Home / Checklists /

ISO 27001 Readiness Checklist

This checklist assesses the maturity level of your organization Information Security Management System (ISMS) against ISO/IEC 27001:2022 requirements. Each item references the corresponding normative clause.

0 of 25 completed

Context and leadership

Internal and external issues relevant to the ISMS have been identified

High4.1

Interested parties and their information security requirements have been determined

High4.2

The ISMS scope is defined and documented, including boundaries and applicability

High4.3

Top management has issued an information security policy aligned with strategic objectives

High5.2

Roles, responsibilities, and authorities for the ISMS have been assigned

High5.3

Risk planning

A documented information security risk assessment process exists

High6.1.2

Risks associated with loss of confidentiality, integrity, and availability have been identified

High6.1.2

A risk treatment plan with assigned owners exists

High6.1.3

The Statement of Applicability (SoA) has been prepared with justification for inclusions and exclusions

High6.1.3

Measurable information security objectives consistent with the policy have been established

Medium6.2

Support and resources

Adequate resources have been allocated for ISMS establishment, implementation, and improvement

High7.1

Personnel with ISMS roles have demonstrable competence (training, experience)

High7.2

An information security awareness program exists for all personnel

Medium7.3

Internal and external communication channels for information security are defined

Medium7.4

ISMS documented information is controlled (versioning, approval, distribution)

High7.5

Operation

ISMS operational processes are planned, implemented, and controlled as intended

High8.1

Risk assessments are performed at planned intervals or when significant changes occur

High8.2

The risk treatment plan is implemented and records of results are retained

High8.3

Selected Annex A controls are implemented and operational

High8.1

Changes that may affect information security are managed in a controlled manner

Medium8.1

Evaluation and improvement

ISMS processes and controls are monitored and measured with defined indicators

Medium9.1

Internal ISMS audits are performed at planned intervals

High9.2

Top management reviews the ISMS at planned intervals to ensure its suitability and effectiveness

High9.3

Nonconformities are recorded, analyzed, and documented corrective actions are taken

High10.1

Opportunities for continual ISMS improvement are identified and actions are implemented

Medium10.2

FAQ

How long does it take to prepare for an ISO 27001 audit

Typical preparation time ranges from 6 to 12 months, depending on organization size, maturity of existing controls, and availability of dedicated resources. A gap analysis allows precise estimation of the required effort.

What are the most frequent nonconformities in ISO 27001 audits

The most recurring nonconformities include: lack of evidence in risk assessment (6.1.2), incomplete Statement of Applicability (6.1.3), absence of control effectiveness indicators (9.1), and deficiencies in the internal audit program (9.2).

Is it necessary to implement all Annex A controls

No. The standard requires the organization to determine which Annex A controls are applicable based on its risk assessment. Controls that do not apply must be justified in the Statement of Applicability (SoA). The selection criteria must be traceable to the documented risk analysis.

Need help with implementation?

Request diagnostic→