ISO 27001 certification requires a specific set of documents, operational controls, and audit evidence. The standard is explicit about what is mandatory — and auditors know exactly what to ask for. This checklist consolidates everything into a single reference you can use to track your implementation from the start of your ISMS project through to the Stage 2 certification audit.
It is organised into four phases: documentation, controls and operations, evidence collection, and audit readiness. Work through each phase in order — but note that evidence collection starts from the moment you implement a control, not in the final weeks before audit.
Phase 1: Mandatory Documentation
ISO 27001 requires documented information in two forms: those explicitly required by the standard (mandatory documents) and those needed to support effective ISMS operation. The following list covers the documents required by clauses 4–10 and by the Statement of Applicability.
Mandatory ISMS Documents — Clauses 4–10
- ISMS Scope Statement
- Information Security Policy
- Risk Assessment Methodology
- Risk Register
- Risk Treatment Plan
- Statement of Applicability (SoA)
- Information Security Objectives
- Competence Records
- Internal Audit Programme & Reports
- Management Review Minutes
- Corrective Action Log
Annex A Control Documentation
In addition to the clause-level documents, your Statement of Applicability will reference Annex A controls that require their own documented policies or procedures. The most common ones include:
Commonly Required Annex A Policy Documents
- Access Control Policy
- Cryptography Policy
- Clear Desk and Clear Screen Policy
- Information Classification Policy
- Acceptable Use Policy
- Incident Management Procedure
- Business Continuity Plan
- Supplier Security Policy
- HR Security Policy (onboarding/offboarding)
- Vulnerability Management Procedure
- Change Management Procedure
- Backup Policy
Phase 2: Operational Controls
Documentation alone does not satisfy auditors. Controls must be implemented and operating. The following are the operational items auditors verify are in place and functioning — not just described in a policy document.
- User access provisioning and de-provisioning process in operation
- Quarterly (or more frequent) access reviews with records
- Multi-factor authentication enforced on critical systems
- Patch management process with evidence of patching activity
- Antivirus/EDR deployed across endpoints with monitoring
- Backup schedule in place with tested restore capability
- Encryption applied to sensitive data at rest and in transit
- Logging and monitoring enabled on critical systems
- Security awareness training delivered to all staff with completion records
- Supplier contracts include information security requirements
- Incident log maintained (even if no incidents occurred)
- Vulnerability scanning conducted with remediation tracking
- Change management records for system changes
- Physical security controls documented (if applicable to scope)
Phase 3: Evidence Collection
Evidence is what transforms a documented ISMS into a certifiable one. The Stage 2 auditor will ask to see evidence that each implemented control has been operating over a meaningful period — not just set up in the week before the audit. Start collecting evidence from day one of implementation.
| Evidence Item | What Auditors Look For |
|---|---|
| Access review records | Dated records showing who reviewed access, when, and what action was taken |
| Training completion logs | Names, dates, and topic for all staff security awareness training |
| Patch records | Logs showing critical patches applied within policy timeframe |
| Backup test results | At least one successful restore test with date and outcome recorded |
| Incident log | All reported incidents with dates, description, response, and closure |
| Internal audit report | Full report covering all ISMS clauses, findings, and corrective actions |
| Management review minutes | Signed minutes from the Clause 9.3 review meeting |
| Risk register history | Evidence of review at planned intervals, not just at certification time |
| Supplier assessment records | Security questionnaires or assessments for key suppliers |
| Vulnerability scan results | Reports showing scans were run and findings were tracked |
The most common reason organisations fail the Stage 2 audit is not missing documentation — it is missing evidence. Policies exist on paper but there is no record that anyone followed them. Build evidence collection into your operational processes from the start, not as a pre-audit exercise.
Phase 4: Audit Readiness
In the final weeks before your Stage 1 audit, verify the following are in order:
- All mandatory documents are version-controlled, dated, and approved
- Statement of Applicability is finalised and signed off
- Risk register reviewed within the last three months
- Internal audit completed and report issued
- All internal audit nonconformities have corrective actions (even if not yet closed)
- Management review completed and minutes documented
- All staff have completed security awareness training
- Evidence portfolio is organised and accessible for the auditor
- ISMS owner can explain the scope, risk methodology, and control selection rationale
- Certification body has confirmed Stage 1 date and document requirements
Using This Checklist
This checklist reflects the requirements of ISO/IEC 27001:2022. If you are working from the 2013 version, the Annex A control references will differ — see our guide to the 2022 changes for a full comparison.
The document items on this checklist map directly to our ISO 27001 template library — each template is pre-structured to satisfy the clause or control it covers. If you want support working through the checklist with an experienced practitioner, our ISO 27001 consulting service uses this checklist as the basis for the implementation programme.