ISO 27001 Checklist: Compliance Audit & ISMS Requirements Guide
This ISO 27001 checklist covers everything you need for a compliance audit: Annex A controls, ISMS requirements, risk assessment, documentation, and common non-conformities. Whether you are pursuing initial ISO 27001 certification, preparing for a Stage 1 or Stage 2 audit, or getting ready for a surveillance audit, this checklist keeps your team focused on what auditors actually look for.
Use this as your ISO 27001 compliance checklist for tracking progress across all requirement areas, or as an IT audit checklist when conducting internal reviews of your Information Security Management System (ISMS).
What is ISO 27001 & Why It Matters
ISO/IEC 27001 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Certification demonstrates to clients, partners, and regulators that your organisation manages information security risks in a structured, repeatable way. It is increasingly required in supply-chain due diligence, public-sector procurement, and regulated industries such as finance and healthcare.
The standard follows a risk-based approach rather than prescribing specific technologies. This means your controls should be proportional to the risks your organisation actually faces, making the framework adaptable to companies of any size.
The 2022 revision updated the Annex A controls from 114 across 14 domains to 93 across 4 themes: Organisational, People, Physical, and Technological. If your ISMS was built against the 2013 version, you will need to map your existing controls to the new structure during your next surveillance or recertification audit. Organisations also pursuing SOC 2 can often reuse significant portions of their ISO 27001 evidence base; see our SOC 2 compliance guide for details on overlap.
Overview of the Certification Process
Certification is carried out by an accredited certification body and follows a two-stage audit process. Understanding each stage helps you plan timelines and resource allocation.
Stage 1 Audit (Documentation Review)
The auditor reviews your ISMS documentation, scope statement, risk assessment methodology, and Statement of Applicability (SoA). They confirm your organisation is ready for a full audit and identify any gaps that must be resolved before Stage 2. Stage 1 findings are usually framed as "areas of concern" rather than non-conformities, but unresolved ones can delay Stage 2.
Stage 2 Audit (Implementation Review)
The auditor tests whether your controls are operating effectively in practice. This includes interviewing staff, reviewing evidence of control operation, examining incident records, and verifying that risk treatment plans are being followed. Non-conformities raised here must be resolved within an agreed timeframe; a major non-conformity blocks certification until the corrective action has been verified.
Surveillance and Recertification Audits
After certification, your certification body conducts annual surveillance audits covering a subset of controls. A full recertification audit is required every three years. Evidence of continual improvement is essential at every visit.
Key Annex A Control Categories
Annex A of ISO 27001:2022 contains 93 controls organised into four themes. Your Statement of Applicability must address every control, either implementing it or justifying its exclusion.
Organisational Controls (37)
Policies, roles & responsibilities, threat intelligence, asset management, access control policies, supplier relationships, information security in project management, and cloud service usage. These controls form the governance backbone of your ISMS.
People Controls (8)
Screening, terms & conditions of employment, awareness training, disciplinary processes, responsibilities after termination, confidentiality agreements, and remote working arrangements. Auditors frequently test awareness by interviewing employees.
Physical Controls (14)
Physical security perimeters, entry controls, securing offices & rooms, monitoring, protection against environmental threats, equipment maintenance, clear desk & clear screen policies, and secure disposal of storage media.
Technological Controls (34)
Endpoint devices, privileged access, information access restriction, secure authentication, capacity management, malware protection, vulnerability management, logging, network security, web filtering, cryptography, secure development lifecycle, and data masking.
Risk Assessment Requirements
Clause 6.1.2 requires a defined and documented risk assessment process, and Clause 6.1.3 a matching risk treatment process. Together they are the foundation of your ISMS and the area where auditors spend the most time.
- Define a risk assessment methodology that produces consistent, comparable results
- Identify information security risks associated with the loss of confidentiality, integrity, and availability
- Assign risk owners who are accountable for treating each identified risk
- Evaluate the likelihood and impact of each risk using your chosen criteria
- Determine your risk acceptance criteria and obtain management sign-off
- Select appropriate controls from Annex A (or other sources) to treat unacceptable risks
- Document all decisions in a risk treatment plan and link them to the Statement of Applicability
Documentation Requirements
ISO 27001 requires a set of mandatory documented information. Missing or outdated documents are among the most common audit findings.
ISMS Scope (Clause 4.3)
Clearly defines the boundaries of your ISMS, including locations, business units, technologies, and any exclusions. The scope must consider internal and external issues (Clause 4.1) and interested party requirements (Clause 4.2).
Information Security Policy (Clause 5.2)
A top-level policy approved by management that sets the direction for information security. It must include a commitment to continual improvement and to satisfying applicable requirements.
Risk Assessment and Risk Treatment (Clauses 6.1.2 and 6.1.3)
The risk assessment methodology, risk register, risk treatment plan, and evidence of management approval. These must be reviewed at planned intervals and whenever significant changes occur.
Statement of Applicability (Clause 6.1.3 d)
Lists every Annex A control with a justification for inclusion or exclusion and the implementation status. The SoA is often called the "single most important document" in the ISMS.
Internal Audit Programme (Clause 9.2)
A schedule of internal audits covering the full ISMS over a planned cycle. Internal audit results, corrective actions, and evidence of auditor independence must be documented.
Management Review (Clause 9.3)
Minutes or reports from management review meetings that demonstrate top management engagement. These must cover audit results, risk status, improvement opportunities, and resource adequacy.
Common Non-Conformities & How to Avoid Them
Understanding where organisations frequently stumble helps you focus your preparation. The following issues appear consistently in external audit reports.
- Stale risk register. The risk assessment has not been updated after major changes such as cloud migrations, new services, or security incidents. Schedule quarterly reviews and trigger reviews after significant events.
- Incomplete Statement of Applicability. Controls are marked as "not applicable" without proper justification, or the SoA does not align with the risk treatment plan. Cross-reference every exclusion against your risk assessment.
- Lack of awareness evidence. Employees cannot demonstrate basic security awareness when interviewed. Run regular training sessions and keep completion records with dates and attendee lists.
- Missing corrective action follow-up. Previous non-conformities or internal audit findings have not been resolved or verified. Maintain a corrective action log with deadlines and closure evidence.
- Insufficient access reviews. User access rights are not reviewed periodically (Annex A 5.18), or leavers still have active accounts. Implement quarterly access recertification with documented approvals, and reconcile the account export against the HR leavers list as part of each review.
- Weak management review. Management review meetings are superficial or do not cover mandatory input topics such as audit results, incident trends, and resource requirements. Use a standing agenda that maps to Clause 9.3 inputs.
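Two of the non-conformities above (an SoA that does not match the risk treatment plan, and access reviews that miss leavers or stale privileged accounts) can be caught mechanically before the auditor does. The script below is an added example, not tooling from the page or from any product it mentions; the Statement of Applicability, risk treatment plan, IAM account export and HR leavers list are all constructed inline so it runs offline, and the thresholds (90-day recertification, 90-day dormancy) are assumptions matching the quarterly cadence recommended above.

```python
"""Audit-prep checks: SoA/RTP consistency and access recertification gaps.

Added example. All inputs below are constructed; substitute exports from
your GRC tool, IdP and HR system.
"""
from datetime import date, timedelta

ANNEX_A_TOTAL = 93  # ISO 27001:2022 control count

# Constructed SoA: control id -> (applicable?, justification)
SOA = {
    "A.5.1": (True, "Policies approved by management and published"),
    "A.5.7": (True, "Threat intelligence feed consumed by SOC"),
    "A.5.18": (True, "Quarterly access recertification"),
    "A.7.14": (False, ""),  # excluded with no justification: finding
    "A.8.11": (False, "No production data used outside production"),
    "A.8.28": (True, "Secure development lifecycle"),
}

# Constructed risk treatment plan: risk id -> controls chosen to treat it
RTP = {
    "R-01": ["A.5.18", "A.8.5"],  # A.8.5 is not in the SoA at all
    "R-02": ["A.8.11"],           # SoA marks this control not applicable
    "R-03": ["A.5.7"],
}

# Constructed IAM export and HR leavers list
ACCOUNTS = [
    {"user": "alice", "privileged": False, "last_login": "2024-05-20", "reviewed": "2024-04-01"},
    {"user": "bob",   "privileged": True,  "last_login": "2024-01-03", "reviewed": "2023-11-15"},
    {"user": "carol", "privileged": False, "last_login": "2024-05-28", "reviewed": "2024-04-01"},
    {"user": "dave",  "privileged": True,  "last_login": "2024-05-27", "reviewed": "2024-05-01"},
]
LEAVERS = {"carol"}


def soa_findings(soa, rtp, expected_total=ANNEX_A_TOTAL):
    """Exclusions without justification, and RTP controls the SoA
    omits or excludes. Every finding is a likely audit non-conformity."""
    findings = []
    if len(soa) != expected_total:
        findings.append(f"SoA addresses {len(soa)} of {expected_total} Annex A controls")
    for ctrl, (applicable, why) in soa.items():
        if not applicable and not why.strip():
            findings.append(f"{ctrl}: excluded without justification")
    for risk, controls in rtp.items():
        for ctrl in controls:
            if ctrl not in soa:
                findings.append(f"{risk}: treated by {ctrl}, which is absent from the SoA")
            elif not soa[ctrl][0]:
                findings.append(f"{risk}: treated by {ctrl}, which the SoA marks not applicable")
    return findings


def access_findings(accounts, leavers, today,
                    review_interval=timedelta(days=90),
                    dormant_after=timedelta(days=90)):
    """Leavers with live accounts, accounts past their recertification
    date, and privileged accounts that have gone dormant."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in leavers:
            findings.append(f"{user}: leaver with active account")
        since_review = today - date.fromisoformat(acct["reviewed"])
        if since_review > review_interval:
            findings.append(f"{user}: access not recertified in {since_review.days} days")
        since_login = today - date.fromisoformat(acct["last_login"])
        if acct["privileged"] and since_login > dormant_after:
            findings.append(f"{user}: dormant privileged account (last login {since_login.days} days ago)")
    return findings


if __name__ == "__main__":
    for line in soa_findings(SOA, RTP) + access_findings(ACCOUNTS, LEAVERS, date(2024, 6, 1)):
        print("FINDING:", line)
```

Run it on the constructed data and it reports the unjustified exclusion of A.7.14, the two controls the treatment plan relies on that the SoA does not support, carol's still-active leaver account, and bob's privileged account that has neither been recertified nor used this quarter. Keep the output of each run with the review approvals; it doubles as the evidence an auditor will ask for under Clause 6.1.3 and Annex A 5.18.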
Preparing for Surveillance Audits
Surveillance audits happen annually and cover a rotating selection of controls. They also verify that previous findings have been resolved. Treat them as an opportunity to demonstrate continual improvement rather than a box-ticking exercise.
- Review and close all corrective actions from the previous audit cycle
- Update the risk register to reflect any changes since the last review
- Ensure the SoA version matches the current control implementation status
- Conduct an internal audit covering the controls likely to be sampled
- Hold a management review meeting within three months of the surveillance date
- Prepare evidence packs for each control area: policies, logs, screenshots, and sign-off records
- Brief staff who may be interviewed on key policies, incident reporting procedures, and their role in the ISMS
Quick-Reference Audit Checklist
Use this condensed checklist to verify readiness before any external audit. Each item maps to a clause or control that auditors routinely examine.
- ISMS scope documented and approved
- Information security policy signed by top management
- Roles and responsibilities clearly defined and communicated
- Management review minutes available for the current cycle
- Risk assessment methodology documented and consistently applied
- Risk register current, with identified owners and treatment decisions
- Risk treatment plan aligned with Statement of Applicability
- Residual risk formally accepted by management
- Access control policies enforced and reviewed quarterly
- Vulnerability management process with evidence of patching
- Incident management procedure tested with recent incident records
- Backup and recovery procedures documented and tested
- Change management process covering ISMS scope changes
- Internal audit programme scheduled and executed
- Corrective actions tracked to closure with evidence
- Security metrics reported to management
- Continual improvement objectives defined and measured
Tools for Tracking Compliance
Managing an ISMS across spreadsheets quickly becomes unsustainable as control counts grow. Dedicated compliance platforms help you centralise evidence, automate review reminders, and maintain audit-ready documentation year-round.
SecPortal supports compliance-focused engagement types that let security teams map findings directly to ISO 27001 controls. You can track control implementation status, attach evidence, and generate reports that align with auditor expectations, reducing preparation time from weeks to days. If your organisation is also considering SOC 2 attestation, see our SOC 2 compliance guide for startups.
Track your ISO 27001 checklist in one platform
SecPortal maps findings to Annex A controls, tracks remediation with owner assignment and SLAs, runs built-in vulnerability scans for evidence, and generates audit-ready compliance reports with AI. Replace your spreadsheet-based checklist with a structured compliance workflow.
Free tier available. No credit card required.