A structured framework for implementing, maintaining, and certifying any ISO management system standard.
Achieving ISO certification — whether ISO 27001 for information security, ISO 9001 for quality management, ISO 45001 for occupational health and safety, or any other management system standard — requires the same fundamental discipline: documented processes, consistent execution, evidence of review, and a culture of continual improvement. This free ISO compliance checklist template gives quality managers, information security managers, and compliance teams a structured framework for the full ISO implementation lifecycle — from initial gap analysis through to certification audit preparation and ongoing maintenance. Use it as a reference or run it as a live, trackable checklist in CheckFlow, with tasks assigned across departments and every completed step logged for your certification evidence file.
An ISO compliance checklist is a structured tool used to plan, implement, audit, and maintain compliance with an ISO management system standard. While specific requirements vary by standard — ISO 27001 focuses on information security, ISO 9001 on quality management, ISO 14001 on environmental management, ISO 45001 on occupational health and safety — all ISO management system standards share a common architecture: the Plan-Do-Check-Act (PDCA) cycle, a set of mandatory clauses covering context, leadership, planning, support, operation, performance evaluation, and improvement, and an Annex or equivalent containing specific controls or requirements.
A well-structured ISO compliance checklist maps to this common architecture. It guides organisations through the initial gap analysis (where are we versus where ISO requires us to be), documentation and policy development, implementation of required controls and processes, internal audit, management review, and preparation for the external certification audit. Once certified, the same framework supports the ongoing surveillance audit cycles that maintain certification.
For organisations implementing ISO for the first time, a structured checklist ensures no mandatory clause is missed. For organisations maintaining existing certifications, it provides the repeatable annual framework that keeps compliance current and certification renewal straightforward.
What the ISO Compliance Checklist Covers
This checklist maps to the six key stages of an ISO management system implementation and maintenance lifecycle, applicable to any ISO standard including ISO 27001, ISO 9001, ISO 14001, and ISO 45001.
Phase 1: Gap Analysis & Scoping
Identify the ISO standard(s) applicable to your organisation and confirm the version in use is current
Define the scope of the management system — which parts of the organisation, which processes, and which locations are included
Identify exclusions from scope and document the justification for each
Conduct a gap analysis — review each clause and Annex requirement and assess current compliance status (compliant, partial, non-compliant, not applicable)
Review existing policies, procedures, and documentation for relevance and alignment with ISO requirements
Identify mandatory documents and records required by the standard
Assess existing controls and processes against standard requirements — document gaps and deficiencies
Identify regulatory, contractual, and stakeholder requirements relevant to the management system scope
Prioritise gaps by risk and effort required to close
Confirm senior management commitment and assign an ISO implementation lead
Phase 2: Policy & Documentation Development
Draft or update the top-level management system policy statement — confirm it is signed by senior management
Develop or update all mandatory procedures required by the standard
Develop the scope statement and statement of applicability (where required by the standard)
Create or update the risk assessment and risk treatment methodology
Complete the risk assessment — identify, analyse, and evaluate risks within scope
Develop the risk treatment plan and confirm treatment decisions are documented
Create or update all other mandatory documents — objectives, roles and responsibilities, competence records, communication plan
Establish document control procedures — version control, approval, distribution, and review cycles
Confirm all documents are stored securely and accessible to relevant personnel
Review and update documentation at defined intervals or following significant changes
Phase 3: Implementation & Controls
Implement all controls and procedures identified in the risk treatment plan (or equivalent for the standard in scope)
Assign ownership and accountability for each control to a named individual or role
Implement monitoring and measurement procedures for key controls and objectives
Establish supplier and third-party management procedures where required by the standard
Implement incident management and nonconformity procedures — ensure staff know how to report and escalate issues
Establish procedures for identifying and meeting legal and regulatory requirements within scope
Implement business continuity or emergency preparedness procedures where required
Confirm physical and environmental controls are in place where applicable
Confirm technical and IT controls are implemented and verified where applicable
Document evidence of implementation for each control — this is your certification evidence file
Phase 4: Training & Awareness
Identify training requirements for all roles involved in the management system
Develop or source training materials relevant to the standard and your organisation’s scope
Deliver awareness training to all relevant staff — confirm understanding of the management system and individual responsibilities
Deliver role-specific training for staff with operational responsibilities under the management system
Record training completion for all staff — maintain training logs as mandatory records
Confirm new joiners receive relevant induction training on the management system
Establish a process for identifying and addressing competence gaps on an ongoing basis
Schedule refresher training at appropriate intervals
Confirm training records are retained for the required period
Phase 5: Internal Audit & Management Review
Develop the internal audit programme — confirm all clauses and Annex requirements are covered across the audit cycle
Appoint internal auditors who are independent of the areas they are auditing
Conduct internal audits per the programme — document findings, nonconformities, and opportunities for improvement
Issue audit reports and confirm all nonconformities have assigned owners and remediation plans
Verify remediation of nonconformities before the external certification audit
Record management review decisions and actions with owners and target dates
Confirm the management system remains suitable, adequate, and effective following the review
Update the internal audit programme for the next cycle
Phase 6: Certification Audit & Ongoing Maintenance
Confirm the certification body is accredited by a recognised national accreditation body
Submit the management system documentation to the certification body for Stage 1 audit
Address any issues identified in the Stage 1 document review before the Stage 2 audit
Undergo Stage 2 (on-site) certification audit — confirm all mandatory documents and records are available
Address any nonconformities identified during the Stage 2 audit and submit corrective action plans within required timeframes
Receive ISO certificate — confirm the scope statement on the certificate is accurate
Establish the annual surveillance audit schedule with the certification body
Conduct ongoing internal audits and management reviews on schedule to maintain compliance between surveillance audits
Schedule the recertification audit (typically every three years) with adequate preparation time
Monitor updates to the ISO standard and assess impact on your management system when new versions are published
This checklist is available as a free, runnable template in CheckFlow — with tasks assigned across compliance, IT, operations, and management teams, evidence of completion captured at every step, and a full audit trail for your certification file.
The six-phase framework above applies to any ISO management system standard. The standards most commonly implemented with it are listed below.
ISO 27001
Information Security Management
Protects the confidentiality, integrity, and availability of information. Covers the ISMS, risk assessment, Annex A security controls, and incident management.
Relevant to: IT managers, CISOs, technology businesses
ISO 9001
Quality Management
Ensures consistent product and service quality through documented processes, customer focus, and continual improvement. The world’s most widely adopted ISO standard.
Relevant to: Quality managers, operations teams, manufacturing and services businesses
ISO 45001
Occupational Health & Safety
Protects workers from work-related injury and ill health. Covers hazard identification, risk controls, incident reporting, and worker participation.
Relevant to: HSE managers, facilities teams, any organisation with physical workplace risks
ISO 14001
Environmental Management
Helps organisations identify and manage their environmental impact — including energy use, waste, emissions, and regulatory compliance.
Relevant to: Environmental managers, sustainability teams, regulated industries
ISO 22301
Business Continuity Management
Ensures organisations can continue critical operations during and after disruptions. Closely linked to disaster recovery planning and testing.
Relevant to: IT managers, risk managers, business continuity professionals
ISO 42001
AI Management System
The newest ISO management system standard, covering responsible development and deployment of AI systems — governance, risk management, transparency, and accountability.
Relevant to: Technology businesses, AI product teams, governance and compliance
CheckFlow’s template can be customised for any of these standards. The six-phase framework above applies to each — with tasks, controls, and evidence requirements adapted to the specific standard in scope.
Why Manage ISO Compliance in CheckFlow?
Evidence of compliance, built in
ISO certification requires documented evidence that processes are being followed — not just that they exist on paper. Every task completed in CheckFlow is logged with a timestamp and the name of the person who completed it. Your certification evidence file builds itself as your team works through the checklist, ready to present at Stage 1, Stage 2, and every surveillance audit.
ISO implementation touches IT, HR, operations, facilities, and senior management simultaneously. CheckFlow assigns tasks to the right person in each department automatically, notifies them when their action is due, and gives the ISO lead a real-time view of progress across the entire programme — without a single status meeting.
Maintaining ISO certification requires annual internal audits, management reviews, and surveillance audit preparation — on schedule, every year. CheckFlow’s recurring checklist feature automates the schedule so nothing is missed or deferred. The same structured checklist, the same assignment logic, every cycle.
ISO 27001 specifically requires that access rights are revoked promptly when employees leave. CheckFlow’s IT offboarding checklist ensures every departure triggers an immediate, structured access revocation process — with a timestamped audit trail that satisfies the ISO 27001 Annex A control requirement. Learn more about CheckFlow for IT offboarding →
Yes — the six-phase framework on this page (gap analysis, documentation, implementation, training, internal audit and management review, certification and maintenance) applies to any ISO management system standard, including ISO 27001, ISO 9001, ISO 45001, ISO 14001, and ISO 22301. The specific tasks within each phase vary by standard — ISO 27001 has 93 Annex A security controls; ISO 9001 focuses on quality objectives and customer satisfaction — but the overall implementation lifecycle is the same. CheckFlow’s template can be customised for any standard by adapting the task content to the specific requirements in scope.
How long does ISO certification typically take?
For most organisations, initial ISO certification takes between six and eighteen months, depending on the standard, the size and complexity of the organisation, and how far the existing management practices already align with ISO requirements. Organisations that begin with a thorough gap analysis and have strong senior management commitment typically achieve certification faster. Once certified, surveillance audits are conducted annually and full recertification occurs every three years.
What is the difference between a Stage 1 and Stage 2 certification audit?
A Stage 1 audit (also called a documentation review or readiness review) is conducted remotely or on-site by the certification body. The auditor reviews your management system documentation to confirm it meets the standard’s requirements and that your organisation is ready for the Stage 2 audit. Any issues found at Stage 1 should be addressed before Stage 2. A Stage 2 audit (the certification audit) is an on-site assessment that verifies your management system is implemented and operating effectively in practice. Successful completion of Stage 2 results in the award of the ISO certificate.
What evidence does an ISO auditor typically ask to see?
ISO auditors look for documented evidence that your management system is implemented and operating as described. Common evidence includes: the signed management system policy, completed risk assessments, the statement of applicability (ISO 27001), documented procedures and work instructions, training records, internal audit reports, management review minutes, records of nonconformities and corrective actions, and monitoring and measurement data. CheckFlow produces a timestamped audit trail of every completed task, which serves as evidence of procedure execution throughout the certification period.
Does CheckFlow help maintain ISO compliance after initial certification?
Yes — maintaining certification is where CheckFlow is particularly valuable. Annual internal audits, management reviews, and ongoing control monitoring must be conducted on schedule and documented for each surveillance audit cycle. CheckFlow’s recurring checklist feature schedules these activities automatically, assigns tasks to the right people, and produces a timestamped record of completion — ensuring your evidence file is always current for the next surveillance or recertification audit.
Is CheckFlow free to use for this template?
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
Start Managing ISO Compliance Consistently Today
Free trial — no credit card required.