ISO 27001 auditors start with your Statement of Applicability and then sample evidence from across the 12-month period. Access review records from 9 months ago are as important as last week's.
ISMS Scope & Risk

[CRITICAL] ISMS scope document written, approved, and kept current. Reflects current systems, locations, and data flows.
[CRITICAL] Information asset register completed, covering all significant assets.
[CRITICAL] Risk assessment documented: threats, vulnerabilities, likelihood, and impact for each asset.
[MAJOR] Risk treatment plan: each risk accepted, transferred, avoided, or treated.
[CRITICAL] Statement of Applicability completed, with all 93 controls assessed. First document every ISO 27001 auditor asks for.
[CRITICAL] SoA updated after any change in scope, systems, or risk profile.
[CRITICAL] Terminated employee access revoked within 24 hours. Auditors check this for leavers from the last 12 months.
[MAJOR] New employee access provisioned based on approved role, not on a manager request alone.
Policies & Training

[CRITICAL] Information security policy documented and approved.
[MAJOR] Acceptable use policy communicated to all staff.
[MAJOR] Data classification policy implemented.
[CRITICAL] Security awareness training for all staff in the last 12 months. Attendance records maintained.
[STANDARD] Phishing simulation or equivalent conducted.
Change & Incident Management

[CRITICAL] Change management process in place: all system changes logged and approved before deployment. No undocumented production changes.
[CRITICAL] Security incident register maintained, including near-misses. Not just breaches: all security events.
[MAJOR] All incidents investigated, with root cause and corrective action documented.
[MAJOR] Breach notification procedure documented and tested. The DPDP Act also requires breach notification to the DPBI.
Vendor & BCP

[MAJOR] Vendor / subprocessor list with a security assessment for each. SOC 2 or equivalent from key vendors.
[CRITICAL] Backup and recovery procedure with tested restoration. Test the restoration, not just the backup.
[MAJOR] Business continuity plan with defined RTO and RPO.
[MAJOR] DR drill conducted in the last 12 months, with results documented.
Internal Audit & Review

[CRITICAL] Annual internal ISMS audit covering all 93 control areas.
[CRITICAL] Management review conducted, with documented decisions on resources and objectives.
[MAJOR] All CAPA from the last audit closed, or active with dates.
[MAJOR] SoA version number matches the current ISMS state.
How to use this checklist: Tick each item you currently have in place. Items marked CRITICAL are highest-priority audit findings. Items marked MAJOR will result in a major nonconformance if absent. Use the Print button to save a PDF for your records or to share with your quality team.
This checklist is a readiness guide — not a substitute for a formal gap assessment. Engage a NABCB-accredited CB for a pre-assessment before your formal certification audit. Read the full ISO 27001 guide.