‘Wellness Washing’ is the new in-term. But what is it?
Most of the time, wellness washing isn’t intentional – it’s a mismatch between good intent...
If you’re preparing for ISO 27001 certification, the process only works if you’re genuinely ready before your external auditor arrives. For any Australian business handling sensitive data, ISO 27001 is one of the clearest ways to show your information security management is built on solid ground.
This ISO 27001 audit checklist covers everything your team needs to check as part of your information security management system (ISMS). Whether you’re working through the ISO 27001 prerequisites before implementation, running a regular internal audit, or preparing for your certification audit, this guide gives you a clear, step-by-step framework to follow.
An ISO 27001 audit checklist is a structured tool that maps the requirements of the standard to a series of checkpoint questions. Sometimes called simply an ISO 27001 checklist, it’s used by internal teams to assess whether their ISMS is designed correctly and operating effectively. It’s also used by businesses preparing for external certification audits to check their readiness before the auditor arrives.
The standard is built around a risk-based approach to managing sensitive data. That means the checklist isn’t just asking ‘does this exist?’ It’s asking whether what exists is working, documented, reviewed, and genuinely improving your security posture over time.
Used well, an ISO 27001 audit checklist helps your organisation:
Before working through the ISO 27001 audit checklist, your organisation should have the foundational elements of your ISMS in place. Strictly speaking, these aren’t formal requirements of the standard itself, but without them, your audit will quickly surface gaps.
If any of these aren’t in place, your audit will surface it quickly, so it’s worth getting them sorted first. Working through an ISO 27001 gap analysis is the most efficient way to find out where you stand before you commit to the ISO 27001 implementation process.
Both rely on an audit checklist, but they serve different purposes and sit at different points in the ISO 27001 process.
Your internal audit is run by your own team, or a qualified independent auditor, on a planned basis. It checks that your ISMS is working as designed, surfaces improvement opportunities, and generates the evidence your external auditor will review. Conducting regular audits is a requirement of the standard, not an optional extra.
Your certification audit is run by an accredited certification body, like Citation Group, which independently verifies that your ISMS meets the requirements of ISO 27001. Surveillance audits then follow annually throughout your three-year certification cycle.
Are you looking to streamline your ISO 27001 certification process? Here’s a comprehensive seven-step ISO 27001 checklist designed to guide you through each phase, ensuring your organisation meets the highest standards of information security management.
First, assemble an implementation team and assign specific roles to each member. Appoint a team leader to manage the implementation of the information security management system. This should be someone who is highly knowledgeable in information security matters and able to lead a team and collaborate with managers.
Check:
Clear accountability is what makes your ISMS stick. It’s one of the first things an auditor checks.
The second step involves planning for the implementation of the ISMS. The project manager leads the implementation team to define the information security objectives and create a risk register, as well as an ISMS plan that covers:
Check:
This step involves defining the ISMS framework to gain a broader understanding of how the standard works. Create standards, policies, procedures, and guidelines that align with your information security system. The ISMS scope must be correctly defined. Too small and you leave gaps, too complex and it becomes unmanageable.
Check:
The sole concept behind an ISMS is risk management. Most aspects of your ISMS are based on the risks and vulnerabilities you’ve detected, making risk management a key factor for any organisation seeking ISO 27001 compliance. Implementing this standard helps define your risk management processes, which technically involve five steps:
Check:
Your risk assessment and risk treatment plan are two of the most closely scrutinised documents in any ISO 27001 audit. They need to be thorough, current, and clearly connected to the controls you’ve implemented.
Once you’ve developed a working risk management process, implement a risk management plan to ensure potential risks are kept at bay. This means developing and implementing appropriate security controls to mitigate the risks you’ve identified, both technical and organisational.
Check:
ISO 27001 requires organisations to conduct internal audits at planned intervals. Conducting an internal audit is essential. It helps prepare your organisation for the official audit and is an excellent way to test whether your controls are working appropriately. An internal audit can be conducted by an independent external auditor or an internal team that was not involved in documenting and setting up the ISMS.
Check:
When you’re ready for the official audit, not all certification bodies are equal, and who you choose matters. Once you choose a suitable certification body, such as Citation Group, they’ll conduct your ISO 27001 certification audit. Citation Group’s certification process focuses on two critical areas:
You’ll then be given a list of non-conformities that should be addressed before being awarded ISO 27001 certification.
Check:
Before your certification audit, the following documented information should be in place and readily accessible for your auditor. This isn’t an exhaustive ISO 27001 requirements checklist, but these are the core items.
| Clause | Required documented information |
|---|---|
| 4.3 | ISMS scope statement. |
| 5.2 | Information security policy. |
| 6.1.2 | Risk assessment process and results. |
| 6.1.3 | Risk treatment plan. |
| 6.1.3 | Statement of Applicability (SoA) – lists all Annex A controls and justifies inclusions/exclusions. |
| 7.2 | Evidence of competence for relevant roles. |
| 7.5 | Documented information required by the standard and deemed necessary by the organisation. |
| 8.1 | Operational planning and control records. |
| 9.1 | Performance monitoring and measurement results. |
| 9.2 | Internal audit program, audit plan, and audit reports. |
| 9.3 | Management review records. |
| 10.1 | Non-conformances, corrective actions, and evidence of effectiveness. |
The Statement of Applicability is one of the most important documents in any ISO 27001 audit. It must clearly explain which Annex A controls are applicable to your organisation, which have been implemented, and why any controls have been excluded. Auditors scrutinise it closely.
When your external auditor conducts their assessment, they’re looking for objective evidence – not just that procedures exist, but that they’re working. Here’s what they pay particular attention to:
| Focus area | What auditors check | Common issues |
|---|---|---|
| Risk assessment | Is it current, thorough, and connected to real security risks? | Outdated assessments, risks not linked to controls. |
| Access control | Is access to sensitive data appropriately restricted and regularly reviewed? | Excessive access rights, no review process. |
| Incident response | Is there a documented process? Has it been tested? | No test evidence, unclear escalation paths. |
| Supplier relationships | Are security requirements built into supplier agreements? | Missing contractual security clauses. |
| Internal audits | Are they independent, planned, and findings acted on? | Audits not covering all processes, no corrective actions. |
| Management review | Is top management actively engaged and reviewing ISMS performance? | Superficial reviews, no decisions documented. |
| Continual improvement | Is improvement systematic and evidenced, not aspirational? | Non-compliance with continual improvement requirements, corrective actions not closed out. |
These two tools serve different purposes at different stages of your ISO 27001 journey.
If you’re unsure which applies to your business right now, the best starting point is to talk to a certification body. Citation Group conducts a gap analysis as the first step of the certification process. This gives you a clear, honest picture of where you stand before you commit to anything, including on ISO 27001 certification cost.
Completing your ISO 27001 internal audit checklist is the beginning of the process, not the end. Once the audit is done:
ISO 27001 certification isn’t a one-off achievement. Once certified, your organisation must demonstrate ongoing compliance through surveillance audits conducted annually, and a recertification audit at the end of your three-year cycle.
Staying on top of compliance requirements is an ongoing commitment. Ongoing compliance requires:
Ready to implement your ISO 27001 certification checklist? Citation Group offers exclusive training and support systems to help on your certification journey and ensure maximum information protection, from your first gap analysis through to your certificate and beyond.
Get in touch with our team to find out where your organisation stands and what’s needed to get certified.
An ISO 27001 internal audit checklist should cover all key areas of the standard. This includes ISMS scope and context, information security policy, risk assessment and risk treatment, operational controls (including access control, network security, data protection, and incident response), performance evaluation, and continual improvement. It should generate clear, objective evidence that your ISMS is working as designed and genuinely improving over time.
ISO 27001 requires internal audits at planned intervals but doesn’t specify a fixed frequency. Most organisations conduct regular audits at least annually, with higher-risk processes or areas with recurring issues reviewed more often. Your audit plan should cover all ISMS processes across the certification cycle, and the plan itself must be documented.
Yes, the Statement of Applicability (SoA) is a mandatory document under ISO 27001. It lists every control from Annex A, states whether each is applicable or excluded, and explains why. It’s one of the first documents your external auditor will request, and it must be accurate, current, and clearly connected to your risk treatment plan.
A major non-conformance is a significant failure to meet a requirement of the standard – one that could compromise the integrity of your ISMS or your ability to protect information assets. A minor non-conformance is an isolated lapse that doesn’t represent a systemic failure. In a certification audit, major non-conformances must be resolved before your certificate is issued. Both should be documented in internal audits, with root cause analysis and corrective actions assigned and tracked.
No. ISO 27001 takes a risk-based approach, which means the controls you implement should reflect the risks your organisation has identified. Your Statement of Applicability documents which Annex A controls are applicable and why any have been excluded. Small businesses with a limited risk profile and a focused ISMS scope can exclude controls that aren’t relevant. But those exclusions must be justified in the SoA.