Resources —
ISO 27001 Compliance Checklist Essentials
ISO 27001 checklist tracks scope, leadership, risks, policies, controls, audits, and reviews for ongoing compliance.
Share this article
ISO 27001 Compliance Checklist Essentials
A compliance checklist is only useful if it tells you what to actually check. Most "ISO 27001 checklists" online are restatements of the standard's table of contents — nine vague phases with no detail on what evidence an auditor expects, what most teams get wrong, or how the phases map to actual clause numbers. This is meant to be the version that does that.
ISO 27001:2022 has two parts that a checklist needs to track separately: Clauses 4–10, which define how your Information Security Management System (ISMS) is run, and Annex A, which lists 93 controls across four themes (Organizational, People, Physical, Technological). A checklist that doesn't distinguish between these two is going to leave gaps — usually in the management-system half, since that's the part people assume "doesn't apply to us yet."
1. ISMS Scope Definition (Clause 4)
Before any control work starts, you need a documented scope statement — what's in, what's out, and why. Auditors check this first because a vague scope ("we secure our systems") is an automatic nonconformity.
Checklist items:
Define organizational boundaries (which business units, subsidiaries, locations are in scope)
Define system/data boundaries (which products, environments, and data flows are covered)
Document interfaces and dependencies with anything explicitly excluded
Get the scope statement reviewed and signed off by leadership, not just IT/security
If you haven't worked through what counts as your ISMS yet, see Understanding the ISO 27001 ISMS before filling this section in — scoping mistakes here cascade into every later phase.
2. Leadership Commitment and Governance (Clause 5)
This is the clause most checklists gloss over and most auditors probe hardest, because "leadership commitment" has to be demonstrable, not assumed. A signed policy in a drawer doesn't count.
Checklist items:
Information security policy approved and communicated (not just written)
Roles and responsibilities assigned with named owners, not departments
Evidence leadership reviews security performance — meeting minutes, not just a policy PDF
Resourcing decisions tied to security needs (budget, headcount, tooling)
3. Risk Assessment and Risk Treatment (Clause 6 + Annex A control selection)
This is where most first-time certifications stall. The risk assessment isn't a one-time spreadsheet — it has to produce a defensible Statement of Applicability (SoA), and auditors will ask you to justify every excluded control, not just the included ones.
Checklist items:
Defined risk assessment methodology (qualitative or quantitative, consistently applied)
Asset inventory complete enough to assess risk against (you can't risk-assess what you haven't listed)
Risk treatment plan with owners and target dates per identified risk
Statement of Applicability covering all 93 Annex A controls, with justification for each exclusion
Residual risk formally accepted by someone with authority to accept it
For the mechanics of running this step, Conducting an ISO 27001 Risk Assessment walks through the methodology in more depth.
4. Policies and Procedures (Annex A, Organizational Controls)
Policies are necessary but not sufficient — auditors increasingly look for evidence the policy is followed, not just that it exists. A 40-page access control policy nobody has read is a finding waiting to happen.
Checklist items:
Core policies drafted: information security, access control, acceptable use, incident response, business continuity
Policy review cadence defined and actually followed (annual minimum)
Policies distributed and acknowledged by relevant staff — with a record of acknowledgment
Version control so you can show what was in effect on any given date
Building ISO 27001 Policies with Templates covers structuring these so they hold up under audit scrutiny rather than just existing.
5. Control Implementation and Evidence Collection
This is the largest and most failure-prone phase, because "implemented" and "evidenced" are different things. A control that works but generates no logs, tickets, or records is functionally invisible to an auditor.
Checklist items:
Each applicable Annex A control mapped to a specific implementation (tool, process, or both)
Evidence collection mechanism defined per control — screenshots, logs, ticket exports, config snapshots
Evidence retention policy long enough to cover the certification audit window
Control owners who can speak to why the control is implemented the way it is, not just that it exists
6. Internal Audit (Clause 9.2)
A required step, not optional — and one of the most commonly rushed. Internal audits exist to surface nonconformities before the certification body does, which means a "clean" internal audit with zero findings is usually a sign the audit wasn't rigorous, not that the ISMS is perfect.
Checklist items:
Internal audit plan covering all clauses and applicable controls within the certification cycle
Auditor independence — whoever implemented a control shouldn't be the one auditing it
Findings documented with severity, not just noted verbally
Corrective action assigned to each finding with a deadline
Running an ISO 27001 Internal Audit goes deeper on building an audit schedule that doesn't just rubber-stamp existing controls.
7. Management Review (Clause 9.3)
Leadership has to formally review the ISMS's performance — this is distinct from the leadership commitment in Clause 5, and auditors check for both. Skipping this or treating it as a formality is one of the more common nonconformities in stage 2 audits.
Checklist items:
Review covers: audit results, risk landscape changes, nonconformities, corrective action status, improvement opportunities
Documented minutes with decisions and action items, not just attendance
Review cadence matches what your own policy commits to (usually annual or more frequent)
8. Corrective Actions Tracking (Clause 10)
Findings without follow-through are the single most common reason certifications stall at stage 2. Auditors will specifically ask to see the closure of prior findings, not just that they were logged.
Checklist items:
Centralized log of all nonconformities (internal audit, management review, incidents)
Root cause analysis for each, not just a fix
Verification step confirming the corrective action actually resolved the issue
Trend analysis — recurring findings in the same area indicate a systemic gap, not a one-off
9. Certification Audit Readiness
The final pre-audit check isn't a new phase so much as confirming the previous eight didn't leave gaps. Common stage 1 findings include: missing SoA justifications, scope statements that don't match actual system boundaries, and evidence that's aged out of the audit window.
Checklist items:
All required documentation available and current (not "in progress")
Evidence spot-checked against the SoA — does every "implemented" control actually have a corresponding artifact?
Internal audit and management review both completed within the required window before the certification audit
A named point of contact who can speak to each clause, not just one person fielding every question
For cost and timeline expectations going into this stage, see Estimating ISO 27001 Certification Costs and How Long Does ISO 27001 Certification Take?
Why a Static Checklist Eventually Fails
A checklist you complete once and file away doesn't survive contact with ISO 27001's actual requirement: continuous compliance. Annex A controls need ongoing evidence, not a one-time screenshot from 14 months ago. Risk assessments go stale as your infrastructure changes. New hires need new acknowledgments. The checklist format itself implies a finish line that the standard doesn't have.
If you want the structured version of this checklist as a working document rather than a read-through, download the ISO 27001 compliance checklist — or see how Maintaining ISO 27001 Compliance Year-Round replaces the one-time checklist model with continuous monitoring.
In the Spotlight

Start your ISO 27001 compliance journey with DSALTA's complete checklist.
ISO® 27001 is the international gold standard for information security management systems (ISMS). Certification shows your organization can manage sensitive information securely and reliably.
Although ISO 27001 looks challenging, DSALTA®’s automation makes it easier: mapping risks, collecting evidence, and monitoring controls in real time. This checklist gives you a clear step- by-step roadmap.
Read more about ISO 27001 certificate with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




