above |
| ISMS-FORM-00-1 | Certification Readiness Checklist | | |
| ISMS-FORM-00-4 | ISO 27001 Gap Assessment Tool | | |

4.2 Clause 4 — Context

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-04-1 | Information Security Context, Requirements and Scope | ✅ Authored | docs/04-context/ISMS-04-01-context-and-scope.md |

4.3 Clause 5 — Leadership

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-05-1 | Information Security Management System Manual | | Top-level ISMS description |
| ISMS-DOC-05-2 | Information Security Roles, Responsibilities and Authorities | | Critical — define ISM, owners, RACI |
| ISMS-DOC-05-3 | Executive Support Letter | 📝 | docs/05-leadership/isms5-executive-support-letter.md |
| ISMS-DOC-05-4 | Information Security Policy | 📝 | docs/05-leadership/isms5-informationsecuritypolicy.md |
| ISMS-FORM-05-1 | Meeting Minutes (template) | | |

4.4 Clause 6 — Planning (risk & SoA)

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-06-1 | Information Security Objectives and Plan | 📝 | docs/06-planning/isms6-infosec-objectives-plan.md |
| ISMS-DOC-06-2 | Risk Assessment and Treatment Process | | Defines methodology, criteria, appetite |
| ISMS-DOC-06-3 | Risk Assessment Report | | Output of running the assessment |
| ISMS-DOC-06-4 | Risk Treatment Plan | 📝 | docs/06-planning/risk-treatment-plan.md |
| ISMS-DOC-06-5 | ISMS Change Process | | |
| ISMS-DOC-06-6 | ISMS Change Log | | |
| ISMS-FORM-06-1 | Asset-Based Risk Assessment Tool | 📝 | docs/06-planning/isms6-risk-assessment-tool.md |
| ISMS-FORM-06-2 | Statement of Applicability (SoA) | | HIGHEST PRIORITY — all 93 Annex A controls + applicability decision + justification |
| ISMS-FORM-06-4 | Opportunity Assessment Tool | | Optional |

4.5 Clause 7 — Support

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-07-1 | Information Security Competence Development Procedure | | |
| ISMS-DOC-07-2 | Information Security Communication Programme | | |
| ISMS-DOC-07-3 | Procedure for the Control of Documented Information | | How this repo is governed (versioning, approval) |
| ISMS-DOC-07-4 | ISMS Documentation Log | 📝 | docs/_reference/certikit-master-documentation-log.md — this register supersedes it |
| ISMS-DOC-07-6 | Awareness Training Presentation | | |
| ISMS-FORM-07-1 | Competence Development Questionnaire | | |

4.6 Clause 8 — Operation

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-08-1 | ISMS Process Interaction Overview | 📝 | docs/08-operation/isms8-process-interaction-overview.md |

4.7 Clause 9 — Performance evaluation

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-09-1 | Process for Monitoring, Measurement, Analysis and Evaluation | | KPIs/metrics for the ISMS |
| ISMS-DOC-09-2 | Procedure for Internal Audits | | |
| ISMS-DOC-09-3 | Internal Audit Plan | | |
| ISMS-DOC-09-4 | Procedure for Management Reviews | 📝 | docs/09-performance/isms9-procedure-for-management-reviews.md |
| ISMS-DOC-09-5 | Internal Audit Report | | Record (produced when audit runs) |
| ISMS-FORM-09-1..4 | Audit programme / action plan / review agenda / checklist | | Forms |

4.8 Clause 10 — Improvement

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-10-1 | Procedure for the Management of Nonconformity | | |
| ISMS-FORM-10-1 | Nonconformity and Corrective Action Log | | |
| ISMS-FORM-10-2 | ISMS Regular Activity Schedule | | Calendar of recurring ISMS tasks |

5. Annex A control documents

5.1 A.5 — Organizational controls

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-A05-1-1 | Social Media Policy | 📝 | docs/annex-a/A5-organizational/a05-social-media-policy.md |
| ISMS-DOC-A05-1-2 | HR Security Policy | 📝 | docs/annex-a/A5-organizational/a05-hrsecuritypolicy.md |
| ISMS-DOC-A05-3-1 | Segregation of Duties Guidelines | | |
| ISMS-DOC-A05-4-1 | Information Security Whistleblowing Policy | 📝 | docs/annex-a/A5-organizational/a05-information-security-whisteblowingpolicy.md |
| ISMS-DOC-A05-5-1 | Authorities Contacts | | Contacts with regulators/authorities |
| ISMS-DOC-A05-6-1 | Specialist Interest Group Contacts | | |
| ISMS-DOC-A05-7-1 | Threat Intelligence Policy | 📝 | docs/annex-a/A5-organizational/a05-threat-intelligence-policyv0-1.md |
| ISMS-DOC-A05-7-2/3 | Threat Intelligence Process / Report | | |
| ISMS-DOC-A05-8-1 | Information Security Guidelines for Project Management | | |
| ISMS-DOC-A05-9-1 | Asset Management Policy | 📝 | docs/annex-a/A5-organizational/a05-asset-management-policy.md |
| ISMS-DOC-A05-9-2 | Information Asset Inventory | | HIGH PRIORITY — drives the risk assessment; see reference asset list |
| ISMS-DOC-A05-10-1 | Acceptable Use Policy | 📝 | docs/annex-a/A5-organizational/a05-acceptable-use-policy.md |
| ISMS-DOC-A05-10-2 | Internet Access Policy | | |
| ISMS-DOC-A05-10-3 | Electronic Messaging Policy | 📝 | docs/annex-a/A5-organizational/a05-electronic-messaging-policy.md |
| ISMS-DOC-A05-10-4 | Asset Handling Procedure | | |
| ISMS-DOC-A05-10-5 | Procedure for Managing Lost or Stolen Devices | | Relevant — remote/BYOD |
| ISMS-DOC-A05-10-6 | Online Collaboration Policy | 📝 | docs/annex-a/A5-organizational/a05-online-collaboration-policy.md |
| ISMS-FORM-A05-11-1 | New Starter Checklist | | |
| ISMS-DOC-A05-12-1 | Information Classification Procedure | | |
| ISMS-DOC-A05-13-1 | Information Labelling Procedure | | |
| ISMS-DOC-A05-14-1/2 | Information Transfer Procedure / Agreement | | |
| ISMS-DOC-A05-15-1 | Access Control Policy | 📝 | docs/annex-a/A5-organizational/a05-access-control-policy.md |
| ISMS-DOC-A05-18-1 | User Access Management Process | | Joiner/mover/leaver |
| ISMS-DOC-A05-19-1 | Information Security Policy for Supplier Relationships | 📝 | docs/annex-a/A5-organizational/a05-information-security-policy-for-supplier-relationships.md |
| ISMS-DOC-A05-20-1 | Supplier Information Security Agreement | | |
| ISMS-DOC-A05-21-1 | Supplier Due Diligence Assessment Procedure | | |
| ISMS-DOC-A05-22-1 | Supplier Information Security Evaluation Process | | |
| ISMS-DOC-A05-23-1 | Cloud Services Policy | 📝 | docs/annex-a/A5-organizational/a05-cloud-service-policy.md + Cloud Architecture Policy |
| ISMS-DOC-A05-24-1..3 | Incident Response Plans (Ransomware / DoS / Data Breach) | | HIGH PRIORITY — playbooks |
| ISMS-DOC-A05-25-1 | Information Security Event Assessment Procedure | | |
| ISMS-DOC-A05-26-1 | Information Security Incident Response Procedure | | HIGH PRIORITY |
| ISMS-FORM-A05-27-1 | Incident Lessons Learned Report | | |
| ISMS-DOC-A05-30-1..7 | Business Continuity / ICT Continuity set | | BIA, continuity & test plans |
| ISMS-DOC-A05-31-1 | Legal, Regulatory and Contractual Requirements Procedure | 📝 | docs/annex-a/A5-organizational/a05-legal-regulatory-and-contractual-requirements-procedurev0-1.md |
| ISMS-DOC-A05-31-2 | Legal, Regulatory and Contractual Requirements (register) | | The filled-in register |
| ISMS-DOC-A05-32-1 | IP and Copyright Compliance Policy | 📝 | docs/annex-a/A5-organizational/a05-ip-and-copyright-compliance-policy.md |
| ISMS-DOC-A05-33-1 | Records Retention and Protection Policy | 📝 | docs/annex-a/A5-organizational/a05-records-retention-and-protection-policy.md |
| ISMS-DOC-A05-34-1 | Privacy and Personal Data Protection Policy | 📝 | docs/annex-a/A5-organizational/a05-privacy-and-personal-data-protection-policy.md |
| ISMS-DOC-A05-34-2 | Personal Data Breach Notification Procedure | | GDPR 72h |
| ISMS-DOC-A05-35-1 | Information Systems Audit Plan | | |
| ISMS-DOC-A05-37-1 | Operating Procedure(s) | | Documented operating procedures / runbooks |

5.2 A.6 — People controls

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-A06-1-1 | Employee Screening Procedure | 📝 | docs/annex-a/A6-people/a06-employee-screening-procedures.md |
| ISMS-FORM-A06-1-1 | Employee Screening Checklist | 📝 | docs/annex-a/A6-people/a06-employee-screening-checklist.md |
| ISMS-DOC-A06-2-1 | Guidelines for Inclusion in Employment Contracts | 📝 | docs/annex-a/A6-people/a06-guidelines-for-inclusion-in-employment-contracts.md |
| ISMS-DOC-A06-4-1 | Employee Disciplinary Process | 📝 | docs/annex-a/A6-people/a06-employee-disciplinary-process.md |
| ISMS-FORM-A06-5-1 | Employee Termination & Change of Employment Checklist | 📝 | docs/annex-a/A6-people/a06-employee-termination-and-change-of-employment-checklist.md |
| ISMS-FORM-A06-5-2 | Leavers Letter | | |
| ISMS-DOC-A06-6-1 | Schedule of Confidentiality Agreements | 📝 | docs/annex-a/A6-people/a06-schedule-of-confidentiality-agreements.md |
| ISMS-DOC-A06-6-2 | Non-Disclosure Agreement | 📝 | docs/annex-a/A6-people/a06-non-disclosure-agreement.md |
| ISMS-DOC-A06-7-1 | Remote Working Policy | 📝 | docs/annex-a/A6-people/a06-remote-working-policy.md — central for Soon |
| ISMS-DOC-A06-8-1 | Information Security Event Reporting Procedure | 📝 | docs/annex-a/A6-people/a06-information-security-event-reporting-procedure.md |

5.3 A.7 — Physical controls (mostly Not Applicable / inherited)

Soon operates no offices and no data centres; all hosting is on AWS (certified ISO 27001 / SOC 2). The physical security of infrastructure is inherited from AWS. The home-working aspects are handled by the Remote Working and Clear Desk policies.

| ID | Document | Status | Decision for SoA |
|---|---|---|---|
| ISMS-DOC-A07-1-1 | Physical Security Policy | | Inherited (AWS) + remote-working policy covers home offices |
| ISMS-DOC-A07-2-1 | Physical Security Design Standards | | N/A — no Soon premises |
| ISMS-DOC-A07-3-1 | Data Centre Access Procedure | | Inherited (AWS) |
| ISMS-DOC-A07-4-1 | CCTV Policy | | N/A — no Soon premises |
| ISMS-DOC-A07-6-1 | Procedure for Working in Secure Areas | | N/A — no secure areas |
| ISMS-DOC-A07-7-1 | Clear Desk and Clear Screen Policy | 📝 | docs/annex-a/A7-physical/a07-clear-desk-and-clear-screen-policy.md — applies to home working |
| ISMS-DOC-A07-9-1 | Procedure for Taking Assets Offsite | | Covered by Remote Working / Mobile Device policies |
| ISMS-DOC-A07-10-1/2 | Removable Media / Physical Media Transfer | | N/A — cloud-only; removable media prohibited (state in AUP) |
| ISMS-FORM-A07-13-1 | Equipment Maintenance Schedule | | Inherited (AWS) |
| ISMS-DOC-A07-14-1 | Procedure for the Disposal of Media | | Limited — secure wipe of personal/company laptops on offboarding |

5.4 A.8 — Technological controls

| ID | Document | Status | File |
|---|---|---|---|
| ISMS-DOC-A08-1-1 | Mobile Device Policy | 📝 | docs/annex-a/A8-technological/a08-mobile-device-policy.md |
| ISMS-DOC-A08-1-2 | BYOD Policy | 📝 | docs/annex-a/A8-technological/a08-bring-your-own-device-policy.md — central for Soon |
| ISMS-DOC-A08-3-1 | Dynamic Access Control Policy | 📝 | docs/annex-a/A8-technological/a08-dynamic-access-control-policy.md |
| ISMS-DOC-A08-6-1 | Capacity Plan | | |
| ISMS-DOC-A08-7-1 | Anti-Malware Policy | 📝 | docs/annex-a/A8-technological/a08-anti-malware-policy.md |
| ISMS-DOC-A08-8-1 | Technical Vulnerability Management Policy | 📝 | docs/annex-a/A8-technological/a08-technical-vulnerability-management-policy.md |
| ISMS-DOC-A08-8-2 | Technical Vulnerability Assessment Procedure | | |
| ISMS-DOC-A08-9-1 | Configuration Management Policy | 📝 | docs/annex-a/A8-technological/a08-configuration-management-policy.md |
| ISMS-DOC-A08-9-2/3 | Configuration Management Process / Standard Template | | |
| ISMS-DOC-A08-10-1 | Information Deletion Policy | 📝 | docs/annex-a/A8-technological/a08-10-information-deletion-policy.md |
| ISMS-DOC-A08-11-1 | Data Masking Policy | 📝 | docs/annex-a/A8-technological/a08-data-masking-policy.md |
| ISMS-DOC-A08-12-1 | Data Leakage Prevention Policy | 📝 | docs/annex-a/A8-technological/a08-data-leakage-prevention-policyv0-1.md |
| ISMS-DOC-A08-13-1 | Backup Policy | 📝 | docs/annex-a/A8-technological/a08-backup-policy.md |
| ISMS-DOC-A08-14-1 | Availability Management Policy | 📝 | docs/annex-a/A8-technological/a08-availability-management-policy.md |
| ISMS-DOC-A08-15-1 | Logging and Monitoring Policy | 📝 | docs/annex-a/A8-technological/a08-logging-and-monitoring-policy.md |
| ISMS-DOC-A08-16-1 | Monitoring Policy | 📝 | docs/annex-a/A8-technological/a08-monitoring-policy.md |
| ISMS-DOC-A08-18-1 | Privileged Utility Program Register | | |
| ISMS-DOC-A08-19-1 | Software Policy | 📝 | docs/annex-a/A8-technological/a08-software-policy.md |
| ISMS-DOC-A08-20-1 | Network Security Policy | 📝 | docs/annex-a/A8-technological/a08-network-security-policy.md |
| ISMS-DOC-A08-21-1 | Network Services Agreement | | |
| ISMS-DOC-A08-23-1 | Web Filtering Policy | 📝 | docs/annex-a/A8-technological/a08-web-filtering-policy.md |
| ISMS-DOC-A08-24-1 | Cryptographic Policy | 📝 | docs/annex-a/A8-technological/a08-cryptographic-policy.md |
| ISMS-DOC-A08-25-1 | Secure Development Policy | 📝 | docs/annex-a/A8-technological/a08-secure-development-policy.md |
| ISMS-FORM-A08-26-1 | Requirements Specification | | |
| ISMS-DOC-A08-27-1 | Principles for Engineering Secure Systems | | |
| ISMS-DOC-A08-28-1 | Secure Coding Policy | 📝 | docs/annex-a/A8-technological/a08-secure-coding-policy.md |
| ISMS-FORM-A08-29-1 | Acceptance Testing Checklist | | |
| ISMS-DOC-A08-31-1 | Secure Development Environment Guidelines | | Separation of prod/staging/dev |
| ISMS-DOC-A08-32-1 | Change Management Process | 📝 | docs/08-operation/isms8-change-management-process.md |

6. Next steps (in order)

  1. Confirm roles — appoint the Information Security Manager and document roles/responsibilities (ISMS-DOC-05-2). Get the Executive Support Letter signed.
  2. Build the Information Asset Inventory (A05-9-2) from the platform, the supply-chain table in the Context doc, and the reference asset list.
  3. Define the Risk Assessment & Treatment Process (06-2), then run it → Risk Assessment Report (06-3) and Risk Treatment Plan (06-4, already drafted).
  4. Produce the Statement of Applicability (06-2 form) — map all 93 Annex A controls to applicable/excluded with justification (use §5 decisions above).
  5. Tailor the drafted policies (📝 items) to Soon specifics — replace CertiKit placeholders, align with the real stack (AWS, Stripe, Intercom, Sentry, Supabase, PostHog, SSO/SAML, MFA).
  6. Stand up the operational procedures with no draft yet: incident response, access management (JML), internal audit, management review, nonconformity.
  7. Operate for ~3 months, collecting evidence, then run internal audit + management review before booking the Stage 1 audit.

This register supersedes the converted CertiKit documentation log. Keep it updated as part of change management whenever a document's status changes.