Download the ISO 27001 Compliance Checklist

The Compliance Checklist is one of the key tools to manage your implementation and achieve certification. 

  • Use this checklist to make sure you’re ready for the certification assessment
  • Check you’re not missing any of the requirements of ISO/IEC 27001:2013
  • Get practical guidance from ISO/IEC 27002 for Annex A controls

Frequently asked questions

The checklist is an Excel spreadsheet listing every single requirement in the standard, including those in the Annex A controls. You’ll find requirements covered for:

  • Context (interested parties, issues, scope) (clause 4)
  • Roles and responsibilities in regards to information security (clause 5)
  • Risk management framework (clause 6)
  • Competence, awareness, communication and documented policies and procedures (clause 7)
  • Risk management processes (clause 8)
  • Internal audit and performance evaluation of your ISMS (clause 9)
  • Managing nonconformities and continuous improvement (clause 10)
  •  Annex A Controls:
    • Human resources management
    • Asset management
    • Access control (to systems and premises
    • Cryptography
    • Environmental security & equipment
    • IT procedures (change management, backups, event logging, vulnerability management, malware protection, etc)
    • Network security
    • Information transfer
    • System acquisition and development
    • Supplier management
    • Incident management
    • Business continuity and disaster recovery
    • Compliance with legal obligations

ISO 27001 is an ISO standard about information security, which you can use to build an Information Security Management System that will help you keep your information confidential, available, complete and accurate. If you’re new to ISO 27001 and management system standards, read our blog What is an Information Security Management System (ISMS) and how does it relate to ISO 27001?

We have extracted every single instance of the word “shall” being used across the ISO/IEC 27001:2013 and entered it as a row in the checklist, including those in Annex A listing the 114 potential controls.

That means this compliance checklist covers 100% of the requirements in ISO 27001. We have also added some information from ISO 27002 to guide our consultants when assessing if the requirements are met. You’ll find that information invaluable.

You can use it at the beginning of your implementation to perform a gap analysis and assess how much work you have to do. A gap analysis is useful if you already have a number of policies and procedures in place. For example, you might already have some of the core information security policies and procedures such as:

  • Information security policy

  • Acceptable use policy

  • Access control policy

  • Asset management policy

  • Change management procedure

  • Disaster recovery and business continuity plan

  • Incident management procedure

  • Network security policy

  • Supplier management Policy

  • Teleworking policy

You can also use the checklist to manage your ISO 27001 implementation project – it’s a complete list of all the requirements you need to meet so a good starting point as a project management tool.

Finally, it’s a good tool to do a final review just before your Stage 1 audit to make sure you have everything in place.

We use this compliance checklist at the very beginning of a consultancy engagement to find out what documentation and controls are already in place and determine how much work there is to do.

We use it during the implementation as a project plan, to keep track of progress, determine who’s responsible for doing what, determine where each requirement is documented or what evidence there is that it’s met.

Finally, we also use it just before an audit to list where everything is and verify that we’re ready. This spreadsheet is our core consultancy tool!

An ISO 27001 requirement is where the word “shall” is used in the text of the standard. For example, clause 6.1.2 Information security risk assessment states “The organization shall define and apply an information security risk assessment process”. This sentence contains two requirements: 1-do you have a risk assessment process that is defined (read documented) and 2-is this process applied (read “do you have a risk register that’s been updated recently”).

Over the years our ISO consultants have developed a set of tools, templates and techniques to help our clients achieve ISO 27001 as quickly, hassle-free and economically as possible.

We’ve developed a process, a toolkit containing step-by-step guides and many templates. The compliance checklist is one of those tools.

The certification process for ISO 27001 requires two audits to take place, 2-3 months apart. 

  • The first audit (Stage 1) verifies that the documentation you have put in place conforms to the standard to make sure all requirements are covered;  
  • The second audit (Stage 2) verifies that the controls are in place and working, policies and procedures are adhered to and ISMS activities are being tracked and implemented.