
The Ultimate ISO 27001 Checklist

A ten-step checklist for building an ISO 27001:2022 information security management system, from scope and risk assessment to the Statement of Applicability and your external audit.

ISO 27001 is the international standard for managing information security across the whole business, not just the cloud stack. That's all 93 controls in the 2022 revision, the people and physical ones included, not the technical third on its own. This checklist lays out the ten steps of building an ISMS that certifies and holds, in plain English, without assuming you arrived with the standard memorised.

What's inside:

  • Team and plan: get leadership backing, set up your ISMS team, and build a certification plan with owners and timelines
  • Scope: define your ISMS boundaries, and the legal and regulatory obligations that apply
  • Asset register: build a digital asset register with risk assessments linked from the start
  • Risk assessment: choose a methodology, identify and evaluate risks, and create your risk treatment plan
  • Controls and evidence: build your Statement of Applicability and start collecting control evidence
  • Policies: create or migrate the mandatory policies and procedures, with a reading and approval regime
  • Audits: run your internal audit, then the Stage 1 and Stage 2 external audit
  • Maintain and mature: keep the ISMS current through years two and three

By the end, you'll have a clear map of the whole-business work ISO 27001 actually involves, what you can evidence today, and what to put in front of an auditor at each stage.

Questions? We've Got You Covered

Planning an audit? These will help.
For anything else, just ask.

What is ISO 27001?

ISO/IEC 27001 is the international standard for managing information security across the whole business, not just the cloud stack. It sets out how an organisation builds and runs an information security management system (ISMS): scope, risk assessment and treatment, the Statement of Applicability, policies, and internal and external audit.

Who is this ISO 27001 checklist for?

Compliance leads, CISOs and engineering managers preparing for a first ISO 27001 audit, or scoping what certification would involve before committing budget to it.

How many controls are in ISO 27001:2022?

93. The 2022 revision consolidated the control set into 93 controls, and they cover people and physical security as well as the technical ones, so an ISMS has to address the whole business, not just the technology stack.

How long does ISO 27001 certification take?

It depends on how much is in scope and how mature your governance already is. Most teams plan a few months from gap assessment to audit; the checklist helps you map that work up front.

Is the checklist really free?

Yes. Enter a business email and the download unlocks straight away — no sales call attached.