ISO 27001 Requirements Checklist


This checklist is your comprehensive guide to achieving and maintaining ISO 27001 certification with confidence. The checklist covers all the critical requirements outlined in the ISO 27001 standard, ensuring that every aspect of your information security management system is thoroughly addressed.  

What is included?

Who is this template for?

Frequently asked questions

The checklist is an Excel spreadsheet listing every single requirement in the standard, including those in the Annex A controls. You’ll find requirements covered for:

  • Context (interested parties, issues, scope) (clause 4)
  • Roles and responsibilities in regards to information security (clause 5)
  • Risk management framework (clause 6)
  • Competence, awareness, communication and documented policies and procedures (clause 7)
  • Risk management processes (clause 8)
  • Internal audit and performance evaluation of your ISMS (clause 9)
  • Managing nonconformities and continuous improvement (clause 10)
  •  Annex A Controls:
    • Human resources management
    • Asset management
    • Access control (to systems and premises)
    • Cryptography
    • Environmental security & equipment
    • IT procedures (change management, backups, event logging, vulnerability management, malware protection, etc)
    • Network security
    • Information transfer
    • System acquisition and development
    • Supplier management
    • Incident management
    • Business continuity and disaster recovery
    • Compliance with legal obligations

We have extracted every single instance of the word “shall” being used across the ISO/IEC 27001:202022 and entered it as a row in the checklist, including those in Annex A listing the 93 potential controls.

That means this requirements checklist covers 100% of the requirements in ISO 27001. We have also added some information from ISO 27002 to guide our consultants when assessing if the requirements are met. You’ll find that information invaluable.

You can use it at the beginning of your implementation to perform a gap analysis and assess how much work you have to do. A gap analysis is useful if you already have a number of policies and procedures in place. For example, you might already have some of the core information security policies and procedures such as:

  • Information security policy

  • Acceptable use policy

  • Access control policy

  • Asset management policy

  • Change management procedure

  • Disaster recovery and business continuity plan

  • Incident management procedure

  • Network security policy

  • Supplier management Policy

  • Teleworking policy

You can also use the checklist to manage your ISO 27001 implementation project – it’s a complete list of all the requirements you need to meet so a good starting point as a project management tool.

Finally, it’s a good tool to do a final review just before your Stage 1 audit to make sure you have everything in place.

We use this requirements checklist at the very beginning of a consultancy engagement to find out what documentation and controls are already in place and determine how much work there is to do.

We use it during the implementation as a project plan, to keep track of progress, determine who’s responsible for doing what, determine where each requirement is documented or what evidence there is that it’s met.

Finally, we also use it just before an audit to list where everything is and verify that we’re ready. This spreadsheet is our core consultancy tool!

An ISO 27001 requirement is where the word “shall” is used in the text of the standard. For example, clause 6.1.2 Information security risk assessment states “The organization shall define and apply an information security risk assessment process”. This sentence contains two requirements: 1-do you have a risk assessment process that is defined (read documented) and 2-is this process applied (read “do you have a risk register that’s been updated recently”).

Over the years our ISO consultants have developed a set of tools, templates and techniques to help our clients achieve ISO 27001 as quickly, hassle-free and economically as possible.

We’ve developed a process, containing all the steps to achieving certification. The compliance checklist is one of those tools.

The certification process for ISO 27001 requires two audits to take place, 2-3 months apart. 

  • The first audit (Stage 1) verifies that the documentation you have put in place conforms to the standard to make sure all requirements are covered;  
  • The second audit (Stage 2) verifies that the controls are in place and working, policies and procedures are adhered to and ISMS activities are being tracked and implemented. 

Add-ons you might like

30 Minute consultation with an ISO 27001 consultant


Templates you might like

Do you have a free version of this Requirements Checklist?


Lite version


Pro version


Detailed guidance page which explains how to use the checklist.

Coloured fields which indicate whether a requirement is met, partly met, or not met 

Full list of controls (4-10) in the ISO 270001 Standard 

Full list of standard requirements

Full list of requirements in Annex A

Additional fields which help to manage implementation

Summary scores for each control