ISO 27001 Compliance Checklist Template

Phase 1

ISMS Context, Scope & Leadership (Clauses 4–5)

• Identify internal and external factors relevant to the purpose of the ISMS and that affect its intended outcomes (Clause 4.1)
• Identify all interested parties — customers, regulators, employees, suppliers — and their relevant requirements (Clause 4.2)
• Define and document the ISMS scope — which information assets, business processes, locations, and organisational units are included (Clause 4.3)
• Obtain and document senior management commitment to the ISMS — confirm the information security policy is approved and signed at the appropriate level (Clause 5.1)
• Assign information security roles and responsibilities — appoint an ISMS lead or Information Security Manager (Clause 5.3)
• Draft the information security policy — confirm it states objectives, commitment to compliance, and continual improvement (Clause 5.2)
• Confirm the policy is communicated to all relevant internal and external parties
• Establish the ISMS governance structure — confirm who owns the ISMS, who reviews it, and who has authority to make decisions

Phase 2

Risk Assessment, Treatment & Statement of Applicability (Clause 6)

• Define and document the risk assessment methodology — criteria for accepting risks and performing assessments
• Identify all information assets within the ISMS scope
• Conduct the risk assessment — identify threats, vulnerabilities, and impacts for each information asset
• Evaluate risks against the risk acceptance criteria and prioritise by likelihood and impact
• Select risk treatment options for each identified risk — accept, treat, transfer, or avoid
• Map selected treatment options to applicable Annex A controls
• Produce the risk treatment plan — document treatment actions, owners, and target dates
• Produce the Statement of Applicability (SoA) — list all 93 Annex A controls, confirm which are applicable, which are excluded, and justify each exclusion
• Obtain management approval of the risk treatment plan and SoA
• Establish a process for managing and reviewing the risk register on an ongoing basis

Phase 3

Annex A — Organisational Controls (A.5, 37 controls)

Organisational controls cover policies, rules, and procedures affecting the organisation as a whole. Select applicable controls based on your SoA.

• Develop and publish information security policies covering all relevant areas — access control, cryptography, physical security, supplier relationships, incident management (A.5.1)
• Establish information security roles and responsibilities — confirm segregation of duties where required (A.5.2, A.5.3)
• Implement asset management — identify and document all information assets, assign ownership, and classify by sensitivity (A.5.9, A.5.10, A.5.12)
• Implement access control policy — define rules for granting, reviewing, and revoking access rights (A.5.15)
• Establish supplier and third-party security requirements — confirm security clauses are included in supplier contracts (A.5.19, A.5.20)
• Implement incident management procedures — define how incidents are reported, classified, and responded to (A.5.24, A.5.25, A.5.26)
• Implement threat intelligence processes — collect and analyse information about relevant threats (A.5.7) [New in 2022]
• Implement data leakage prevention measures where applicable (A.5.33) [New in 2022]
• Confirm all applicable organisational controls are documented and implemented per the SoA

Phase 4

Annex A — People, Physical & Technological Controls (A.6–A.8)

Select applicable controls based on your SoA. People controls (A.6) cover the full employee lifecycle and are typically implemented jointly by IT and HR.

• Conduct pre-employment background and reference checks for roles with access to sensitive information (A.6.1)
• Include information security responsibilities in employment contracts (A.6.2)
• Deliver information security awareness training to all staff — maintain training records as mandatory evidence (A.6.3)
• Define and implement a structured offboarding process — ensure access rights are revoked and assets returned promptly when employment ends (A.6.5)
• Implement remote working security controls — policies, equipment standards, and VPN requirements (A.6.7) [New in 2022]
• Establish a confidential reporting mechanism for employees to report security concerns (A.6.8) [New in 2022]

• Define and implement physical security perimeter controls — access restrictions to facilities housing sensitive information (A.7.1, A.7.2)
• Implement clear desk and clear screen policies (A.7.7)
• Confirm secure disposal of storage media before reuse or disposal (A.7.10, A.7.14)
• Implement physical security monitoring where applicable (A.7.4) [New in 2022]

• Implement user endpoint device management — policies for laptops, mobiles, and removable media (A.8.1)
• Implement privileged access management — restrict and monitor privileged accounts (A.8.2)
• Implement access rights management — provisioning, periodic review, and timely revocation (A.8.3, A.8.5)
• Implement malware protection across all relevant systems (A.8.7)
• Implement vulnerability management — regular scanning and timely patching (A.8.8)
• Implement logging and monitoring — activity logs, anomaly detection, and log protection (A.8.15, A.8.16)
• Implement data masking where personal or sensitive data is processed (A.8.11) [New in 2022]
• Implement secure coding practices where software is developed in-house (A.8.28) [New in 2022]
• Confirm ICT readiness for business continuity — redundancy and failover for critical systems (A.8.14) [New in 2022]
• Confirm all applicable technological controls are documented and implemented per the SoA

Phase 5

Documentation, Training & Performance Evaluation (Clauses 7–9)

• Confirm all mandatory documented information required by ISO 27001:2022 is in place — scope, policy, risk assessment, risk treatment plan, SoA, objectives, and records of competence, training, and monitoring
• Establish document control procedures — version control, approval, distribution, and defined review cycles
• Deliver information security awareness training to all staff — confirm completion is recorded for all employees
• Deliver role-specific training for staff with ISMS responsibilities
• Implement ongoing security awareness programme — confirm it covers phishing, social engineering, data handling, and incident reporting
• Define ISMS performance metrics and objectives — establish how effectiveness will be measured
• Implement monitoring and measurement procedures for key controls
• Develop and execute the internal audit programme — confirm all clauses and applicable SoA controls are covered across the audit cycle
• Conduct internal audits — document findings and nonconformities
• Conduct management review — confirm senior management participation, document inputs, outputs, and decisions

Phase 6

Certification Audit & Ongoing Maintenance (Clause 10 + External Audit)

• Address all internal audit nonconformities before the external certification audit
• Confirm the certification body is accredited by a recognised national accreditation body (e.g. UKAS, ANAB)
• Submit ISMS documentation for Stage 1 (documentation review) audit
• Address any issues identified at Stage 1 before Stage 2
• Undergo Stage 2 (on-site) certification audit — confirm all mandatory documents and evidence are available and current
• Address any nonconformities from Stage 2 within the agreed timeframe and submit corrective action evidence
• Receive ISO 27001 certificate — verify the scope statement is accurate and references ISO/IEC 27001:2022
• Establish the annual surveillance audit schedule
• Maintain ongoing ISMS activities between surveillance audits — internal audits, management reviews, risk assessment updates, and control monitoring
• Assess impact of any significant changes (new systems, new processes, staff changes) on the ISMS and update documentation accordingly
• Schedule recertification (every three years) with adequate preparation time