ISO 27001 audit checklist

Are you looking to streamline your ISO 27001 certification process? Discover our comprehensive Seven-step ISO 27001 audit checklist designed to guide you through each phase, ensuring your organisation meets the highest standards of information security management.

ISO 27001 audit checklist

If you’re preparing for ISO 27001 certification, the process only works if you’re genuinely ready before your external auditor arrives. For any Australian business handling sensitive data, ISO 27001 is one of the clearest ways to show your information security management is built on solid ground.

This ISO 27001 audit checklist covers everything your team needs to check as part of your information security management system (ISMS). Whether you’re working through the ISO 27001 prerequisites before implementation, running a regular internal audit, or preparing for your certification audit, this guide gives you a clear, step-by-step framework to follow.

What is an ISO 27001 audit checklist?

An ISO 27001 audit checklist is a structured tool that maps the requirements of the standard to a series of checkpoint questions. Sometimes called simply an ISO 27001 checklist, it’s used by internal teams to assess whether their ISMS is designed correctly and operating effectively. It’s also used by businesses preparing for external certification audits to check their readiness before the auditor arrives.

The standard is built around a risk-based approach to managing sensitive data. That means the checklist isn’t just asking ‘does this exist?’ It’s asking whether what exists is working, documented, reviewed, and genuinely improving your security posture over time.

Used well, an ISO 27001 audit checklist helps your organisation:

  • Identify gaps before an external auditor does.
  • Collect objective evidence that controls are operating as intended.
  • Ensure consistency across ISMS processes and documented controls.
  • Document corrective actions and track them to resolution.
  • Prepare for management review with organised performance data.
  • Plan and track your internal audit program so nothing falls through the cracks.

ISO 27001 prerequisites: what you need before you start

Before working through the ISO 27001 audit checklist, your organisation should have the foundational elements of your ISMS in place. Strictly speaking, these aren’t formal requirements of the standard itself, but without them, your audit will quickly surface gaps.

  • Executive commitment: top management must be actively engaged, not just nominally supportive.
  • A defined ISMS scope: this determines which parts of the business, systems, and information assets are covered.
  • A completed risk assessment: identifying security risks, threats, and vulnerabilities relevant to your scope.
  • A risk treatment plan: documenting how each identified risk is addressed and which Annex A controls apply.
  • Core ISMS policies documented and communicated: your information security policy must be in writing and understood across the organisation.
  • Regular training in place: your people need to understand their role in maintaining data security and complying with security standards.
  • An internal audit plan: you must be able to demonstrate that internal audits are planned, not ad hoc.

If any of these aren’t in place, your audit will surface it quickly, so it’s worth getting them sorted first. Working through an ISO 27001 gap analysis is the most efficient way to find out where you stand before you commit to the ISO 27001 implementation process.

Internal audit vs certification audit: what’s the difference?

Both rely on an audit checklist, but they serve different purposes and sit at different points in the ISO 27001 process.

Your internal audit is run by your own team, or a qualified independent auditor, on a planned basis. It checks that your ISMS is working as designed, surfaces improvement opportunities, and generates the evidence your external auditor will review. Conducting regular audits is a requirement of the standard, not an optional extra.

Your certification audit is run by an accredited certification body, like Citation Group, which independently verifies that your ISMS meets the requirements of ISO 27001. Surveillance audits then follow annually throughout your three-year certification cycle.

7-step ISO 27001 certification checklist

Are you looking to streamline your ISO 27001 certification process? Here’s a comprehensive seven-step ISO 27001 checklist designed to guide you through each phase, ensuring your organisation meets the highest standards of information security management.

1. Assign roles

First, assemble an implementation team and assign specific roles to each member. Appoint a team leader to manage the implementation of the information security management system. This should be someone who is highly knowledgeable in information security matters and able to lead a team and collaborate with managers.

Check:

  • Is an ISMS owner or information security manager appointed with clearly defined authority?
  • Are roles and responsibilities for information security documented and communicated?
  • Has top management demonstrated active commitment to the ISMS?
  • Have human resources responsibilities around information security been defined, including onboarding, offboarding, and regular training?

Clear accountability is what makes your ISMS stick. It’s one of the first things an auditor checks.

2. Create the implementation plan

The second step involves planning for the implementation of the ISMS. The project manager leads the implementation team to define the information security objectives and create a risk register, as well as an ISMS plan that covers:

  • Roles and responsibilities.
  • Communication through internal and external channels.
  • Methodology for continual improvement.

Check:

  • Are information security objectives defined, documented, and measurable?
  • Is there a risk register in place that captures identified risks and their owners?
  • Does the ISMS plan define how roles, responsibilities, and communication channels operate?
  • Is there a documented methodology for continual improvement?

3. Define the ISMS scope

This step involves defining the ISMS framework to gain a broader understanding of how the standard works. Create standards, policies, procedures, and guidelines that align with your information security system. The ISMS scope must be correctly defined. Too small and you leave gaps, too complex and it becomes unmanageable.

Check:

  • Has the ISMS scope been defined and documented?
  • Does the scope correctly reflect the organisation’s boundaries, information assets, and critical sectors?
  • Have internal and external issues relevant to information security been identified?
  • Have interested parties and their requirements been documented?
  • Does the scope account for cloud services and any externally provided processes or supplier relationships?

4. Develop a risk management process

The sole concept behind an ISMS is risk management. Most aspects of your ISMS are based on the risks and vulnerabilities you’ve detected, making risk management a key factor for any organisation seeking ISO 27001 compliance. Implementing this standard helps define your risk management processes, which technically involve five steps:

  • Develop a risk evaluation framework.
  • Identify risks.
  • Assess risks.
  • Evaluate risks.
  • Choose a risk management approach.

Check:

  • Is there a documented risk assessment methodology?
  • Have information assets been identified and their owners assigned?
  • Have security threats and vulnerabilities been systematically identified?
  • Has an overall risk assessment been completed, with risks evaluated against defined criteria?
  • Is there a risk treatment plan that documents how each risk is addressed – whether through controls, transfer, avoidance, or acceptance?
  • Does the risk treatment plan reference the relevant controls from Annex A?

Your risk assessment and risk treatment plan are two of the most closely scrutinised documents in any ISO 27001 audit. They need to be thorough, current, and clearly connected to the controls you’ve implemented.

5. Implement a risk management plan

Once you’ve developed a working risk management process, implement a risk management plan to ensure potential risks are kept at bay. This means developing and implementing appropriate security controls to mitigate the risks you’ve identified, both technical and organisational.

Check:

  • Are ISMS policies documented, approved by top management, and communicated across the organisation?
  • Are operational controls implemented and consistently applied across the organisation?
  • Are access control policies in place, and is access to sensitive data appropriately restricted?
  • Are network security measures implemented and monitored?
  • Are data protection and data security considered in the design and operation of systems?
  • Are supplier relationships managed with appropriate security controls?
  • Is there a documented incident response process, including how data breaches are detected, reported, and managed?
  • Does the organisation have continuous monitoring of its security posture?
  • Are cloud security considerations addressed, particularly for cloud services handling sensitive data?

6. Conduct an internal audit

ISO 27001 requires organisations to conduct internal audits at planned intervals. Conducting an internal audit is essential. It helps prepare your organisation for the official audit and is an excellent way to test whether your controls are working appropriately. An internal audit can be conducted by an independent external auditor or an internal team that was not involved in documenting and setting up the ISMS.

Check:

  • Is there a documented audit plan covering all ISMS processes?
  • Are internal auditors sufficiently independent from the areas they’re auditing?
  • Are audit findings documented, including non-conformances and corrective actions?
  • Are corrective actions tracked to resolution and verified as effective?
  • Are audit results reported to management and feeding into management review?
  • Are external audits and surveillance audits planned and resourced appropriately?
  • Are resource allocation decisions – including budget for security tools and training – made as part of management review?

7. Engage an accredited certification body

When you’re ready for the official audit, not all certification bodies are equal, and who you choose matters. Once you choose a suitable certification body, such as Citation Group, they’ll conduct your ISO 27001 certification audit. Citation Group’s certification process focuses on two critical areas:

  • First, they’ll evaluate your documentation to ensure it’s in good order.
  • Second, they’ll check your controls to see if they are being followed.

You’ll then be given a list of non-conformities that should be addressed before being awarded ISO 27001 certification.

Check:

  • Have you selected a JAS-ANZ accredited certification body?
  • Is your documentation ready for Stage one review – scope, risk assessment, risk treatment plan, ISMS policies?
  • Are all controls implemented and operating effectively ahead of Stage two?
  • Is your internal audit program complete and documented?
  • Are corrective actions from internal audits resolved before the certification audit?

ISO 27001 requirements checklist: documentation you need in place

Before your certification audit, the following documented information should be in place and readily accessible for your auditor. This isn’t an exhaustive ISO 27001 requirements checklist, but these are the core items.

Clause Required documented information
4.3 ISMS scope statement.
5.2 Information security policy.
6.1.2 Risk assessment process and results.
6.1.3 Risk treatment plan.
6.1.3 Statement of Applicability (SoA) – lists all Annex A controls and justifies inclusions/exclusions.
7.2 Evidence of competence for relevant roles.
7.5 Documented information required by the standard and deemed necessary by the organisation.
8.1 Operational planning and control records.
9.1 Performance monitoring and measurement results.
9.2 Internal audit program, audit plan, and audit reports.
9.3 Management review records.
10.1 Non-conformances, corrective actions, and evidence of effectiveness.

The Statement of Applicability is one of the most important documents in any ISO 27001 audit. It must clearly explain which Annex A controls are applicable to your organisation, which have been implemented, and why any controls have been excluded. Auditors scrutinise it closely.

What your auditor will look for

When your external auditor conducts their assessment, they’re looking for objective evidence – not just that procedures exist, but that they’re working. Here’s what they pay particular attention to:

Focus area What auditors check Common issues
Risk assessment Is it current, thorough, and connected to real security risks? Outdated assessments, risks not linked to controls.
Access control Is access to sensitive data appropriately restricted and regularly reviewed? Excessive access rights, no review process.
Incident response Is there a documented process? Has it been tested? No test evidence, unclear escalation paths.
Supplier relationships Are security requirements built into supplier agreements? Missing contractual security clauses.
Internal audits Are they independent, planned, and findings acted on? Audits not covering all processes, no corrective actions.
Management review Is top management actively engaged and reviewing ISMS performance? Superficial reviews, no decisions documented.
Continual improvement Is improvement systematic and evidenced, not aspirational? Non-compliance with continual improvement requirements, corrective actions not closed out.

Gap analysis vs audit checklist: what you need and when

These two tools serve different purposes at different stages of your ISO 27001 journey.

  • A gap analysis is conducted before your ISMS is fully built. It tells you where you stand relative to the requirements of the standard and what needs to be put in place before you’re ready for certification.
  • An audit checklist is used once your ISMS is operational, either as part of your internal audit program or to prepare for an external certification audit. It assumes the system exists and checks whether it’s working as required.

If you’re unsure which applies to your business right now, the best starting point is to talk to a certification body. Citation Group conducts a gap analysis as the first step of the certification process. This gives you a clear, honest picture of where you stand before you commit to anything, including on ISO 27001 certification cost.

After the internal audit: what happens next

Completing your ISO 27001 internal audit checklist is the beginning of the process, not the end. Once the audit is done:

  • Compile your audit report: document findings, non-conformances, evidence reviewed, and scope covered.
  • Raise corrective actions: for every non-conformance, identify the root cause and define what’s needed to fix it.
  • Track to resolution: follow up on corrective actions and verify they’re effective.
  • Maintain records: your audit report, findings, and corrective action evidence must be retained as documented information.
  • Feed into management review: audit results are a mandatory input to your next management review meeting.
  • Update your audit plan: areas with recurring issues or significant security risks should be audited more frequently.

Maintaining compliance after certification

ISO 27001 certification isn’t a one-off achievement. Once certified, your organisation must demonstrate ongoing compliance through surveillance audits conducted annually, and a recertification audit at the end of your three-year cycle.

Staying on top of compliance requirements is an ongoing commitment. Ongoing compliance requires:

  • Continuing to run regular audits at planned intervals.
  • Keeping your risk assessment and risk treatment plan current as your environment and security threats evolve.
  • Ensuring ISMS policies remain documented and up to date.
  • Maintaining evidence of continually improving your ISMS – not just corrective actions, but proactive enhancements to data security.
  • Participating in annual surveillance audits with your ISO 27001 certification company.
  • Keeping threat intelligence in mind and updating controls as cyber threats change.
  • Keeping your people up to date with regular training so security standards are understood and consistently applied.

Certification made simple

Ready to implement your ISO 27001 certification checklist? Citation Group offers exclusive training and support systems to help on your certification journey and ensure maximum information protection, from your first gap analysis through to your certificate and beyond.

Get in touch with our team to find out where your organisation stands and what’s needed to get certified.

 

FAQs

What should an ISO 27001 internal audit checklist cover?

An ISO 27001 internal audit checklist should cover all key areas of the standard. This includes ISMS scope and context, information security policy, risk assessment and risk treatment, operational controls (including access control, network security, data protection, and incident response), performance evaluation, and continual improvement. It should generate clear, objective evidence that your ISMS is working as designed and genuinely improving over time.

How often should internal audits be conducted under ISO 27001?

ISO 27001 requires internal audits at planned intervals but doesn’t specify a fixed frequency. Most organisations conduct regular audits at least annually, with higher-risk processes or areas with recurring issues reviewed more often. Your audit plan should cover all ISMS processes across the certification cycle, and the plan itself must be documented.

What is a Statement of Applicability, and is it required?

Yes, the Statement of Applicability (SoA) is a mandatory document under ISO 27001. It lists every control from Annex A, states whether each is applicable or excluded, and explains why. It’s one of the first documents your external auditor will request, and it must be accurate, current, and clearly connected to your risk treatment plan.

What’s the difference between a major and minor non-conformance in an ISO 27001 audit?

A major non-conformance is a significant failure to meet a requirement of the standard – one that could compromise the integrity of your ISMS or your ability to protect information assets. A minor non-conformance is an isolated lapse that doesn’t represent a systemic failure. In a certification audit, major non-conformances must be resolved before your certificate is issued. Both should be documented in internal audits, with root cause analysis and corrective actions assigned and tracked.

Do small businesses need to implement all of the Annex A controls?

No. ISO 27001 takes a risk-based approach, which means the controls you implement should reflect the risks your organisation has identified. Your Statement of Applicability documents which Annex A controls are applicable and why any have been excluded. Small businesses with a limited risk profile and a focused ISMS scope can exclude controls that aren’t relevant. But those exclusions must be justified in the SoA.

Handshake icon

Certification made simple

Contact Citation Certification if you are ready to implement your ISO 27001 certification checklist. We offer exclusive training and support systems to help on your certification journey and ensure maximum information protection.

Take your business to the next level

This field is for validation purposes and should be left unchanged.
What are you interested in?
HR
Your data will be processed inline with our Privacy Policy.