The ISO 27001 Compliance Checklist

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

Our ISO 27001 compliance checklist will help your organization successfully implement an Information Security Management System (ISMS) according to the standard, and prepare your org for an independent audit of your ISMS to obtain ISO 27001 certification. Let’s get started!

ISO 27001 Certification Checklist

1. Develop a roadmap for implementation ISO 27001 certification

  • Implement Plan, Do, Check, Act (PDCA) process to recognize challenges and identify gaps for remediation
  • Consider ISO 27001 certification costs relative to org size and number of employees
  • Clearly define scope of work to plan certification time to completion
  • Select an ISO 27001 auditor

2.Set the scope of your organization’s ISMS

  • Decide which business areas are covered by the ISMS and which are out of scope
  • Consider additional security controls for business processes that are required to pass ISMS-protected information across the trust boundary
  • Inform stakeholders regarding scope of the ISMS

3. Establish an ISMS governing body

  • Build a governance team with management oversight
  • Incorporate key members of top management, e.g. senior leadership and executive management with responsibility for strategy and resource allocation

4. Conduct an inventory of information assets

  • Consider all assets where information is stored, processed, and accessible
    • Record information assets: data and people
    • Record physical assets: laptops, servers, and physical building locations
    • Record intangible assets: intellectual property, brand, and reputation
  • Assign to each asset a classification and owner responsible for ensuring the asset is appropriately inventoried, classified, protected, and handled

5. Execute a risk assessment

  • Establish and document a risk-management framework to ensure consistency
  • Identify scenarios in which information, systems, or services could be compromised
  • Determine likelihood or frequency with which these scenarios could occur
  • Evaluate potential impact of each scenario on confidentiality, integrity, or availability of information, systems, and services
  • Rank risk scenarios based on overall risk to the organization’s objectives

6. Develop a risk register

  • Record and manage your organization’s risks
  • Summarize each identified risk
  • Indicate the impact and likelihood of each risk

7. Document a risk treatment plan

  • Design a response for each risk (Risk Treatment)
  • Assign an accountable owner to each identified risk
  • Assign risk mitigation activity owners
  • Establish target dates for completion of risk treatment activities

8. Complete the Statement of Applicability worksheet

  • Review 114 controls of Annex A of ISO 27001 standard
  • Select controls to address identified risks
  • Complete the Statement of Applicability listing all Annex A controls, justifying inclusion or exclusion of each control in the ISMS implementation

9. Create an Information Security Policy, the highest-level internal document in your ISMS

  • Build a framework for establishing, implementing, maintaining, and continually improving the ISMS
  • Include information or references to supporting documentation regarding:
    • Information Security Objectives
    • Leadership and Commitment
    • Roles, Responsibilities, and Authorities
    • Approach to Assessing and Treating Risk
    • Control of Documented Information
    • Communication
    • Internal Audit
    • Management Review
    • Corrective Action and Continual Improvement
    • Policy Violations

10. Assemble required documents and records

  • Review ISO 27001 Required Documents and Records list
  • Customize policy templates with organization-specific policies, process, and language

11. Establish employee training and awareness programs

  • Conduct regular trainings to ensure awareness of new policies and procedures
  • Define expectations for personnel regarding their role in ISMS maintenance
  • Train personnel on common threats facing your organization and how to respond
  • Establish disciplinary or sanctions policies or processes for personnel found out of compliance with information security requirements

12. Perform an internal audit

  • Allocate internal resources with necessary competencies who are independent of ISMS development and maintenance, or engage an independent third party 
  • Verify conformance with requirements from Annex A deemed applicable in your ISMS’s Statement of Applicability
  • Share internal audit results, including nonconformities, with the ISMS governing body and senior management
  • Address identified issues before proceeding with the external audit

13. Undergo external audit of ISMS to obtain ISO 27001 certification

  • Engage an independent ISO 27001 auditor
  • Conduct Stage 1 Audit consisting of an extensive documentation review; obtain feedback regarding readiness to move to Stage 2 Audit
  • Conduct Stage 2 Audit consisting of tests performed on the ISMS to ensure proper design, implementation, and ongoing functionality; evaluate fairness, suitability, and effective implementation and operation of controls

14. Address any nonconformities

  • Ensure that all requirements of the ISO 27001 standard are being addressed
  • Ensure org is following processes that it has specified and documented
  • Ensure org is upholding contractual requirements with third parties
  • Address specific nonconformities identified by the ISO 27001 auditor
  • Receive auditor’s formal validation following resolution of nonconformities

15. Conduct regular management reviews

  • Plan reviews at least once per year; consider a quarterly review cycle 
  • Ensure the ISMS and its objectives continue to remain appropriate and effective
  • Ensure that senior management remains informed
  • Ensure adjustments to address risks or deficiencies can be promptly implemented

16. Calendar ISO 27001 audit schedule and surveillance audit schedules

  • Perform a full ISO 27001 audit once every three years
  • Prepare to perform surveillance audits in the second and third years of the Certification Cycle

17. Consider streamlining ISO 27001 certification with automation

%d bloggers like this: