GRC Provider - Compliance Software Providers

ISO 27001:2022 Certification Readiness Checklist

This comprehensive checklist is a practical way to test your readiness for ISO 27001:2022 certification. The checklist covers the management system requirements (Clauses 4–10) and the updated Annex A controls. Use this self-assessment checklist to evaluate your information security management system.

Management System

Clauses 4-10 cover the ISMS framework, leadership, planning, support, operations, and continuous improvement

Annex A Controls

93 controls across 4 categories: Organisational, People, Physical, and Technological

Learn More About ISO27001

ISO27001 Benefits

ISO27001 Controls

ISO27001 Accreditation

What Is an ISMS?

Certification Process

ISO27001 History

Clause 4 — Context of the Organisation

Identified external and internal factors affecting information security (SWOT, compliance register)

Documented stakeholder requirements (customers, regulators, suppliers, staff)

Defined ISMS scope with clear boundaries and system diagrams

Established and actively maintained ISMS documentation

Clause 5 — Leadership

Senior management visibly supporting and funding the ISMS

High-level Information Security Policy communicated to all staff

Security roles and responsibilities clearly defined and assigned

Clause 6 — Planning

Repeatable risk assessment and treatment methodology in place

Measurable information security objectives aligned with business needs

Security impacts considered during organizational changes

Clause 7 — Support

Adequate resources (people, tools, budget) allocated for ISMS

Staff have appropriate skills, training, and qualifications

Employee awareness of security policies and consequences

Clear communication channels for ISMS matters

Policies, procedures, and records properly controlled

Clause 8 — Operation

ISMS processes defined, implemented, and managed effectively

Risk assessments carried out regularly and when changes occur

Controls implemented and monitored to address identified risks

Clause 9 — Performance Evaluation

Tracking ISMS performance with security KPIs and metrics

Regular internal audits conducted with documented findings

Senior leadership reviews ISMS results and improvement decisions

Clause 10 — Improvement

Incidents recorded, root causes investigated, corrective actions taken

Ongoing ISMS improvement opportunities tracked and implemented

Annex A — Information Security Controls

The 2022 revision includes 93 controls across four categories

A.5 Organisational Controls (37)

Policies, governance, supplier management, incident response, business continuity

Documented security policies (acceptable use, classification, transfer)

Threat intelligence and incident learning processes

Supplier and cloud service security management

Business continuity and ICT readiness plans

Legal and regulatory compliance (IP, records, PII)

A.6 People Controls (8)

HR and people security

Pre-employment screening procedures

Security training and awareness programs

Confidentiality agreements in place

Defined responsibilities during and after employment

Remote working and teleworking guidelines

A.7 Physical Controls (14)

Secure facilities and physical protections

Security perimeters and entry controls

Protection against fire, flood, and physical risks

Equipment security and secure disposal procedures

Clear desk and clear screen practices

Security monitoring in facilities

A.8 Technological Controls (34)

Access management, technical protections, secure development

Identity and access management (MFA, privileged accounts)

Backup, logging, and monitoring systems

Malware protection and vulnerability management

Cryptographic controls and key management

Secure development, coding, testing, and outsourced development

Completed the Checklist? Ready to Get Certified?

After completing this ISO 27001 checklist, contact us for a quote and timeline for your ISO 27001:2022 certification journey. Download the PDF checklist to share with your team.

ISO27001 Checklist