ISpectra Technologies
Templates & Checklists · Intermediate · Updated Jun 2026 · 9 min read

ISO 27001 Compliance Checklist (Free Template)

A good checklist turns the sprawling ISO 27001 standard into a clear, ordered to-do list. This guide walks through the full compliance checklist, from scoping to certification, so nothing essential slips through the cracks.


ISO 27001 has a lot of moving parts — clauses, controls, documents, audits — and it is easy to lose track of what still needs doing. A compliance checklist imposes order, breaking the standard into a sequence of concrete tasks you can work through and tick off. It is one of the most useful planning tools a first-time team can have.

This guide presents a complete ISO 27001 compliance checklist, phase by phase, so you can track your progress toward ISO 27001 certification and be confident nothing essential has been missed.

How to use a compliance checklist

A checklist is a planning and tracking tool, not a substitute for understanding the standard. Use it to sequence work, assign owners, and monitor progress — but remember that ticking a box should mean the underlying work is genuinely done and evidenced, not just acknowledged.

The best checklists follow the natural order of a project, so each completed item sets up the next. Pair the checklist with a risk-driven mindset, since many items (especially controls) depend on what your risk assessment found.

Treat it as a living document you update as you go, and it becomes the backbone of your project management.

Phase 1: Scope and context

The checklist opens with foundations: secure leadership commitment and an executive sponsor; define and document the ISMS scope; identify internal and external issues; and list interested parties and their requirements.

These items are quick but pivotal, because scope and context shape everything that follows. Completing them produces a clear scope statement and a context analysis — the first documents an auditor will review.

Do not rush past these to reach the ‘real’ work; getting them right prevents expensive rework later.


Phase 2: Risk assessment and treatment

Next come the risk items: define a risk assessment methodology; identify risks to confidentiality, integrity, and availability; analyse and evaluate them against your criteria; and decide a treatment for each. The output is a risk treatment plan.

This phase is the engine of the checklist, because the controls you will implement later all flow from it. A thorough, documented risk assessment makes every subsequent item defensible.

Tick these only when the assessment genuinely traces risks to planned treatments — not when a spreadsheet merely exists.

Phase 3: Policies and documentation

The documentation items cover the mandatory documents: the information security policy and supporting topic policies, the risk methodology, the risk treatment plan, the Statement of Applicability, and your security objectives.

Using tailored templates makes this phase far faster. The checklist here is about ensuring every required document exists, is approved, is version-controlled, and reflects what you actually do.

A complete, current documentation set is what carries the Stage 1 review, so this phase deserves real attention.

Phase 4: Implement Annex A controls

Driven by your risk treatment plan, the control items cover implementing the Annex A controls you selected: access control and MFA, encryption, logging and monitoring, change management, vulnerability management, supplier security, incident response, HR security, and physical controls as applicable.

Each control item should be ticked only when the control genuinely operates and produces evidence — not when a policy about it exists. This is where the bulk of the implementation effort sits.

Assign each control an owner so accountability is clear and nothing is orphaned.

Phase 5: Training and awareness

People-focused items ensure staff are competent and aware: deliver security awareness training, confirm role-specific competence, communicate policies, and record completion. Awareness is both an Annex A control area and a practical necessity, since many controls depend on everyday behaviour.

The checklist captures both the activity and its evidence, since training records are exactly what auditors sample to confirm the competence and awareness requirements are met.

Completing these items also reduces the human risk that undermines technical controls.

Phase 6: Evidence collection

Running in parallel with implementation, the evidence items ensure the ISMS produces proof it operates: access review records, change approvals, logs, scan and remediation tickets, training completions, and supplier reviews.

The key checklist discipline here is continuous collection — capturing evidence as normal work happens rather than reconstructing it before the audit. Automation makes this far easier to sustain.

By the time you reach the audit, this evidence should already exist across the operating period. Getting this right is a significant part of a smooth path to ISO 27001 certification.

Phase 7: Internal audit and management review

Before the external audit, the checklist requires you to conduct an internal audit covering the ISMS, log and address any findings, and hold a management review with leadership. Both are mandatory clause requirements (9.2 and 9.3).

Treat the internal audit as a genuine rehearsal: it surfaces gaps while you can still fix them. The management review produces records that the external auditor expects to see.

These items are easy to under-prioritise and costly to skip, so give them the weight they deserve.

Phase 8: Certification audit

The final items prepare for and complete certification: confirm documents and evidence are ready, undergo the Stage 1 documentation review, close any Stage 1 findings, undergo the Stage 2 operational audit, and address any nonconformities to receive the certificate.

Booking the certification body early is itself a checklist item, since their availability can otherwise become the final bottleneck. With the earlier phases genuinely complete, this stage becomes a confirmation rather than a scramble.

Ticking the last box means a certificate — and the start of the maintenance cycle.

Beyond the checklist: maintenance

A good checklist does not end at certification. Add recurring maintenance items: scheduled access and risk reviews, ongoing evidence collection, annual internal audits and management reviews, and preparation for surveillance audits. The ISMS must keep operating to stay certified.

Turning these into a recurring maintenance checklist or calendar is the simplest way to keep the certificate valid without an annual scramble. Certification is a milestone on the checklist, not its final item.

This is where many teams relax too soon — a maintenance checklist keeps the discipline going.

The bottom line

An ISO 27001 compliance checklist turns the standard into an ordered, trackable project: scope and context, risk assessment, documentation, control implementation, training, evidence, internal audit and review, certification, and then ongoing maintenance.

Used well — with each tick meaning genuinely completed, evidenced work — it ensures nothing essential is missed and keeps the whole team aligned on progress.

Download our free ISO 27001 compliance checklist to work through every step, and pair it with expert support from ISpectra — including free VAPT and a multi-framework discount — to move through it efficiently.

Turning the checklist into a project plan

A checklist becomes far more powerful when you attach owners and dates to each item, converting it into a lightweight project plan. Assign every phase an owner, estimate durations, and identify which items can run in parallel — documentation can progress while controls are being implemented, for example.

Reviewing the plan in a short weekly check-in keeps momentum and surfaces blockers early, which is usually what determines whether a project finishes in five months or drifts to twelve. The checklist supplies the ‘what’; the plan adds the ‘who’ and ‘when’.

Used this way, the checklist is not just a memory aid but the operating system of the whole certification effort.

ISO 27001 Compliance Checklist (Free Template) — Frequently Asked Questions

A structured, ordered list of the tasks required to achieve certification — from scoping and risk assessment through documentation, control implementation, evidence, internal audit, and the certification audit — used to plan and track progress.

Only if each ticked item represents genuinely completed, evidenced work. A checklist is a planning and tracking tool, not a substitute for actually building and operating the ISMS.

Scope and context; risk assessment and treatment; policies and documentation; Annex A control implementation; training and awareness; evidence collection; internal audit and management review; the certification audit; and ongoing maintenance.

Yes. Add recurring maintenance items — access and risk reviews, evidence collection, annual internal audits and management reviews, and surveillance-audit preparation — since the ISMS must keep operating to stay certified.

You can download our free ISO 27001 compliance checklist, which covers every step from scoping to certification and aligns with the current 2022 edition.
