ISO 27001 Requirements Checklist: Everything You Need for Certification
Use this ISO 27001 requirements checklist to prepare for certification. Covers mandatory clauses, Annex A controls, implementation roadmap, and documentation.
Every organization we have guided through ISO 27001 certification has asked the same question first: what exactly do we need to have in place? This checklist is our answer — the same one we give clients on day one.
An ISO 27001 requirements checklist is the most practical tool for preparing your organization for certification. The ISO/IEC 27001 standard defines what your Information Security Management System (ISMS) must accomplish, but translating those requirements into actionable tasks requires mapping every mandatory clause and Annex A control to your specific environment. Whether you are starting from scratch or building on an existing security program, this checklist will help you understand every requirement, prioritize your implementation efforts, and avoid the gaps that cause organizations to fail their certification audit.
This guide covers the ISO 27001 standard overview including the 2022 revision, all mandatory requirements in Clauses 4 through 10, the complete Annex A controls checklist organized by theme, a phased implementation roadmap, documentation requirements, and guidance on selecting a certification body.
ISO 27001 Standard Overview
ISO/IEC 27001 is the international standard for information security management systems. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive information through risk assessment, control implementation, and continuous improvement.
The 2022 revision (ISO/IEC 27001:2022) updated the standard in two significant ways: minor clarifications to the mandatory clauses (4-10) and a complete restructuring of Annex A controls from 114 controls across 14 domains to 93 controls across 4 themes. Organizations certified under the 2013 version had a transition deadline, and all new certifications now follow the 2022 version.
An ISO 27001 certificate demonstrates to customers, partners, and regulators that your organization has implemented a systematic approach to information security that is independently verified by an accredited certification body. The certification is valid for three years with annual surveillance audits.
Mandatory Requirements (Clauses 4-10)
These clauses define what your ISMS must include. Every clause is mandatory — there is no option to exclude any of them.
Clause 4: Context of the Organization
- Identify external and internal issues relevant to your ISMS purpose
- Identify interested parties (customers, regulators, employees) and their requirements
- Define the scope of your ISMS (which parts of the organization, systems, and information are covered)
- Document the ISMS scope statement
- Establish, implement, maintain, and continually improve the ISMS
Clause 5: Leadership
- Top management demonstrates leadership and commitment to the ISMS
- Establish an information security policy that is appropriate to the organization's purpose
- Ensure the policy is documented, communicated, and available to interested parties
- Assign and communicate ISMS roles, responsibilities, and authorities
- Appoint an ISMS manager or team responsible for day-to-day operations
Clause 6: Planning
- Conduct a formal risk assessment identifying threats, vulnerabilities, and impacts to information assets
- Define and document a risk assessment methodology (likelihood × impact scoring, risk appetite, risk acceptance criteria)
- Produce a risk treatment plan for risks exceeding acceptance criteria
- Select controls from Annex A (or other sources) to treat identified risks
- Produce a Statement of Applicability (SoA) documenting which Annex A controls are applicable and why, and which are excluded with justification
- Define information security objectives that are measurable and consistent with the security policy
- Plan how to achieve security objectives (resources, responsibilities, timelines, evaluation methods)
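The Clause 6 chain above (score each risk, compare it with the acceptance criterion, treat what exceeds it, and show in the SoA that every Annex A control is either applied or excluded with a justification) as an added worked example; this is illustration code, not anything from the standard or from Agency, and the threshold, the sample register and the Annex A subset are constructed assumptions.

```python
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 8  # assumed acceptance criterion: score <= 8 is accepted as-is


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                               # 1 (rare) .. 5 (almost certain)
    impact: int                                   # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A ids chosen to treat this risk

    def score(self) -> int:
        """Likelihood x impact, the scoring the documented methodology defines."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact


def treatment_plan(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Decide 'accept' or 'treat' per risk; a treated risk must name at least one control."""
    plan = []
    for r in risks:
        decision = "treat" if r.score() > threshold else "accept"
        if decision == "treat" and not r.controls:
            raise ValueError(f"{r.asset}/{r.threat}: exceeds criterion but has no control")
        plan.append((r, decision))
    return plan


def statement_of_applicability(plan, annex_a, exclusions):
    """Map every control in annex_a to the risks that justify it, or to a documented exclusion."""
    soa = {}
    for r, decision in plan:
        if decision == "treat":
            for c in r.controls:
                soa.setdefault(c, []).append(f"treats '{r.threat}' on {r.asset}")
    for c in annex_a:  # a control with neither a risk nor a justification is an SoA gap
        if c not in soa:
            if c not in exclusions:
                raise ValueError(f"{c}: neither applied nor excluded with justification")
            soa[c] = [f"excluded: {exclusions[c]}"]
    return soa


# Constructed sample register and a constructed Annex A subset (ids as listed on this page).
SAMPLE_RISKS = [
    Risk("HR database", "unscreened contractor with admin access", 3, 4, ["A.6.1", "A.5.15"]),
    Risk("Public website", "known vulnerability exploited before patching", 3, 3, ["A.5.7"]),
    Risk("Public website", "defacement of marketing pages", 2, 2),
]
ANNEX_A_SUBSET = ["A.5.7", "A.5.15", "A.6.1", "A.6.7"]
EXCLUSIONS = {"A.6.7": "no remote working is permitted; all work is performed on-site"}
```

Running `statement_of_applicability(treatment_plan(SAMPLE_RISKS), ANNEX_A_SUBSET, EXCLUSIONS)` yields one SoA row per control; adding a control without a treated risk or an exclusion raises, which is exactly the gap an auditor would flag.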
Clause 7: Support
- Determine and provide resources needed for the ISMS
- Ensure personnel performing ISMS work are competent (education, training, experience)
- Maintain records of competence evidence
- Ensure all relevant personnel are aware of the security policy, their contribution to the ISMS, and consequences of non-conformity
- Determine internal and external communications related to the ISMS
- Control documented information (creation, updating, version control, distribution, access, storage, retention, disposal)
Clause 8: Operation
- Plan, implement, and control the processes needed to meet ISMS requirements
- Implement the risk treatment plan
- Implement the controls selected in the SoA
- Conduct risk assessments at planned intervals or when significant changes occur
- Retain documented results of risk assessments and risk treatment
Clause 9: Performance Evaluation
- Monitor, measure, analyze, and evaluate the ISMS and its controls
- Define what needs to be monitored, methods, timing, and who performs analysis
- Conduct internal audits at planned intervals to verify the ISMS conforms to requirements
- Maintain an internal audit program (audit criteria, scope, frequency, methods, auditor selection)
- Conduct management reviews at planned intervals covering audit results, interested party feedback, risk assessment changes, and improvement opportunities
- Retain documented evidence of monitoring results, internal audit results, and management review outcomes
Clause 10: Improvement
- React to nonconformities by taking corrective action
- Evaluate the need for action to eliminate root causes
- Implement corrective actions and review their effectiveness
- Continually improve the suitability, adequacy, and effectiveness of the ISMS
Annex A Controls Checklist
The 2022 version organizes 93 controls into four themes. Your Statement of Applicability must address each control, either implementing it or justifying its exclusion based on your risk assessment.
Organizational Controls (37 Controls)
| Control | Title | Key Requirements |
|---|---|---|
| A.5.1 | Policies for information security | Define, approve, publish, and communicate security policies |
| A.5.2 | Information security roles and responsibilities | Assign and communicate roles across the organization |
| A.5.3 | Segregation of duties | Separate conflicting duties to reduce fraud and error risk |
| A.5.4 | Management responsibilities | Ensure management directs personnel to apply security policies |
| A.5.5 | Contact with authorities | Maintain procedures for contacting relevant authorities |
| A.5.6 | Contact with special interest groups | Maintain contact with security forums and professional associations |
| A.5.7 | Threat intelligence | Collect and analyze information about security threats |
| A.5.8 | Information security in project management | Integrate security into project management processes |
| A.5.9-5.14 | Information inventory through transfer | Asset inventory, acceptable use, return, classification, labeling, transfer |
| A.5.15-5.18 | Access control | Access policy, identity management, authentication, access rights |
| A.5.19-5.23 | Supplier relationships | Supplier security policies, agreements, supply chain management, monitoring, change management |
| A.5.24-5.28 | Incident management | Planning, assessment, response, learning, evidence collection |
| A.5.29-5.30 | Business continuity | ICT readiness for business continuity, planning and testing |
| A.5.31-5.37 | Compliance and reviews | Legal requirements, IP rights, records protection, privacy, independent review, compliance with policies, documented procedures |
People Controls (8 Controls)
| Control | Title | Key Requirements |
|---|---|---|
| A.6.1 | Screening | Background verification checks before employment |
| A.6.2 | Terms and conditions of employment | Include security responsibilities in employment agreements |
| A.6.3 | Information security awareness and training | Ongoing awareness program and role-specific training |
| A.6.4 | Disciplinary process | Formal process for security policy violations |
| A.6.5 | Responsibilities after termination | Define and enforce post-employment security obligations |
| A.6.6 | Confidentiality agreements | NDAs for employees and external parties |
| A.6.7 | Remote working | Security measures for remote working arrangements |
| A.6.8 | Information security event reporting | Mechanisms for personnel to report security events |
Physical Controls (14 Controls)
Cover physical security perimeters, entry controls, securing offices and facilities, physical security monitoring, protecting against environmental threats, working in secure areas, clear desk and screen, equipment siting and protection, security of assets off-premises, storage media, supporting utilities, cabling security, and equipment maintenance and disposal.
Technological Controls (34 Controls)
Cover user endpoint devices, privileged access rights, information access restriction, source code access, secure authentication, capacity management, malware protection, technical vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, network security, security of network services, segregation of networks, and more.
For a deep dive on a specific Annex A control, see our guide on ISO 27001 Annex A Control 5.23. For risk register guidance, see ISO 27001 risk register explained.
Implementation Roadmap
Follow this phased ISO 27001 implementation roadmap to move from initial planning to certification:
Phase 1: Scoping and Planning (2-4 Weeks)
Define your ISMS scope, identify stakeholders, secure management commitment, and select your implementation team. Determine whether you will engage a consultant and select your GRC tooling.
Phase 2: Gap Analysis (2-4 Weeks)
Assess your current state against all mandatory clauses and Annex A controls. Produce a gap report with prioritized remediation recommendations.
Phase 3: Risk Assessment (2-4 Weeks)
Conduct your formal risk assessment using a documented methodology. Identify information assets, threats, vulnerabilities, and calculate risk levels. Produce the risk treatment plan and draft your Statement of Applicability.
Phase 4: Control Implementation (2-6 Months)
Implement policies, procedures, and technical controls to address gaps and treat identified risks. This is typically the longest phase and involves cross-functional collaboration across IT, HR, legal, and operations.
Phase 5: Internal Audit and Management Review (2-4 Weeks)
Conduct an internal audit to verify your ISMS meets all ISO 27001 requirements. Present findings to management for review. Address any nonconformities before scheduling your certification audit.
Phase 6: Certification Audit (1-2 Months)
The certification audit occurs in two stages:
- Stage 1 — Documentation review to verify your ISMS documentation is complete and your organization is ready for the Stage 2 audit
- Stage 2 — On-site assessment to verify that your ISMS is implemented and operating effectively
Documentation Requirements
ISO 27001 requires specific documented information. Missing any of these can block certification:
Mandatory Documents:
- ISMS scope (Clause 4.3)
- Information security policy (Clause 5.2)
- Risk assessment methodology (Clause 6.1.2)
- Risk assessment results (Clause 8.2)
- Risk treatment plan (Clause 6.1.3)
- Statement of Applicability (Clause 6.1.3d)
- Information security objectives (Clause 6.2)
Mandatory Records:
- Evidence of competence (Clause 7.2)
- Monitoring and measurement results (Clause 9.1)
- Internal audit program and results (Clause 9.2)
- Management review results (Clause 9.3)
- Nonconformities and corrective actions (Clause 10.1)
For organizations also pursuing SOC 2, see our SOC 2 compliance checklist and SOC 2 vs. ISO 27001 guide to understand how documentation overlaps.
Choosing a Certification Body
Your certification body (CB) must be accredited by a recognized accreditation body (such as UKAS in the UK, ANAB in the US, or JAS-ANZ in Australia/New Zealand). Accreditation ensures the CB meets international standards for conducting ISO 27001 audits.
When evaluating CBs, consider their experience with organizations of your size and industry, auditor availability and scheduling flexibility, pricing (get at least three quotes), geographic presence if you have multiple locations, and reputation in your industry.
Cost for the certification audit typically ranges from $8,000-$30,000 for the initial certification, with surveillance audits costing 30-50% of that amount annually.
Get Your Complete ISO 27001 Checklist
This article covers the essential requirements, but a complete implementation checklist with detailed control descriptions, evidence requirements, and implementation tips runs to several pages. Download our comprehensive ISO 27001 checklist to track your progress control by control.
Ready to start your ISO 27001 certification journey? Contact Agency for a gap assessment and implementation roadmap tailored to your organization. For cost planning, see our detailed ISO 27001 certification cost breakdown.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.