# ISO 27001 checklist for Norwegian SMBs

> A practical ISO 27001 checklist that takes a Norwegian small or mid-size business from "we should get certified" to a Stage 2 audit.

Source: https://fmcybersecurity.com/en/insights/compliance/iso-27001-checklist-for-norwegian-smbs/
Locale: English
Other locale: https://fmcybersecurity.com/insights/compliance/iso-27001-sjekkliste-for-smb/

## Metadata

- Date: 2026-05-05
- Author: maximilian-sharoyan
- Topic: compliance
- Format: guide

Here is how a Norwegian small or mid-size business gets to ISO 27001 certification the first time, step by step.

ISO 27001 is the international standard for running an information security management system, an ISMS, which is the set of policies, decisions, and records that show you manage security on purpose and not by luck. This checklist is for the IT manager or compliance lead who has to make it happen. The current edition is [ISO/IEC 27001:2022](https://www.iso.org/standard/27001), and the old 2013 version is dead: every 2013 certificate had to transition by [31 October 2025](https://www.iso.org/standard/27001) or it lapsed. Build to the 2022 version from day one.

![ISO 27001, FM CyberSecurity](../../../assets/news/iso-27001-checklist-for-norwegian-smbs-inline.png)

## 1. Write down what you are protecting and why

Define the scope before anything else, because it sets the size of the whole project (Clause 4).

List the parts of the business the ISMS covers: which services, which offices, which systems, which data. A 30-person firm can scope tightly, for example "our SaaS platform and the team that runs it," and leave the coffee machine out. Write one page. The auditor reads it first, and a vague scope drags every later step wider than it needs to be.

## 2. Get leadership to own it in writing

ISO 27001 puts security squarely on top management, not on IT alone (Clause 5).

Get your CEO or managing director to approve a short information security policy and name who owns the ISMS. Minute the decision. This is not a formality; the Stage 2 auditor will ask your leadership how they steer security, and "I leave that to IT" is a finding.

## 3. Set objectives you can measure

Decide what good looks like, in numbers (Clause 6).

Write three or four security objectives with a figure attached, for example "patch critical vulnerabilities within 14 days" or "100% of staff complete security training each year." Vague aims like "improve security" give the auditor nothing to check and give you nothing to report against.

## 4. Run a risk assessment

List your risks, score them, and decide what to do with each one (Clause 6.1).

Build a simple risk register: the asset or process, what could go wrong, how likely, how bad, and your decision (treat, accept, transfer, or avoid). A spreadsheet is fine for a small firm. The method matters less than using the same method every time so results are comparable year to year.

## 5. Pick your controls and write the Statement of Applicability

Choose which Annex A controls apply, and justify any you leave out (Clause 6.1.3).

ISO 27001:2022 Annex A lists [93 controls in four groups](https://www.iso.org/standard/27001): organizational (37), people (8), physical (14), and technological (34). The Statement of Applicability, the SoA, is the one document that lists all 93, says whether each applies, and links each included control to a risk. If you exclude a control, write why. This is the document auditors scrutinise hardest, so make it honest and complete.

## 6. Do a gap analysis against where you are now

Compare the controls you need against the controls you run, and list the holes (composite step, not a clause).

Put the Annex A control on one side and your current reality on the other. Mark each as in place, partial, or missing. The gaps become your work plan. Most SMBs find the technical basics already exist and the missing pieces are documentation: an access control policy, a supplier security clause, a logging standard. Closing the gaps usually takes three to six months for a small firm, per the [certification bodies' own transition guidance](https://www.lrqa.com/en-us/insights/articles/preparing-for-iso-270012022-transition-by-october-2025/).

## 7. Put the controls to work and keep the evidence

Implement the missing controls and start collecting proof that they run (Clause 8).

The standard certifies what you do, not what you wrote. Turn on the logging, enforce the access reviews, run the supplier checks, and save the records: access review exports, training completion lists, incident tickets, change approvals. If you want technical controls tested against real attack paths, we run that through [Aikido AI Pentest](/en/partners/aikido/) so the findings feed straight back into your risk register.

## 8. Run an internal audit

Check your own ISMS against the standard before an outsider does (Clause 9.2).

Have someone independent of the work audit each part of the ISMS and write up findings. In a small firm this can be a different team member or an outside reviewer; it cannot be the person who wrote the thing being audited. Fix what the audit finds and keep the report. The certification body will ask to see it.

## 9. Hold a management review

Get leadership back in the room to review how the ISMS is performing (Clause 9.3).

Run a meeting where management looks at the audit results, the open risks, the incidents, and the objectives from step 3, then decides what changes. Minute it. This closes the loop the standard cares about: leadership set direction in step 2, and here they check it worked.

## 10. Choose an accredited certification body and pass Stage 1

Pick a body accredited to certify ISO 27001, then pass the documentation review (Stage 1).

In Norway, [Norsk akkreditering](https://www.akkreditert.no/) is the national accreditation body, and an accredited certification body is what gives your certificate weight in tenders. Stage 1 is the auditor reading your ISMS documents to confirm you are ready, usually one to two days. They flag anything missing so you can fix it before Stage 2.

## 11. Pass Stage 2 and get certified

Stage 2 is the real audit: the auditor checks that the ISMS runs as documented.

The Stage 2 auditor interviews people and samples evidence across the controls in your SoA. Pass it, clear any non-conformities, and the body issues a certificate valid for three years. Have your evidence from step 7 organised and easy to pull; a clean evidence trail is the difference between a smooth audit and a stressful one.

## 12. Keep it alive

Certification is not one and done: you keep the ISMS running for the three-year cycle.

The body runs a shorter surveillance audit at the end of year one and year two, then a fuller recertification audit at year three to start the next cycle. Repeat the internal audit and management review each year. The work that keeps the certificate is the same work that made you secure in the first place, so do not let it lapse between audits.

## Next action

Talk to [our compliance practice](/en/services/compliance/) for an ISO 27001 readiness review: a gap analysis against the 2022 Annex A controls, a draft Statement of Applicability, and a work plan you can take to your chosen certification body. We work alongside your team so the ISMS you certify is one you can run on your own.

## FAQ

### How long does ISO 27001 take for an SMB?

For a small firm starting from scratch, plan on six to twelve months to first certification. Closing the gaps after a gap analysis typically takes three to six months on its own, per the [certification bodies' transition guidance](https://www.lrqa.com/en-us/insights/articles/preparing-for-iso-270012022-transition-by-october-2025/), and you then add scoping, internal audit, management review, and the Stage 1 and Stage 2 audits. A firm that already runs decent controls and just needs the documentation can move faster.

### How much does ISO 27001 cost?

There are two cost lines: the certification body's audit fees, which scale with your headcount and scope, and your own internal effort plus any consultant help to build the ISMS. Surveillance audits in years one and two are shorter and cheaper than the Stage 2 audit. Get quotes from two or three accredited bodies, because audit-day rates and the way they count your scope vary.

### Do we need ISO 27001 to win Norwegian public tenders?

Often yes in practice, even when the law does not name it. Many Norwegian buyers, public and private, ask bidders to show a recognised security certification, and ISO 27001 from an accredited body is the one most procurement teams accept. If you are losing bids on a security question you cannot answer, certification usually pays for itself.

### What is the difference between ISO 27001 and SOC 2?

ISO 27001 certifies that you run a management system to a standard, and the certificate is recognised worldwide. SOC 2 is a US attestation report, written by an auditor, on how well your controls met defined criteria over a period. Norwegian and European buyers usually ask for ISO 27001; firms selling to US customers sometimes need SOC 2 as well. They overlap enough that work on one reduces the work on the other.

### Can we reuse our ISO 27001 work for NIS2?

Yes, a large share carries over. NIS2 and its Norwegian incorporation expect risk management, supplier security, incident handling, and leadership accountability, and an ISO 27001 ISMS already produces all of those with evidence. Map your Annex A controls against the NIS2 obligations and you will find most of the security work is done; what remains is mostly the specific incident-reporting timelines.

