
ISO 27001 Checklist: 14-Step Implementation Roadmap for 2026
A practical ISO 27001 checklist covering all 14 implementation steps — from gap analysis to certification audit. Includes Annex A controls, documentation requirements, and common failure points.
ISO 27001 certification is not a single event. It is a structured programme that spans months of planning, implementation, documentation, and auditing. The organisations that fail — and many do on their first attempt — almost always stumble on the same preventable issues: incomplete documentation, misaligned policies, or a risk assessment that hasn't been updated since it was first written.
This checklist gives you every step in the right order. Follow it sequentially and you will arrive at your certification audit with no surprises.
What You Need Before You Start
Before you begin any implementation work, confirm three things:
- Executive commitment is secured. ISO 27001 Clause 5.1 requires top management to demonstrate leadership and commitment. Without active senior sponsorship — not just sign-off — most ISMS projects stall within 60 days when competing priorities arise.
- A budget is allocated. Total costs for a mid-market company typically range from €20,000 to €80,000 across the three-year certification cycle, including consultant fees, the certification audit itself, and annual surveillance audits. Costs are projected to rise approximately 20% in 2026 compared to 2025 [1].
- An ISMS owner is assigned. Someone must own this programme day-to-day. This is often a CISO, Head of Information Security, or an appointed Information Security Manager.
The ISO 27001 Implementation Checklist
Step 1: Define the ISMS Scope
What you need to produce: A written ISMS scope document.
The scope defines which parts of your organisation, which locations, which information assets, and which processes fall under the ISMS. Too narrow a scope may satisfy the auditor but leave material risks outside the programme. Too broad a scope makes implementation unmanageable.
Checklist items for Step 1:
- Identify the organisational units included in the ISMS
- Define which products, services, or processes are in scope
- Document internal and external interfaces and dependencies
- Confirm scope with management and record approval
Common mistake: Scoping out cloud infrastructure or third-party processors to simplify implementation. Auditors increasingly ask about these explicitly, especially post-DORA and NIS2 where supply chain accountability is mandatory.
Step 2: Conduct a Gap Analysis
What you need to produce: A gap analysis report mapping your current state against ISO 27001:2022 requirements.
A gap analysis compares your existing security controls, policies, and processes against every clause (Clauses 4–10) and every applicable Annex A control. It tells you how much work lies ahead and where to prioritise effort.
Checklist items for Step 2:
- Review all 11 clauses of ISO 27001:2022 (Clauses 4–10 are auditable)
- Map existing controls to Annex A categories
- Identify missing mandatory documentation
- Prioritise gaps by risk level and implementation effort
- Estimate resource and timeline requirements
A professional gap analysis from an external consultant typically costs €5,000–€15,000 [2]. Automation platforms like Orbiq can run a continuous gap analysis as part of their ISMS monitoring capability, reducing this to an ongoing process rather than a point-in-time exercise.
Step 3: Establish the ISMS Framework
What you need to produce: ISMS policy documents and governance structure.
Before you start writing controls, establish the governance layer:
Checklist items for Step 3:
- Write the Information Security Policy (Clause 5.2 requirement)
- Define information security roles and responsibilities
- Establish the ISMS committee or steering group
- Set information security objectives (measurable, Clause 6.2)
- Create the ISMS project plan with milestones
The Information Security Policy must be approved by top management, communicated to all employees, and available to relevant interested parties. One page is sufficient if it covers the purpose, objectives, principles, and commitment to continual improvement.
Step 4: Conduct the Risk Assessment
What you need to produce: Risk assessment methodology document + completed risk register.
This is the engine of your ISMS. Everything downstream — which controls you implement, what your Statement of Applicability says, how you prioritise resources — flows from the risk assessment.
ISO 27001:2022 Clause 6.1.2 requires you to:
- Define criteria for accepting risks
- Establish a repeatable methodology for identifying and evaluating risks
- Identify risks related to the loss of confidentiality, integrity, or availability of information
- Assess the likelihood and consequence of each risk
- Prioritise risks for treatment
Checklist items for Step 4:
- Document the risk assessment methodology and criteria
- Identify information assets within scope
- Identify threats and vulnerabilities for each asset
- Evaluate likelihood and impact (use a consistent scale)
- Calculate risk levels and rank them
- Identify risk owners for each significant risk
- Review and sign off the risk register with management
What most guides don't tell you: The risk assessment is not a one-time document. Auditors will check that your risk register has been updated when the business changes — new products, new cloud services, M&A activity, or significant regulatory changes. A risk register that hasn't been touched since initial certification is a red flag that triggers deeper scrutiny.
Step 5: Create the Risk Treatment Plan
What you need to produce: Risk treatment plan + Statement of Applicability (SoA).
For each risk above your acceptance threshold, you must choose a treatment option: mitigate (implement a control), transfer (insurance or contract), accept (document the decision), or avoid (remove the activity).
Checklist items for Step 5:
- Select treatment options for all unacceptable risks
- Map treatment decisions to specific Annex A controls
- Document justifications for controls included and excluded
- Create the Statement of Applicability (SoA) — all 93 Annex A controls must appear
- Get the risk treatment plan approved by management
The SoA in detail: The Statement of Applicability is arguably the most important document in your ISMS. It must list all 93 Annex A controls from ISO 27001:2022, state whether each is applicable or excluded, justify the decision either way, and — for applicable controls — indicate their implementation status. Your certification auditor will use this document as their primary roadmap.
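A small check for the SoA requirements just described, added here as an example and not part of the original page or of any platform it mentions: it confirms that every one of the 93 Annex A control identifiers appears exactly once, that each row carries a justification, and that applicable controls state an implementation status. The CSV column names, the accepted status values and the sample rows are assumptions constructed for the example; the control-ID ranges follow the four themes listed in Step 6.

```python
"""Statement of Applicability completeness check for ISO 27001:2022.

Constructed example. Control IDs are derived from the four Annex A themes
named on this page (37 organisational, 8 people, 14 physical,
34 technological, 93 in total). Column names, status vocabulary and the
sample rows are assumptions, not a real SoA.
"""
import csv
import io

# Annex A theme number and number of controls in that theme.
THEMES = {"Organisational": (5, 37), "People": (6, 8),
          "Physical": (7, 14), "Technological": (8, 34)}
ALL_CONTROLS = {f"{theme}.{n}" for theme, count in THEMES.values()
                for n in range(1, count + 1)}

# Assumed status vocabulary for applicable controls.
VALID_STATUS = {"implemented", "partially implemented", "planned"}


def control_key(cid):
    """Sort key so that 5.2 precedes 5.10 (numeric, not lexicographic)."""
    theme, num = cid.split(".")
    return (int(theme), int(num))


def validate_soa(rows):
    """Return findings for a list of SoA rows.

    Each row is a dict with keys: control, applicable (yes/no),
    justification, status (required only when applicable == yes).
    """
    findings = {"missing": [], "unknown": [], "duplicate": [],
                "no_justification": [], "bad_status": []}
    seen = set()
    for row in rows:
        cid = row["control"].strip()
        if cid not in ALL_CONTROLS:
            findings["unknown"].append(cid)   # not a 2022 Annex A control
            continue
        if cid in seen:
            findings["duplicate"].append(cid)
        seen.add(cid)
        if not row["justification"].strip():
            findings["no_justification"].append(cid)
        applicable = row["applicable"].strip().lower() == "yes"
        if applicable and row["status"].strip().lower() not in VALID_STATUS:
            findings["bad_status"].append(cid)
    findings["missing"] = sorted(ALL_CONTROLS - seen, key=control_key)
    return findings


def validate_csv(text):
    return validate_soa(list(csv.DictReader(io.StringIO(text))))


# Constructed, deliberately incomplete SoA extract.
SAMPLE_SOA = """control,applicable,justification,status
5.1,yes,Policy suite required by Clause 5.2,implemented
5.7,yes,Threat feeds consumed by the SOC,planned
7.1,no,No physical offices; fully remote workforce,
8.28,yes,,partially implemented
8.12,yes,DLP on email and endpoints,
9.9,yes,Mistyped control identifier,implemented
"""

if __name__ == "__main__":
    result = validate_csv(SAMPLE_SOA)
    print(f"{len(result['missing'])} of 93 controls absent from the SoA")
    for key in ("unknown", "duplicate", "no_justification", "bad_status"):
        print(f"{key}: {result[key]}")
```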
Step 6: Implement Annex A Controls
What you need to produce: Evidence of implemented controls (policies, procedures, configurations, records).
ISO 27001:2022 Annex A contains 93 controls grouped into four themes [3]:
| Theme | Controls | Examples |
|---|---|---|
| Organisational | 37 | Information security policies, asset management, access control policy, supplier relationships |
| People | 8 | Screening, terms of employment, information security awareness, disciplinary process |
| Physical | 14 | Physical security perimeters, clear desk policy, secure disposal of media |
| Technological | 34 | User endpoint devices, privileged access, malware protection, backup, logging, encryption |
Not all 93 controls will apply to your organisation. The SoA documents which are applicable and why. However, excluding a control requires a documented justification — "we don't have physical offices" is valid for physical perimeter controls; "it would take too long to implement" is not.
Checklist items for Step 6:
- Implement all controls marked applicable in the SoA
- Write procedures for each implemented control
- Collect and store evidence of implementation (screenshots, configs, records)
- Assign control owners responsible for ongoing operation
- Review new ISO 27001:2022-specific controls: threat intelligence (5.7), cloud security (5.23), ICT continuity (5.30), data masking (8.11), data leakage prevention (8.12), web filtering (8.23), secure coding (8.28)
Step 7: Write Mandatory Documentation
What you need to produce: A complete set of required documented information.
ISO 27001:2022 specifies mandatory documented information in multiple clauses. Missing any of these is an automatic non-conformity.
Mandatory documents checklist:
- ISMS scope (Clause 4.3)
- Information security policy (Clause 5.2)
- Information security risk assessment process (Clause 6.1.2)
- Information security risk treatment process (Clause 6.1.3)
- Information security objectives (Clause 6.2)
- Evidence of competence (Clause 7.2)
- Documented information determined necessary for ISMS effectiveness (Clause 7.5)
- Operational planning and control (Clause 8.1)
- Risk assessment results (Clause 8.2)
- Risk treatment results (Clause 8.3)
- Evidence of monitoring and measurement (Clause 9.1)
- Internal audit programme and results (Clause 9.2)
- Management review results (Clause 9.3)
- Evidence of nonconformities and corrective actions (Clause 10.1)
- Statement of Applicability (Clause 6.1.3d)
Tip: Documentation quality matters as much as quantity. Auditors are experienced at spotting documents that were written to pass an audit and then filed away. Policies should reference real processes; procedures should match what employees actually do.
Step 8: Run the Security Awareness Programme
What you need to produce: Training records and awareness programme documentation.
ISO 27001:2022 Clause 7.3 requires all personnel to be aware of the information security policy, their contribution to ISMS effectiveness, and the implications of non-conformance.
Checklist items for Step 8:
- Design and deliver security awareness training for all employees
- Conduct role-specific training for high-risk roles (IT, finance, HR)
- Record training completion and assessment results
- Schedule refresher training (at minimum annually)
- Include security awareness in new employee onboarding
Step 9: Implement Monitoring and Measurement
What you need to produce: Monitoring metrics, measurement procedures, and evidence of regular reviews.
Clause 9.1 requires you to determine what needs to be monitored, how to do it, when, and who is responsible. You must be able to demonstrate ongoing control effectiveness — not just initial implementation.
Checklist items for Step 9:
- Define KPIs and metrics for key controls (e.g., patch coverage %, access review completion %, incident response time)
- Implement technical monitoring (SIEM, vulnerability scanning, access logs)
- Document the measurement methodology
- Set a cadence for reviewing metrics (monthly recommended, quarterly minimum)
- Create management dashboards or reports
Step 10: Conduct the Internal Audit
What you need to produce: Internal audit programme, individual audit reports, and corrective action records.
ISO 27001:2022 Clause 9.2 requires internal audits at planned intervals. Most certification bodies expect at least one full internal audit cycle before the Stage 2 certification audit.
Checklist items for Step 10:
- Create a formal internal audit programme covering all ISMS clauses
- Plan audit frequency — high-risk areas audited more frequently
- Appoint internal auditors who are independent of the areas being audited
- Conduct audits against the standard and your own documented procedures
- Document all findings, including conformities and non-conformities
- Raise corrective actions for every non-conformity
- Verify corrective actions have been implemented before certification audit
Timing: Start internal audits at least six months before your planned Stage 2 certification audit. This gives you time to identify and resolve non-conformities before the external auditor arrives.
Step 11: Conduct the Management Review
What you need to produce: Management review minutes and action records.
Clause 9.3 requires top management to review the ISMS at planned intervals. This is not a rubber-stamp exercise — auditors will read your management review minutes carefully to verify genuine senior engagement.
Mandatory inputs to the management review include:
- Status of actions from previous reviews
- Changes in external/internal issues relevant to the ISMS
- Feedback on security performance (audit results, nonconformities, monitoring metrics)
- Risk assessment results and risk treatment plan status
- Opportunities for continual improvement
Checklist items for Step 11:
- Schedule the management review at least 8 weeks before Stage 2 audit
- Prepare agenda covering all mandatory inputs (Clause 9.3.2)
- Record the meeting with sufficient detail to evidence genuine review
- Document outputs: decisions on improvement opportunities, resource needs, ISMS changes
- Assign action owners and completion dates
Step 12: Resolve All Non-Conformities
What you need to produce: Corrective action records demonstrating root cause analysis and verified closure.
Before Stage 2, every non-conformity identified through internal audits must be addressed. This means:
- Identifying the root cause (not just the symptom)
- Implementing a corrective action that addresses the root cause
- Verifying the action was effective
- Documenting the entire process
Checklist items for Step 12:
- Review all open internal audit findings
- Conduct root cause analysis for each non-conformity
- Implement and document corrective actions
- Re-test controls affected by non-conformities
- Get corrective action closure signed off by the relevant control owner
Step 13: Stage 1 Audit — Documentation Review
What happens: The certification body reviews your documentation and confirms readiness for Stage 2.
Stage 1 is primarily a desk review. The auditor checks:
- That all mandatory documents exist and are current
- That your ISMS scope is appropriate
- That the Statement of Applicability is complete
- That internal audits and management reviews have been conducted
Stage 1 typically runs 1–2 days and results in one of three outcomes: ready to proceed, minor clarifications needed, or major gaps requiring remediation before Stage 2.
Checklist items for Step 13:
- Confirm all mandatory documents are complete and approved
- Ensure the SoA is current and reflects the risk treatment plan
- Verify internal audit and management review records are available
- Brief your team on what to expect during auditor interviews
- Address any Stage 1 findings before Stage 2
Step 14: Stage 2 Audit — Certification Audit
What happens: The auditor tests implementation effectiveness through interviews, testing, and sampling.
Stage 2 is the full certification audit. The auditor will:
- Interview employees at multiple levels
- Test technical controls (request screenshots, configurations, logs)
- Sample evidence of operational processes
- Review records to confirm ongoing operation, not just initial setup
Stage 2 findings fall into three categories:
- Major non-conformity: Certification cannot be issued until resolved. Often means a follow-up audit.
- Minor non-conformity: Certification can be issued with a corrective action plan due within 90 days.
- Observation: Advisory point with no mandatory action required.
Checklist items for Step 14:
- Prepare evidence packages for all applicable Annex A controls
- Brief employees likely to be interviewed (especially IT, HR, management)
- Have all documentation readily accessible — paper and digital
- Assign a single point of contact to manage the audit logistics
- Plan for post-audit corrective actions in your project schedule
Post-Certification: Maintaining ISO 27001
Certification is not the finish line. ISO 27001 operates on a three-year certification cycle with annual surveillance audits in Years 1 and 2 and a full recertification audit in Year 3.
Ongoing obligations:
- Annual surveillance audits (typically 1–2 days, costs €3,000–€7,500 each)
- Annual risk assessment review and risk register update
- Annual internal audit cycle
- Annual management review
- Immediate notification to the certification body of significant changes to scope or security posture
- Continuous monitoring of controls
The most common reason organisations lose certification between surveillance audits is that they treat the ISMS as a project rather than an ongoing programme. The controls stop being operated, the risk register stops being updated, and the gap that opens in 12 months takes another 6 months to close.
ISO 27001 Cost Summary (2026)
| Component | Small Business (<50 staff) | Mid-Market (50–500 staff) | Enterprise (500+ staff) |
|---|---|---|---|
| Gap analysis | €3,000–€8,000 | €8,000–€20,000 | €20,000–€50,000 |
| Implementation (consulting) | €5,000–€15,000 | €15,000–€40,000 | €40,000–€100,000 |
| Certification audit (Stage 1+2) | €5,000–€10,000 | €10,000–€25,000 | €25,000–€60,000 |
| Annual surveillance audit | €3,000–€5,000 | €5,000–€7,500 | €7,500–€20,000 |
| 3-year total (DIY platform) | €15,000–€30,000 | €30,000–€80,000 | €80,000–€200,000 |
Costs are projected to rise approximately 20% in 2026 compared to 2025, driven by increased demand and limited availability of accredited auditors [1].
The 7 Most Common ISO 27001 Audit Failures
Knowing why organisations fail helps you avoid the same mistakes:
- Incomplete documentation. If a document doesn't exist at audit time, the control doesn't exist. Missing mandatory documents — especially the SoA, risk register, or internal audit report — can end the audit before it begins [4].
- Policy and practice mismatch. The access control policy says accounts are reviewed quarterly. The auditor pulls the access review log and finds no reviews in 18 months. This is a major non-conformity.
- Stale risk assessment. The business launched three new products, migrated to a new cloud provider, and hired 40 people since the risk assessment was last updated. The risk register should reflect the business you operate today.
- Inadequate management review. A two-paragraph email thread does not constitute a management review. Auditors expect documented minutes with substantive discussion of performance metrics and improvement actions.
- No corrective action follow-through. Internal audits identified non-conformities but they were logged and never closed. Open corrective actions at Stage 2 are a red flag.
- Untested continuity plans. ISO 27001 requires business continuity plans to be tested. A plan that has never been exercised cannot be evidenced as effective [5].
- Controls implemented but not operated. A logging policy exists. A SIEM is configured. But nobody has reviewed the SIEM alerts in four months. Implementation without ongoing operation fails the effectiveness test.
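The "policy and practice mismatch" failure above, and the access review completion KPI suggested in Step 9, can both be caught by the same routine check: compare the most recent review date per system against the cadence the policy promises. The following is an added example, not code from the page or from any product it names; the review-log format, the quarterly interval of 91 days and the log lines are constructed assumptions.

```python
"""Policy-vs-practice check for periodic access reviews.

Constructed example. The policy interval, the key=value log format and
the log lines below are assumptions chosen to reproduce the mismatch
described on this page (policy says quarterly, log shows otherwise).
"""
from datetime import date, timedelta

POLICY_REVIEW_INTERVAL_DAYS = 91  # "quarterly" as stated in the policy

# Constructed review log: most recent completed review per in-scope system.
REVIEW_LOG = """\
system=hr-portal last_review=2025-11-03 reviewer=j.doe
system=finance-erp last_review=2024-05-15 reviewer=a.smith
system=cloud-console last_review=2025-12-20 reviewer=j.doe
system=vpn last_review=never reviewer=-
"""


def parse_log(text):
    """Return {system: last_review_date or None} from key=value lines."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        raw = fields.get("last_review", "never")
        records[fields["system"]] = (None if raw == "never"
                                     else date.fromisoformat(raw))
    return records


def overdue_reviews(records, as_of, interval_days=POLICY_REVIEW_INTERVAL_DAYS):
    """Return {system: days_past_cutoff} for systems outside the policy cadence.

    A value of None means the system has never been reviewed at all.
    """
    cutoff = as_of - timedelta(days=interval_days)
    overdue = {}
    for system, last in records.items():
        if last is None:
            overdue[system] = None
        elif last < cutoff:
            overdue[system] = (cutoff - last).days
    return overdue


def completion_pct(records, as_of, interval_days=POLICY_REVIEW_INTERVAL_DAYS):
    """Clause 9.1 KPI: % of in-scope systems reviewed within the policy interval."""
    if not records:
        return 0.0
    late = overdue_reviews(records, as_of, interval_days)
    return round(100.0 * (len(records) - len(late)) / len(records), 1)


if __name__ == "__main__":
    recs = parse_log(REVIEW_LOG)
    today = date(2026, 1, 15)  # constructed report date
    print(f"access review completion: {completion_pct(recs, today)}%")
    for system, days in overdue_reviews(recs, today).items():
        print(f"OVERDUE {system}: "
              f"{'never reviewed' if days is None else f'{days} days past cutoff'}")
```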
ISO 27001 Checklist vs. Competitors: What This Covers
Most ISO 27001 checklists from compliance platforms list 10–14 steps but skip the specifics that actually determine audit outcomes. This guide includes:
- The exact mandatory documents required by each clause
- The full 93-control Annex A breakdown by theme
- Cost benchmarks with 2026 projections
- The seven failure patterns that trigger major non-conformities
- Post-certification maintenance requirements
For a detailed cost breakdown, see our ISO 27001 Certification Cost guide. For the complete technical deep-dive on the standard, see ISO 27001 Certification: The Complete Guide.
If you want to compress your implementation timeline and automate ongoing evidence collection, Orbiq's ISMS platform automates 70% of the ongoing compliance work — from risk register management to Annex A control monitoring.
Frequently Asked Questions
Do I need a consultant to get ISO 27001 certified?
No, but it helps. Many organisations — particularly those with existing security teams — self-implement using documentation toolkits and automation platforms. The risk with self-implementation is that it is easy to miss the nuance of what auditors actually want to see versus what a checklist tells you to write.
Can ISO 27001 certification be accelerated?
Yes, to a point. Organisations with an existing SOC 2 or NIST CSF programme can leverage significant overlap. ISO 27001:2022 maps closely to both frameworks. However, the minimum time needed to gather sufficient evidence of ongoing ISMS operation — especially for internal audits and management reviews — means 3 months is a realistic floor for the fastest implementations.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
ISO 27001:2022 (published October 2022) reduced Annex A controls from 114 to 93 and reorganised them from 14 categories into 4 themes. It added 11 new controls focused on threat intelligence, cloud security, ICT supply chain, data masking, and secure coding. Organisations certified under the 2013 version had until October 2025 to transition. All new certifications must now use the 2022 version.
How does ISO 27001 relate to NIS2 and DORA?
ISO 27001 is explicitly referenced in both NIS2 (EU 2022/2555) and DORA (EU 2022/2554) as a recognised framework for demonstrating appropriate security measures. Holding ISO 27001 certification does not guarantee NIS2 or DORA compliance, but it covers a significant proportion of the technical and organisational measures required. See our NIS2 compliance guide for the specific mapping.
Sources & References
1. ISO 27001 Certification Cost Breakdown in 2026 — StrongDM
2. ISO 27001 Certification Cost: Full Breakdown (2026) — Sprinto
3. ISO 27001 Controls: Overview of all measures from Annex A — DataGuard
4. Common ISO 27001 Audit Findings: Top Nonconformities & How to Avoid Them — GLO Cert International
5. 5 Common Pitfalls That Stall ISO 27001 Certification — Auditwerx
6. ISO 27001 Checklist: Your 14-Step Roadmap to ISO Certification — Secureframe
7. ISO 27001 Checklist: 13-Step Implementation Guide — Sprinto
8. The Modern ISO 27001 Compliance Checklist (2026) — ComplyJet