What is the ISO 27001 Standard?
The ISO 27001 standard is an internationally recognized set of requirements that focuses on information security and provides a framework for an Information Security Management System (ISMS). Adhering to the ISO 27001 standard helps an organization protect its data in a systematic way and maintain the confidentiality, integrity, and availability of information assets for its stakeholders.
What are the Key Updates in ISO 27001:2022?
The main differences between ISO 27001:2013 and its 2022 version are as follows:
Mandatory clauses – ISO 27001:2022 introduces new requirements for understanding the needs of interested parties, identifying necessary processes and their interactions, and planning changes within the ISMS.
Annex A – The revision of Annex A in ISO 27001:2022 includes 93 controls grouped into organizational, people, physical, and technological controls.
ISO 27002:2022 impact – Changes in ISO 27002:2022 have influenced ISO 27001:2022, mostly through minor updates and terminology changes in clauses 4 to 10, notably in these clauses:
Clause 4.2 Understanding the needs and expectations of interested parties
Clause 4.4 Information Security Management System
Clause 6.2 Information security objectives and plans to achieve them
Clause 6.3 Planning of changes
Clause 8.1 Operational planning and control
Clause 9.3 Management review
Clause 10 Improvement
Transition – Existing ISO/IEC 27001 certificates are not affected by the changes in ISO 27001:2022. However, individuals seeking certification against the new version should consider the updated training courses available.
Preparing for ISO 27001 Certification in 7 Steps
It takes a lot of time and effort to properly implement an effective ISMS and more so to get it ISO 27001-certified. Here are some steps to take for implementing an ISMS that is ready for certification:
Step 1: Review processes and ISO 27001 – Familiarize staff with the international standard for ISMS and establish how your organization currently manages information security and information systems.
Step 2: Get employee buy-in – Help employees understand the importance of ISMS and get their commitment to help improve the system.
Step 3: Conduct risk assessments – Determine the vulnerabilities and threats to your organization’s information security system and assets by conducting regular information security risk assessments and using an ISO 27001 risk assessment template.
Step 4: Implement controls – Information or network security risks discovered during risk assessments can lead to costly incidents if not addressed promptly, so implement the controls needed to treat them.
Step 5: Conduct gap analysis – Use an ISO 27001 audit checklist to assess updated business processes and newly implemented controls, and to identify remaining gaps that require corrective action.
Step 6: Do internal audits and employee training – Regular internal ISO 27001 audits can help proactively catch non-compliance and aid in continuously improving information security management. Information gathered from internal audits can be used for employee training and for reinforcing best practices.
Step 7: Contact your auditor for certification – Prepare your ISMS documentation and contact a reliable third-party auditor to get certified for ISO 27001.
ISO 27001 Requirements Checklist
Before you get anywhere near a certification audit, you need the right documentation in place. ISO 27001 isn't just about implementing security controls — auditors want a clear paper trail showing how your ISMS was built, reviewed, and maintained. Missing even one mandatory document is enough to delay certification.
Mandatory documents and records
ISO 27001:2022 requires a specific set of documents. Some are mandatory — you must have them. Others are recommended but not required by the standard.
The mandatory documents you need before an external audit:
ISMS scope — defines which parts of your business, systems, and locations fall under the ISMS
Information security policy — a high-level document signed off by senior management
Risk assessment process — documents how you identify, analyze, and evaluate risks, along with the documentation of results
Results of the information security risk assessment
Risk treatment plan — records the decisions made to address identified risks
Statement of Applicability (SoA) — maps all 93 Annex A controls to your organization, with justification for each inclusion or exclusion
Information security objectives — measurable targets aligned with your security policy
Evidence of competence — records showing staff have the skills required for their ISMS roles
Results of monitoring and measurement — how you track ISMS performance over time
Internal audit results — documented findings from each audit cycle
Management review records — minutes or reports from senior leadership reviews of the ISMS
Nonconformity and corrective action records — documented incidents and how they were resolved
The ISO/IEC 27001:2022 standard specifies these across Clauses 4 through 10. Depending on which Annex A controls apply to your organization, additional documented evidence may also be required.
ISMS scope and context
Defining your ISMS scope is one of the first — and most consequential — steps in the certification process. Get it wrong and you'll either be audited against systems you weren't ready for, or leave significant gaps outside the boundary.
The scope defines exactly which assets, departments, processes, and locations your ISMS covers. Under Clause 4.3, you need to document it clearly enough for an auditor to verify. Scope documents should reference your organizational context (Clause 4.1), the needs of interested parties (Clause 4.2), and any interfaces with systems outside the scope.
A common mistake: scoping too narrowly to make certification easier, then finding that excluded systems interact directly with in-scope ones. Auditors look for this. Your risk assessment process should inform where the boundary sits — not the other way around.
Statement of Applicability (SoA)
The SoA is the document that ties everything together. It lists all 93 controls from Annex A and, for each one, states whether it applies to your organization and why.
For each control, record:
Whether it's included or excluded
The justification for that decision, linked back to your risk treatment plan
Current implementation status
The 93 controls in the 2022 version fall into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The SoA doesn't require exhaustive explanations, but it does need to be defensible — auditors will cross-reference it against your risk assessment findings.
The SoA is also a living document. Every time your risk profile changes — a new system, a new supplier, a change in scope — review whether any controls need to be added, removed, or updated. Platforms like SafetyCulture make it easier to keep this documentation current alongside your corrective action workflows.
How to use an ISO 27001 Checklist
Determine if the organization understands the context of the information security management system.
Verify if there is adequate leadership and policies in place to demonstrate the organization’s commitment.
Check if the organization has a system in place to identify and understand risks.
Gauge whether employee competency, available resources, awareness, and communication are adequate.
Determine if the organization plans, implements, and controls processes in a manner that meets the ISMS requirements.
Confirm if the organization has a system in place to monitor, measure, analyze, and evaluate the ISMS.
Verify if nonconformities are addressed with corrective actions.
Provide comments and recommendations.
Use a table format for the risk assessment register to improve reporting accuracy.
Sign off with name and signature to complete the audit.
Share with key stakeholders and use the information gathered from the audit.