ISO 27001 Compliance Checklist
Comprehensive ISO 27001 compliance checklist covering pre-certification preparation, ISMS requirements across Clauses 4-10, Annex A control categories, documentation requirements, and internal audit readiness for the 2022 revision.
- Start with executive sponsorship, a cross-functional project team, and a preliminary gap assessment before beginning ISMS implementation.
- The ISMS management system requirements (Clauses 4-10) are as important as the Annex A controls — auditors assess both equally.
- The Statement of Applicability is the most scrutinised document in the audit. Complete it thoroughly with clear justifications for each control's applicability status.
- Internal audit and management review must be completed before the Stage 1 audit — schedule these early enough to demonstrate at least one full cycle.
- Maintain 20-40 documented information items for a mid-sized organisation, controlled through a formal document management process with version control and approval workflows.
1. Pre-Certification Preparation
Before diving into ISMS implementation, complete a set of foundational activities that set the project up for success. Secure executive sponsorship: ISO 27001 Clause 5.1 requires top management to demonstrate leadership and commitment to the ISMS, including ensuring the ISMS achieves its intended outcomes, directing and supporting persons to contribute to ISMS effectiveness, and promoting continual improvement. This is not a formality — auditors will interview top management during Stage 2 to verify genuine commitment. Brief the executive sponsor on the certification process, timeline, resource requirements, and their personal obligations under the standard.
Define the project team and governance structure. Appoint a project lead with the authority and capacity to drive implementation (this person will likely become the ongoing ISMS manager). Identify cross-functional contributors from IT, HR, legal, operations, facilities, and any other function that handles information assets within the planned scope. Establish a project governance cadence — fortnightly steering meetings are typical for a 6-12 month implementation programme. Set realistic milestones: scope definition (month 1), risk assessment completion (months 2-3), control implementation (months 3-8), internal audit (month 9-10), management review (month 10), and Stage 1 audit readiness (month 11-12).
Conduct a preliminary gap assessment to understand your starting position. Map your existing security controls, policies, and processes against the ISO 27001:2022 requirements (Clauses 4-10 and Annex A). This initial assessment does not need to be exhaustive — its purpose is to identify the major gaps that will drive the implementation workplan and resource allocation. Categorise gaps as: already addressed (existing control meets the requirement), partially addressed (control exists but needs enhancement or documentation), or not addressed (no existing control). This gap profile determines the implementation effort and budget required.
If your organisation already holds certifications to other ISO management system standards (ISO 9001, ISO 22301), you can reuse common elements — document control, internal audit procedures, management review processes, and corrective action workflows all share structural requirements across ISO standards.
2. Context of the Organisation and Scope (Clauses 4.1-4.3)
Clause 4.1 requires you to determine external and internal issues relevant to the ISMS purpose and objectives. External issues include the regulatory environment (NIS2, DORA, GDPR applicability), industry-specific requirements, customer contractual obligations, threat landscape trends, and technology evolution. Internal issues include organisational culture, governance structure, existing security capabilities, resource constraints, and strategic business direction. Document these issues formally — they form the context within which all ISMS decisions are made and will be reviewed by the auditor at Stage 1.
Clause 4.2 requires identification of interested parties and their requirements relevant to the ISMS. Interested parties typically include: customers (security requirements in contracts, due diligence expectations), regulators (NIS2, DORA, GDPR, sector-specific regulations), employees (data protection, acceptable use), suppliers and partners (security expectations in supply chain relationships), shareholders or board (risk management expectations), and certification bodies (ISO 27001 standard requirements). For each interested party, document their specific requirements and how those requirements are addressed through the ISMS. The 2022 revision added an explicit requirement to determine which interested party requirements will be addressed through the ISMS.
Clause 4.3 defines the ISMS scope. The scope statement must be documented and available as documented information (a mandatory document that auditors will request). It should clearly describe: the organisational units, functions, and locations included; the information systems, networks, and technology environments covered; the services and processes within scope; and any exclusions with justification. Exclusions from Annex A controls must be justified in the Statement of Applicability (not in the scope statement) — but the scope itself determines which organisational boundaries the ISMS covers. Draft the scope statement early and review it with your certification body before Stage 1 to avoid scope-related audit findings.
3. Leadership and Planning (Clauses 5-6)
Clause 5.1 (Leadership and commitment) requires top management to: establish an information security policy compatible with strategic direction, ensure ISMS requirements are integrated into business processes, ensure resources are available, communicate the importance of effective information security management, ensure the ISMS achieves its intended outcomes, direct and support persons to contribute to ISMS effectiveness, promote continual improvement, and support other relevant management roles. The auditor will verify these commitments through management interview, policy review, and evidence of resource allocation.
Clause 5.2 requires an information security policy that is appropriate to the organisation's purpose, includes information security objectives or a framework for setting them, includes a commitment to satisfy applicable requirements, and includes a commitment to continual improvement. The policy must be documented, communicated within the organisation, and available to interested parties as appropriate. Clause 5.3 requires assignment of ISMS roles, responsibilities, and authorities — critically including responsibility for ensuring the ISMS conforms to ISO 27001 requirements and for reporting ISMS performance to top management.
Clause 6 covers planning. Clause 6.1.1 requires the ISMS to address risks and opportunities identified from the context analysis (Clause 4.1) and interested party requirements (Clause 4.2). Clause 6.1.2 is the core risk assessment requirement: define and apply a risk assessment process that establishes risk acceptance criteria, identifies risks to confidentiality, integrity, and availability, analyses and evaluates those risks, and selects risk treatment options. Clause 6.1.3 requires a risk treatment process that selects appropriate controls (considering Annex A as a reference but not limiting), produces a Statement of Applicability, and formulates a risk treatment plan. Clause 6.2 requires information security objectives at relevant functions and levels — objectives must be measurable, monitored, communicated, and updated as appropriate. Clause 6.3 (new in 2022) requires that changes to the ISMS are planned in a structured manner.
The Statement of Applicability (SoA) is one of the most scrutinised documents in the certification audit. For each of the 93 Annex A controls, state whether it is applicable or not applicable with justification, and for applicable controls, describe the implementation status. Vague or incomplete SoAs are a common source of Stage 1 findings.
4. Support and Operation (Clauses 7-8)
Clause 7 addresses the resources and support infrastructure needed for an effective ISMS. Clause 7.1 requires the organisation to determine and provide resources needed for ISMS establishment, implementation, maintenance, and continual improvement. Clause 7.2 (Competence) requires that persons performing ISMS work are competent on the basis of education, training, or experience — and requires documented evidence of competence (training records, qualifications, experience profiles). Clause 7.3 (Awareness) requires that all persons working under the organisation's control are aware of the information security policy, their contribution to ISMS effectiveness, and the implications of not conforming. Clause 7.4 (Communication) requires the organisation to determine internal and external communications relevant to the ISMS — what to communicate, when, with whom, who communicates, and the processes for communication.
Clause 7.5 (Documented information) sets the requirements for creating, updating, and controlling ISMS documentation. All documented information required by the standard (mandatory documents) and determined by the organisation as necessary for ISMS effectiveness must be controlled: appropriately identified and described, available and suitable for use when needed, and adequately protected. A document control procedure is essential — define naming conventions, version control, review and approval processes, distribution, and retention. Auditors pay particular attention to document control, as it reflects the operational discipline of the management system.
Clause 8 covers operational planning and control. Clause 8.1 requires the organisation to plan, implement, and control the processes needed to meet ISMS requirements and to implement risk treatment actions. This includes managing planned changes and reviewing consequences of unintended changes. Clause 8.2 requires periodic risk assessments at planned intervals or when significant changes occur. Clause 8.3 requires implementation of the risk treatment plan. In practice, Clause 8 is where the ISMS becomes operational — policies are enacted, controls are deployed, risk treatment plans are executed, and the day-to-day operation of information security is conducted. Evidence of operational implementation is the primary focus of Stage 2 audit.
5. Performance Evaluation (Clause 9)
Clause 9.1 (Monitoring, measurement, analysis, and evaluation) requires the organisation to determine what needs to be monitored and measured, the methods used, when monitoring and measurement are performed, who performs them, and when results are analysed and evaluated. Define a set of information security metrics that provide meaningful insight into ISMS effectiveness — for example, the percentage of risk treatment actions completed on schedule, the number and severity of security incidents, the timeliness of vulnerability remediation, security awareness training completion rates, and the results of control effectiveness testing. Avoid metrics that measure activity rather than outcomes.
Clause 9.2 (Internal audit) requires the organisation to conduct internal audits at planned intervals to determine whether the ISMS conforms to the organisation's own requirements, conforms to ISO 27001 requirements, and is effectively implemented and maintained. The internal audit programme must cover the full ISMS scope over a defined cycle (typically annual). Internal auditors must be competent and independent of the activities being audited — you may train internal staff as internal auditors or outsource the function to an external provider. Internal audit findings and their corrective actions are a critical input to the management review and will be closely reviewed by the certification body auditor.
Clause 9.3 (Management review) requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The standard specifies mandatory management review inputs: status of actions from previous reviews, changes in external and internal issues, changes in interested party needs, information security performance (including nonconformities, monitoring results, audit results, and fulfilment of objectives), feedback from interested parties, risk assessment results, and opportunities for continual improvement. Management review outputs must include decisions related to continual improvement and any changes needed to the ISMS. Document the management review minutes thoroughly — they are a mandatory record that auditors will request at every audit.
Schedule your first management review at least two months before the planned Stage 1 audit date. The auditor will want to see evidence of at least one complete management review cycle, including documented inputs, outputs, and follow-up actions.
6. Improvement and Documentation Requirements (Clause 10)
Clause 10.1 (Continual improvement) is the engine of the PDCA cycle. The organisation must continually improve the suitability, adequacy, and effectiveness of the ISMS. This is not an aspiration — auditors will look for evidence of systematic improvement activities. Maintain an improvement register that tracks identified improvement opportunities, their implementation status, and the outcomes achieved. Sources of improvement inputs include internal audit findings, management review decisions, incident post-mortems, risk assessment updates, monitoring and measurement results, and feedback from interested parties.
Clause 10.2 (Nonconformity and corrective action) requires a documented process for handling nonconformities: reacting to the nonconformity (taking action to control and correct it), evaluating the need for corrective action to eliminate the root cause, implementing corrective action, reviewing the effectiveness of corrective action, and making changes to the ISMS if necessary. Records of nonconformities, actions taken, and results must be retained. Auditors will trace the nonconformity management process from identification through root cause analysis to corrective action and effectiveness verification — incomplete closure of nonconformities is a frequent audit finding.
Regarding mandatory documentation, ISO 27001:2022 explicitly requires the following documented information: ISMS scope (4.3), information security policy (5.2), risk assessment process and results (6.1.2, 8.2), risk treatment plan (6.1.3, 8.3), Statement of Applicability (6.1.3), information security objectives (6.2), evidence of competence (7.2), operational planning and control documentation (8.1), monitoring and measurement results (9.1), internal audit programme and results (9.2), management review results (9.3), and nonconformity and corrective action records (10.2). Beyond these mandatory documents, most organisations also maintain: asset inventories, access control policies, incident response procedures, business continuity plans, supplier security assessment records, and change management procedures. The total documentation set typically comprises 20-40 documents for a mid-sized organisation.
7. Annex A Control Categories: A Quick Reference
Annex A of ISO 27001:2022 contains 93 controls organised into four categories. Organisational controls (A.5, 37 controls) cover information security policies, roles and responsibilities, threat intelligence, asset management, access control, identity management, supplier relationships, information security in project management, and incident management. These controls establish the governance and process foundation for information security. Every organisation will find the majority of organisational controls applicable — exclusions must be carefully justified.
People controls (A.6, 8 controls) address human resource security: screening, terms and conditions of employment, information security awareness and training, disciplinary processes, responsibilities after termination, confidentiality agreements, and remote working. Physical controls (A.7, 14 controls) cover physical security perimeters, entry controls, securing offices and facilities, physical security monitoring (new in 2022), protection against environmental threats, working in secure areas, clear desk and clear screen, equipment siting and protection, security of assets off-premises, storage media management, supporting utilities, and cabling security.
Technological controls (A.8, 34 controls) address the technical security measures: user endpoint devices, privileged access, information access restriction, source code access, secure authentication, capacity management, malware protection, technical vulnerability management, configuration management (new in 2022), information deletion (new in 2022), data masking (new in 2022), data leakage prevention (new in 2022), information backup, redundancy, logging, monitoring activities (new in 2022), clock synchronisation, privileged utility use, software installation control, network security, security of network services, web filtering (new in 2022), use of cryptography, secure development lifecycle, security requirements analysis, secure system architecture, secure coding (new in 2022), security testing, outsourced development, and change management. Review each control against your risk assessment to determine applicability and implementation approach, then document the results in your Statement of Applicability.
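The SoA requirement described in Section 3 and the category counts above lend themselves to an automated completeness check before the Stage 1 document review. The following Python script is an added example, not part of the original checklist: it assumes the SoA has been exported as a CSV with the columns control_id, applicable, justification and status (a constructed layout, not a standard one) and flags missing or unknown control IDs, vague exclusion justifications, and applicable controls without an implementation status.

```python
"""Completeness check for an ISO 27001:2022 Statement of Applicability (SoA).

Added example. Assumes a constructed CSV export with the columns
control_id, applicable, justification, status.
"""
import csv
import io
import re

# ISO 27001:2022 Annex A control counts per category (93 controls in total).
ANNEX_A_COUNTS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

# Justifications too short or too generic to survive an auditor's question.
WEAK_JUSTIFICATION = re.compile(r"^(n/?a|not needed|tbd|-|)$", re.IGNORECASE)


def expected_control_ids():
    """Return the full set of 2022 Annex A control identifiers (A.5.1 .. A.8.34)."""
    return {f"{cat}.{n}" for cat, count in ANNEX_A_COUNTS.items()
            for n in range(1, count + 1)}


def check_soa(csv_text):
    """Return a sorted list of findings for the SoA export; empty means clean."""
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
        seen.add(cid)
        applicable = row["applicable"].strip().lower() == "yes"
        justification = row["justification"].strip()
        status = row["status"].strip()
        # Every control, applicable or not, needs a real justification.
        if WEAK_JUSTIFICATION.match(justification):
            findings.append(f"{cid}: justification missing or vague")
        # Applicable controls must state how far implementation has progressed.
        if applicable and not status:
            findings.append(f"{cid}: applicable but no implementation status")
    expected = expected_control_ids()
    for missing in sorted(expected - seen):
        findings.append(f"{missing}: not listed in the SoA")
    for unknown in sorted(seen - expected):
        findings.append(f"{unknown}: not an ISO 27001:2022 Annex A control")
    return sorted(findings)


def build_sample_soa():
    """Constructed sample export: complete except for four deliberate defects."""
    rows = ["control_id,applicable,justification,status"]
    for cid in sorted(expected_control_ids()):
        if cid == "A.5.37":
            continue  # defect: control omitted entirely
        if cid == "A.7.1":
            rows.append(f"{cid},no,n/a,")  # defect: vague exclusion justification
        elif cid == "A.8.7":
            rows.append(f"{cid},yes,Required by risk R-12,")  # defect: no status
        else:
            rows.append(f"{cid},yes,Selected by risk assessment,Implemented")
    rows.append("A.9.1,yes,Legacy numbering,Implemented")  # defect: not a 2022 control
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for finding in check_soa(build_sample_soa()):
        print(finding)
```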
What are the mandatory documents for ISO 27001 certification?
ISO 27001:2022 explicitly requires documented information for: ISMS scope statement (Clause 4.3), information security policy (Clause 5.2), risk assessment process and results (Clauses 6.1.2 and 8.2), risk treatment plan (Clauses 6.1.3 and 8.3), Statement of Applicability (Clause 6.1.3), information security objectives (Clause 6.2), evidence of competence (Clause 7.2), operational planning and control records (Clause 8.1), monitoring and measurement results (Clause 9.1), internal audit programme and results (Clause 9.2), management review records (Clause 9.3), and nonconformity and corrective action records (Clause 10.2). Most organisations supplement these with additional documents such as asset inventories, access control policies, incident response procedures, and business continuity plans.
How often should we conduct internal audits?
ISO 27001 requires internal audits at planned intervals. The standard does not prescribe a specific frequency, but the entire ISMS scope must be covered within the audit cycle (typically 12 months). Most organisations conduct internal audits annually, covering the full scope in one or more audit events. Some larger organisations use a rolling audit programme that covers different ISMS areas quarterly, ensuring complete scope coverage over the year. The internal audit must be completed before each management review, as audit results are a mandatory management review input.
Can we exclude Annex A controls?
Yes, but exclusions must be justified and documented in the Statement of Applicability. A control may be excluded only if it is genuinely not applicable to the organisation's risk profile, technology environment, or operational context — not because it is inconvenient or expensive to implement. For example, an organisation with no physical office may reasonably exclude certain physical security controls. However, auditors will scrutinise exclusions carefully, and excluding controls that are obviously relevant (e.g., excluding malware protection or access control) will result in an audit finding.
What is the difference between Clause requirements and Annex A controls?
The Clause requirements (Clauses 4-10) are mandatory management system requirements that apply to every ISO 27001-certified organisation without exception. They define the governance structure, planning, support, operation, performance evaluation, and improvement processes of the ISMS. Annex A controls are a reference set of information security controls that the organisation evaluates for applicability through the risk assessment and treatment process. While Clause requirements are non-negotiable, Annex A controls may be included or excluded based on the risk assessment — but every control must be considered and the decision documented in the Statement of Applicability.
How do we prepare for the Stage 1 audit specifically?
Stage 1 is a documentation and readiness review. To prepare, ensure the following are complete and available: ISMS scope statement, information security policy, risk assessment methodology and results, risk treatment plan, Statement of Applicability, information security objectives, internal audit plan and results from at least one audit cycle, management review minutes from at least one review, and key operational procedures (incident management, access control, change management). The Stage 1 auditor reviews these documents to confirm that the ISMS is designed to meet the standard's requirements and that the organisation is ready for the Stage 2 implementation audit.