ISO 27001 Checklist [+Free Template]

Published: February 3rd, 2021

Author: Matt Quinn

Categories: ISO Risk Management

ISO 27001 is one of the world’s most popular information security standards. Following ISO 27001 will help your organization to develop an information security management system (ISMS) that can order your risk management activities.


However, implementing the standard and then achieving certification can seem like a daunting task. Below are some steps (an ISO 27001 checklist) to make it easier for you and your organization.


Also included is a free Risk Register Template, to help you get started with your ISO 27001 gap analysis.


**Free Download: Risk Register Template**


#1 Top Management Commitment


Make sure the top management are committed to implementing ISO 27001:2013 and ensure that sufficient resources are provided (staff, budget and time).


Depending on the size of your organization, ISO 27001 can end up being very expensive.


New hardware, software and other costs related to implementing an information security management system can add up quickly.


Make sure that the Top management knows of the projected costs and the time commitments involved before taking on the project.


Possible list of costs you have to take into account:


·       New Hardware (Hardware Firewalls, Routers, Servers, Storage)

·       New Software (Software Firewalls, Password Managers, Anti-Viruses/Malware)

·       Physical Access Control (Locks, Lockers)

·       Expertise (Information Security Manager/New Hires)

·       Audits (including your certification audit)

·       Time (and possible changes to business processes) to ensure that the requirements of ISO are met.


#2 Identify the scope of the Information Security Management System


Identifying the scope will help give you an idea of the scale of the project. This can be used to determine the necessary resources.


When identifying the scope of the ISMS, consider:


·       The business needs (What are the objectives of your organization?)

·       The physical location(s) (Does it include multiple offices or just a single one?)

·       The structure of the organization

·       The information assets and technology (How sensitive is the information you hold?)

·       Things that are excluded from the scope will have to have limited access to information within the scope. E.g. Suppliers, Clients and Other branches

·       The devices (E.g. laptops, mobile devices and servers)

·       Internal and External Issues

·       The requirements of interested parties


Your organization will have to make the decision on the scope. ISO 27001 requires this. It could cover the entirety of the organization or it may exclude specific parts. Identifying the scope will help your organization identify the applicable ISO requirements (particularly in Annex A).


Beware, a smaller scope does not necessarily mean an easier implementation. Try to extend your scope to cover the entirety of the organization.


This will ensure that your entire organization is protected and there are no additional risks to departments excluded from the scope. E.g. if your supplier is not within the scope of the ISMS, how can you be sure they are properly handling your information?


Your organization’s interactions with any parties outside of the scope must be considered.


#3 Assembling an ISO 27001 Team


With the scope defined, the next step is assembling your ISO implementation team. The process of implementing ISO 27001 is no small task. Ensure that top management or the leader of the team has enough expertise in order to undertake this project.


This may include:


·       Hiring new permanent members to fill the team

·       Assigning additional responsibilities to existing team members

·       Sourcing temporary consultants on a contract basis


Ensure you have a team that sufficiently fits the size of your scope. A lack of manpower and responsibilities could be end up as a major pitfall.


#4 Conduct an ISO 27001 gap analysis/risk assessment


Prior to this project, your organization may already have a running information security management system.


A gap analysis is determining what your organization is specifically missing and what is required. It is an objective evaluation of your current information security system against the ISO 27001 standard.


This will help identify what you have, what you are missing and what you need to do. ISO 27001 may not cover every risk an organization is exposed to.


During this step you can also conduct information security risk assessments to identify your organizational risks.


Create an ISO 27001 risk assessment methodology that identifies risks, how likely they will occur and the impact of those risks.



Evaluate each individual risk and identify if they need to be treated or accepted. Not all risks can be treated as every organization has time, cost and resource constraints.


Use this information to create an implementation plan. If you have absolutely nothing, this step becomes easy as you will need to fulfill all of the requirements from scratch.


(Full disclosure, you can conduct a gap analysis using Apomatix’s Risk Manager! Or you can use the free template provided above.)


Whichever you choose, you should assess your organization against the current requirements of ISO 27001 and receive the corresponding ISO 27002/27003 implementation guidance. Apomatix can also be used to internally audit your organization for a range of ISO standards including ISO 9001, ISO 14001 and ISO 45001.


#5 Create an Implementation Plan


It is now time to create an implementation plan and risk treatment plan. With the implementation plan you will want to consider:


·       The duration of the project (depending on the size and scope of the project)

·       The budget of the project (depending on the size and scope of the project)

·       Assign roles and responsibilities (whom will do what and when)

·       Creating a statement of applicability (A document stating which ISO 27001 controls are being applied to the organization)

·       The information security policy (A document that governs the policies set out by the organization regarding information security)

·       Define how you will measure the effectiveness of controls

·       Plan training and awareness programs (information security is a organization wide effort)

·       Compile necessary documented information (this is great when you are going for certification)

·       The risk treatment plan (A document that lists the risks and corrective actions)

·       ISO 27001 Audit (plan periodic audits for monitoring and measurement)

·       Plan periodic management review for lessons learned and continual improvement.


It is important to have well established plans and clear ISO 27001 checklist when implementing the standard. Being prepared and organized is crucial in successfully implementing ISO 27001. Having an organized and well thought out plan could be the difference between a lead auditor failing you or your organization succeeding.




Understand that it is a large project which involves complex activities that requires the participation of multiple people and departments. ISO 27001 implementation can last several months or even up to a year. Following an ISO 27001 checklist like this can help, but you will need to be aware of your organization’s specific context.


The organization has to take it seriously and commit. A common pitfall is often that not enough money or people are assigned to the project. Make sure that top management is engaged with the project and is updated with any important developments.


ISO 27001 is achievable with adequate planning and commitment from the organization. Alignment with business objectives and achieving goals of the ISMS can help lead to a successful project.


While the implementation ISO 27001 may seem very difficult to achieve, the benefits of having an established ISMS are invaluable. Information is the oil of the 21st century. Protecting information assets as well as sensitive data should be a top priority for most organizations.


Obtaining ISO 27001 certification also brings a wide variety of benefits. Such as showing stakeholders your commitment in information security. As of 2018, there were 31,910 organizations that held ISO 27001 certification.


Information security is expected by consumers, by being certified your organization demonstrates that it is something you take seriously.


If you have found this ISO 27001 checklist useful, or would like more information, please contact us via our chat or contact form

Understand your risks. Reduce the impact. Protect your business.

Apomatix’s Powerful Risk Management Software to help you understand, fix and manage all your organisation’s risks.