ISO 27001 Checklist: Everything You Need to Get Certified

Getting ISO 27001 certified involves a lot of moving parts — clauses, controls, documents, evidence, audits. This checklist pulls it all together into a single, phased framework you can work through from day one to certification day.

The list is structured around five phases that mirror the implementation journey: foundation, planning, implementation, checking, and audit readiness. Each phase maps directly to the clauses of the standard. Work through them in order, and by the time you reach Phase 5, you’ll have everything an auditor expects to see.

One important note: ticking items on a checklist isn’t enough. Each item requires thought, tailoring to your business and real evidence — a document, a record, a meeting minute, a log entry.

The checklist tells you what to have. Your ISMS tells the auditor you’re actually doing it.

Phase 1 — Foundation

ISO 27001 is a project, and all projects need preparation. Before you write a single policy or assess a single risk, get the groundwork in place. These steps aren’t part of the formal standard requirements, but skipping them is the most common reason ISO 27001 (or any) projects stall.

Foundation Activities

☐ Define the purpose and business case for ISO 27001

Why are you doing this, and what does success look like?

☐ Appoint an ISMS lead

One person who owns the project and is accountable for progress

☐ Secure formal commitment from senior leadership

The standard requires it, and without it, the project will struggle

☐ Agree on a realistic timeline and budget

Most UK SMEs can achieve certification in 60–90 days with focused effort

☐ Decide whether you’re working independently, using the DIY course, or engaging a consultant

Multiple routes offer different advantages – decide which is best for your organisation.

☐ Run an initial gap analysis to understand where you are now relative to the standard’s requirements

If you already have some pockets of information security, then a gap analysis may add value. If you are certain you have none, then why bother?

Phase 2 — Planning (Clauses 4–6)

This is where your ISMS takes shape on paper. You’re defining what you’re protecting, who cares about it, what the risks are, and how you’ll treat them. The planning phase produces the core strategic documents your auditor will review at Stage 1.

Context and Scope (Clause 4)

☐ Document the internal and external issues relevant to your organisation’s information security (Clause 4.1)

List the influences that shape your security (regulations, market changes, client contracts, etc.)

☐ Identify interested parties — customers, regulators, staff, suppliers — and their security requirements (Clause 4.2)

Who is interested in your security?

☐ Define and document your ISMS scope — what parts of the business are included and why (Clause 4.3)

What business functions, physical offices, products, etc. are covered by the ISMS?

☐ Get the scope approved by top management

Keep evidence of the approval (e.g. a signed scope document or a minuted decision) as proof of top management support

Leadership and Objectives (Clause 5 and Clause 6.2)

☐ Information Security Policy written, approved by leadership, and communicated to staff (Clause 5.2)

An overarching security policy

☐ Roles and responsibilities for information security defined and assigned (Clause 5.3)

Capture who is responsible for what.

☐ ISMS objectives documented and aligned with the organisation’s overall goals (Clause 6.2)

Document some objectives (who, what, when) for the ISMS for the next 6–12 months.

Risk Management (Clause 6)

☐ Risk assessment methodology documented — how you identify, score and prioritise risks (Clause 6.1.2)

Outline your approach to managing risks.

☐ Risk assessment completed; threats, vulnerabilities, likelihood and impact scored for all assets in scope (Clause 6.1.2)

Log, score and prioritise risks.

☐ Risk treatment options decided for each risk (Clause 6.1.3)

Evaluate options and decide upon your response to risks, e.g. accept, treat, transfer or avoid

☐ Risk Treatment Plan produced and approved by management (Clause 6.1.3)

Document your plan to address risks.

☐ Statement of Applicability (SoA) completed — all 93 Annex A controls listed, applicable ones selected with justification (Clause 6.1.3d)

Evaluate the 93 controls, decide which apply to your business, and determine what you will do to meet them.


Phase 3 — Implementation (Clauses 7 & 8)

Planning tells you what to do. Implementation is where you actually do it. This phase covers your supporting infrastructure: people, processes, documents and operational controls — plus the Annex A controls from your SoA.

Support (Clause 7)

☐ Resources allocated for ISMS operation — time, budget, tooling (Clause 7.1)

Capture what you are going to need to deliver your ISMS (people, funding, tools, etc.)

☐ Competence requirements identified for all roles involved in information security (Clause 7.2)

Who will need what training?

☐ Staff security awareness programme in place — all relevant staff trained (Clause 7.3)

How will you make staff and other relevant parties aware of what they need to know (the policy, their contribution to the ISMS, the implications of not conforming, etc.)?

☐ Internal and external communication processes defined (Clause 7.4)

Define a communication plan; what, to whom, and when.

☐ Documented information (policies and procedures) created, approved and version-controlled (Clause 7.5)

Capture how you will control documentation (approval cycles, knowledge base, etc.)

Operation (Clause 8)

☐ Operational controls implemented for all planned activities in scope (Clause 8.1)

Implement processes and track their progress.

☐ Risk assessment repeated or reviewed to confirm it reflects the current state (Clause 8.2)

Risk assessment is a recurring process, not a one-off: repeat it at planned intervals and when significant changes occur.

☐ Risk treatment actions completed and evidenced — not just planned, actually done (Clause 8.3)

Risk treatment is likewise ongoing: keep records showing each planned treatment was carried out.


Phase 4 — Checking & Improvement (Clauses 9 & 10)

Clause 9 requires you to check that your ISMS is working. Clause 10 requires you to act on what you find. In practice, these happen together — you run an audit or management review, identify issues, and close them. Both must be evidenced before your Stage 2 audit.

Performance Evaluation (Clause 9)

☐ Monitoring and measurement processes defined — what you measure, how, and how often (Clause 9.1)

Define what you will monitor and measure, the methods used, when it is done, who does it, and when and by whom the results are analysed and evaluated.

☐ Internal audit programme conducted against all clauses 4–10 and applicable Annex A controls (Clause 9.2)

A planned and executed internal audit programme and findings

☐ Management review minutes produced (Clause 9.3)

Documented inputs and minutes of the meeting

Improvement (Clause 10)

☐ Continual improvement plan(s) evidenced (Clause 10.1)

An improvement plan or actions are documented.

☐ Nonconformities & corrective actions are logged (Clause 10.2)

Any deviations from the standard or the ISMS’s own policies / procedures are captured and addressed.


Phase 5 — Audit Readiness

This is your final pre-certification check. Before you book your Stage 2 audit, work through this list. If you can honestly tick everything here, you’re ready.

Documentation

☐ ISMS Scope document

☐ Information Security Policy

☐ Risk Assessment Methodology

☐ Risk Register (Risk Assessment results)

☐ Risk Treatment Plan

☐ Statement of Applicability (SoA)

☐ Information Security Objectives

☐ Competence and Training Records

☐ Evidence of monitoring and measurement results

☐ Internal Audit Programme and Report

☐ Management review meeting minutes

☐ Nonconformity and Corrective Action Log

☐ Documented information required by applicable Annex A controls

All 14 mandatory document templates are available as free, ready-to-edit Word and Excel files in the Iseo Blue free toolkit.

Download them, and your mandatory document checklist is half done.


Evidence of Operation

☐ Records exist showing the ISMS has been operational — not just documented but used

☐ Incident log maintained (even if no incidents — a log with zero entries is valid)

☐ Training and awareness records for all relevant staff

☐ Supplier security assessments or agreements in place for applicable suppliers

☐ Asset inventory maintained and current


Annex A Controls Checklist

ISO 27001:2022 contains 93 controls in Annex A, grouped into four themes: Organisational (37 controls), People (8 controls), Physical (14 controls) and Technological (34 controls).

You do not need to implement all 93. You need to assess each one, decide whether it applies to your organisation and risks, document your decision in the Statement of Applicability, and implement the ones that do apply with evidence.

☐ Work through all 93 controls in Annex A during your risk treatment planning

☐ For not-applicable controls: document the justification (e.g. “No physical premises — controls 7.1–7.14 not applicable”)

☐ For applicable controls: assign an owner, set a target implementation date, and track evidence

☐ Review the SoA at each management review — the control set should evolve as your risks change

A quick way to work through the full control set is the free Annex A Control Applicability Checker — it walks you through all 93 controls and helps you build your SoA.


FAQs

Is there an official ISO 27001 checklist?

There is no single official checklist published by ISO. The standard itself is structured as requirements (“the organisation shall…”) rather than a tick-box list. This checklist interprets those requirements into practical steps — but the underlying obligations all come from ISO/IEC 27001:2022. Your auditor will assess your ISMS against the standard, not against any particular checklist format.

How long does it take to work through the ISO 27001 checklist?

For a UK SME with a focused scope, most organisations work through all five phases and reach audit readiness in 60–90 days. The biggest variable is team availability — a part-time project with one person dedicating a few hours per week will take longer than a dedicated implementation sprint. Phase 2 (risk assessment and SoA) is typically the most time-consuming.

What is the difference between an ISO 27001 checklist and a gap analysis?

A gap analysis is a one-time assessment you run at the start of your project to understand where you currently stand relative to the standard’s requirements. A checklist is what you work through during implementation to build and evidence your ISMS. The gap analysis tells you how big the job is. The checklist is the job itself.

Does ISO 27001 have 93 controls or 114?

The current version — ISO/IEC 27001:2022 — has 93 controls. The previous version (ISO 27001:2013) had 114 controls. If you are implementing ISO 27001 today, you should be working to the 2022 version. Certification bodies are no longer issuing certificates against the 2013 standard.

Can I use a checklist to prepare for my Stage 2 audit?

Yes — Phase 5 of this checklist is specifically designed as a pre-Stage 2 readiness check. If you can honestly tick every item in Phase 5, you are in a strong position for your audit. The most common reason organisations fail Stage 2 is not gaps in documentation but gaps in evidence — policies that exist but aren’t being followed, or controls that are listed in the SoA but haven’t been implemented.

Where can I get a downloadable ISO 27001 checklist?

The free Iseo Blue toolkit includes a requirements checklist alongside the 14 mandatory document templates. It covers clauses 4–10 and gives you a working document to track your progress. Download it free — no commitment required.


Ready to Start Working Through It?

The checklist tells you what to do. The free toolkit gives you the documents to do it with — 14 mandatory templates, ready to edit, aligned to ISO 27001:2022. Or if you’d rather have someone guide you through every step, the 90-day consultancy programme covers everything in this checklist from scoping to certification.

ISO 27001 Full Document Toolkit

Every document your auditor expects to see.

130 Word & Excel templates, ready to edit. Policies, risk register, Statement of Applicability, audit pack, staff communications — all updated for ISO 27001:2022.

130 templates

Instant download

Written by practising consultant

ISO 27001:2022

ISO 27001 Consultancy

Get ISO 27001 certified in 90 days. I’ll coach you through every step.

Fully remote. Fixed fee. Working with SMEs across the UK, EU and USA.

✔ Audit-ready plan with structured checkpoints
✔ Full toolkit + templates included
✔ Expert support throughout

Cancel any time
Pro-rata refund on unused sessions

✔ Defined scope, SoA and risk treatment
✔ Plain-English — no jargon
✔ Trusted auditor recommendations

First-pass guarantee
If you don’t pass, I fix it for free

“..no-nonsense help in achieving our UKAS-accredited ISO 27001 certification…”
– Periculum Security Group (UK)

£3,500 fixed fee

20% Discounts for micro-organisations