ISO 27001 Checklist: 13-Step Implementation Guide

ISO 27001 Checklist: 13-Step Implementation Guide

Preparing for ISO 27001 certification can get quickly complex and cumbersome without a proper plan in place. Even so, it isn’t uncommon to feel slightly inundated by the reams of paperwork and organization-wide coordination the framework demands. To help with your ISO 27001 certification journey, we have developed an easy step-by-step ISO 27001 checklist of things to do. The checklist will help organize your way around the mountain of tasks to be completed to achieve your ISO 27001 certification. And not to mention the dopamine high of checking things off the list! 

ISO 27001 Compliance Checklist


While you can scour the internet and find many ISO 27001 compliance checklist – each promising to make your compliance journey more manageable, there’s a caveat. It wouldn’t always fit your requirement bill. We understand that making a checklist is an effortful process, especially when it comes to compliances such as ISO 27001. And so, we have come up with a detailed ISO 27001 controls checklist that helps you tick even the smallest of ToDos off the list, ensuring no detail is missed. 

iso 27001 checklist

Step 1: Form an ISO 27001 Internal Team

Treat this team as your task force for ISO 27001 Compliance Checklist. They will own and lead the compliance initiative, as well as work and coordinate with all the other stakeholders to take the process to its completion. The team can comprise an Infosec Officer (you can internally nominate one if needed) and key members from your IT team. You must ensure the roles and responsibilities are clearly etched out for each team member, and they have the right level of oversight to make sure the requirements as per ISO 27001 checklist are met. 

Step 2: Build your ISMS

Before you can build an ISMS, you must scope and design it. The ISMS scope defines which information and information assets you intend to protect and is based on your:

  • Organization Structure
  • Business Needs & Locations
  • Business’ Critical Processes & Products

The scope must include your organization’s systems, processes, physical locations, services, and products, to name a few that must be protected. Since each business is unique and handles different types of data, you’ll need to determine what kind of data you have to protect before you build an ISMS. Ask yourself which service, product, or platform your customers want ISO certified. 

Remember, any organizational assets outside the scope would be treated as those external to your company. The scope must be defined as a separate document or as part of your overall information security compliance policy. And don’t forget to get management approval for the scope.

Step 3 – Create and Publish ISMS Policies, Procedure & Documentation

The ISO 27001 checklist is heavy on documentation and requires the organization to set up policies and procedures to control and mitigate risks to its ISMS. 

Policies you need to have in place:

  • Information Security Policy 
  • Mobile Device Policy 
  • Remote Access / Teleworking Policy 
  • Access Control Policy 
  • Clear Desk and Screen Policy 
  • Acceptable Use of Information Assets Policy 
  • Communications (Information Transfer) Policy 
  • Secure Development Policy or Plan 
  • Supplier Management Security Policy)

Mandatory documents for the management of the ISMS:

  • Scope of ISMS
  • Statement of Applicability (covered in detail later)
  • Inventory of Assets
  • Risk Assessment and Treatment Plan (covered in detail later)
  • Security Roles & Responsibilities

Mandatory procedures required:

  • Information Classification and Management
  • Asset Management
  • Vulnerability Management
  • Management of (Removable) Media and Storage Devices
  • User Access Management
  • Working in secure areas
  • Change Management
  • Capacity Management
  • Anti-Malware
  • Backup and Recovery
  • Information Security Incident Management
  • Business Continuity Plan

Additional documents needed: 

  • Job Descriptions of employees dealing with Information Security
  • Training of Staff 
  • Audit Plans
  • Internal and External Audits and the results
  • Maintenance Plans and Performed Maintenance Work 
  • Logs, KPIs, Key Figures, Configuration Files, and Network Plans
  • Minutes of the Meetings (capturing discussion of risks and overall security topics)

Step 4: Conduct Risk Assessment & Treatment

You must conduct an internal risk assessment of your assets and systems. You must then identify the risks that could impact data confidentiality, integrity, and availability for these, assign a probability of their occurrence and peg the impact levels (high to low). Remember, the objective here is to assess the risks to prioritized information assets and implement controls to placate the likelihood of these risks developing into actual security incidents and compromise. Your ISO 27001 controls checklist measures should include people, processes and technology. Annex A specifies 114 ISO 27001 controls in 14 groups covering policy, access control and supplier relationships. 

Therefore, the risk treatment (remediation) involves procedures/measures to be taken to decrease the identified risks to an acceptable level. The risk assessment methodology and measurement must be agreed upon in advance and applied consistently.

iso 27001 controls checklist
An overview of the Risk Assessment and Treatment Plan – Sample

Again, have clear documentation of it all as part of your ISO 27001 Compliance Checklist.

Step 5: Ready the Statement of Applicability (SOA)

The SOA for ISO 27001 is a list of all of the controls from Annex A that apply to your organization. The SOA should reveal which controls the organization has chosen to mitigate the identified risks. It should also include justifications for the inclusion and exclusion of controls. It should point to the relevant documentation on the implementation of each control. 

There are 11 ISO 27001 requirements (mandatory), with 114 security controls grouped into 14 sections (Annex A). To know more about the controls listed in Annex A, you can refer to the ISO 27002 standard that details the controls.

Step 6: Implement ISMS Policies and Controls

Implementing the ISMS policies and controls is the most critical step in your ISO 27001 checklist. You can consider the oft-used Plan Do Check Act (PCDA) cycle for implementation. Its elements include:

  • Plan – Identify the challenges & threats, and note the requirements & control objectives
  • Do – Implement and test solutions, processes and technologies to lower risk and operational failure
  • Check – Monitor and review the performance of the ISMS
  • Act – Update and improve your ISMS based on the results of any outputs or failures

checklist for iso 27001 audit

Ensure your ISMS meets the mandatory requirements of clauses 4-10 of ISO 27001 checklist and the select controls from Annex A. At this point, you must also create a communication plan to inform your employees about the policies and procedures and set a plan rolling to track their feedback and reviews.

Step 7: Conduct Employee Awareness & Training Programmes

Employees are the first line of defence in the event of cyber attacks, breaches and hacks. Therefore, employee awareness and certification training play a significant role in the ISO 27001 standards. You must ensure your employees receive relevant and regular infosec education and training and periodic updates on organizational policies and procedures. You must also train your employees on how to respond to some of the common risks your organization faces as per the ISO 27001 checklist.

Step 8: Monitor ISMS, conduct Gap Analysis and Remediate

The best way to evaluate your ISMS is to monitor and review it. Monitor the ISMS, do a gap analysis, remediate, test more and monitor – this endless cycle can help you strengthen your ISMS. Remember, continual improvement is the name of the game.

Post remediation, gather evidence to demonstrate how the ISMS meets the standard’s requirements as per your ISO 27001 checklist. 

Step 9: Undergo Internal Audit

Internal audits are executed internally to evaluate whether their ISMS meets the standard’s requirements. These audits can be conducted by an internal team (aka ISO 27001 internal auditor) as designated by the management or contracted out to external auditors. 

The internal audit is much like reconnaissance of ISO 27001 checklist before the external audit. It looks for gaps, non-conformities, and vulnerabilities in the ISMS. The internal audit will assess ISMS performance and review your documentation before producing an internal audit report. 

Here’s a look at what the internal audit will be like:

Documentation Review

The internal auditor will review all the documentation, ensure the audit scope covers ISMS adequately and evaluate the controls to the ISO Standard for compliance. 

Field Review

The internal auditor will review the ISMS, conduct penatration tests, and collect evidence to demonstrate what’s working and isn’t. They will also talk to different teams and understand how they comply with the ISMS.

Internal Audit Report

Based on their findings and analyses, the auditor will present an internal audit report to the management as per the ISO 27001 controls checklist. The report will contain the scope, objective and extent of the audit. It will also detail which policies, procedures and controls are working and which aren’t with evidence.

The report also details correction actions and recommendations, limitations, and other observations. It includes remediation suggestions and course corrections before your organization can present itself for an external audit. The report is presented to the management. 

Management Review

The management goes through the internal audit report. The auditor and the management can discuss the list of major and minor non-conformities and action plans and review whether the organization is ready for the external audit and ISO certification as per the ISO 27001 compliance checklist. 

Step 10: Undergo Stage 1 Audit

Once the internal audit gives a clean chit, organizations are ready to undergo an external audit. The process of the external audit is the same as that of an internal audit, the difference being that it leads to certification (or recertification, as the case may be).

The accredited ISO 27001 External Auditor reviews the documentation you created for ISO 27001, compares it to the ISO standard and checks for compliance. The auditor will ask to see all the documents created for the ISMS and will review them to ensure you have all the mandatory documents in place. While organizations can define the scope of their ISMS, smaller organizations should keep the entire organization in scope. 

The Stage 1 ISO 27001 audit will end with an Audit Report, which will include an assessment of your ISMS, scope and certification, improvement areas and audit readiness, among other things. 

You should perform Stage 1 and Stage 2 ISO 27001 audits within six months. Stage 1 Audit may otherwise need to be repeated.

Step 11:Undergo a Stage 2 Audit

The main audit entails an evidential audit (on a sample basis) to ascertain if your organization is operating the ISMS per the ISO standards. The external auditor will check if your organization’s documents, policies, procedures and controls are implemented and operating effectively as per the standard and whether it helps meet your organizational objectives. The auditor will also evaluate the effectiveness of the preventive and corrective actions and review the actions from the Stage 1 ISO 27001 audit to ensure the improvement requests have been incorporated.

At the end of the Stage 2 ISO 27001 audit, the auditor will submit a report including observations and a summary of the findings. It will detail minor nonconformities, major nonconformities and opportunities for improvement (OFI). Note that in case of major nonconformities, certification doesn’t require you to go through the entire process all over again. You must rectify the major nonconformities and share evidence of correction action with the auditor. Minor nonconformities, typically, do not affect the recommendation for certification. But several minor non-conformities can add up to your disadvantage.

Step 12: Post Certification, undergo Periodic Surveillance Audits

The ISO 27001 certification holds a validity of three years; it, however, requires the organization to undergo Periodic Surveillance Audits every year.

The Periodic Surveillance Audits are mandatory to maintain your ISO 27001 certification and aren’t as comprehensive as the Stage 2 ISO 27001 audit. The audit is mostly done at the end of the first year and the second year after certification. The auditor goes through a similar process as was followed in Stage 2 ISO 27001 audit and reviews nonconformities and corrective actions, document updations, maintenance and performance of the ISMS, among other things. As per the ISO 27001 controls checklist, the second surveillance audit would probably go over different aspects of your ISMS. 

Again, a report detailing the findings and nonconformities is submitted to the management at the end of the audit.  ​​In case of major nonconformities, you must take corrective action and share evidence within three months. Failure to do this could risk your certification. Minor nonconformities,  if any, also need to be corrected and their evidence shared with the auditor. These, however, don’t have a bearing on your certification status. 

Step 13: Perform Continual Improvement

Just like your organization, the ISMS needs to grow and evolve too. For instance, the addition of vendors and software, identification of new threats, and changes/updates in policies and procedures have a bearing on the ISMS, and must, therefore, be assessed for their risk and treated with a relevant control/measure to mitigate it. So, perform annual risk assessments, and document all the changes in risk assessments and their treatment plans. The scope of the ISMS too can change. So, ensure the ISMS and its objectives continue to remain appropriate and effective. And most importantly, ensure you have the management buy-in for the changes/updates.

Doing this helps to ace your recertification audits at the end of the third year. And much like your Stage 2 ISO 27001 audit, the recertification audit examines nonconformities from earlier audits and OFIs. It reviews the overall effectiveness of your ISMS, the scope of your certification, and its appropriateness (if it’s appropriate three years later too). The audit also includes a review of policies, procedures, and controls and their operational effectiveness, corrective and preventive actions, evaluation of internal audits, and management reviews, to name a few.

Download your ISO 27001 Compliance Checklist

How to become ISO 27001 certified the Sprinto Way

It’s a big checklist, we understand. And, yes, there is quite a lot to accomplish before you get audit ready. 

Sprinto offers a tech-enabled solution that saves you the effort and does the work without human intervention 10x faster. You will be audit ready in days (not months) with Sprinto’s ISO 27001 automated evidence collection, structured implementation, and continuous monitoring! 

From policy creation to mapping of controls to the audit, Sprinto’s got you covered with its hassle-free automation, integration and clear checklist.

Book a demo with us and see how Sprinto can help you go through an uncomplicated, resource-light ISO 27001 audit and certification. 

iso 27001 compliance checklist
Posted in: