ISO/IEC 27001 Compliance Checklist

Document the Clause 4.3 scope: in-scope locations, business units, networks, and information assets, plus explicit exclusions and the rationale. Auditors look first for scope drift since the prior cycle — new SaaS sub-processors and acquired entities are the usual gaps.

Walk every Annex A:2022 control through the SoA: applicable / not applicable, justification, implementation status, and link to evidence. Not-applicable controls require a written reason — silence on a control is a finding.

Verify the ISMS owner, risk owners per asset class, and incident commander rotation. Departures and reorgs since the last audit are the most common source of orphaned accountabilities.

Re-rate each risk on the documented likelihood/impact scale (Clause 6.1.2) and confirm the treatment decision: accept, mitigate, transfer, or avoid. Every mitigated risk needs a target date and a named owner — open mitigations past their date are the second most common finding after access-review gaps.

Sample joiners since the last audit and confirm background-check completion before access was provisioned. Contractors brought in through staffing agencies are the usual gap — the agency does the check but the evidence never lands in your HRIS.

Reconcile the inventory against MDM, the cloud asset graph (AWS Config / Wiz / Steampipe), and the SaaS catalog. Each asset needs a classification (Public / Internal / Confidential / Restricted) and an owner — unclassified assets get treated as Restricted by default.

Generate the user-access report from Okta / Entra ID and route to system owners for line-by-line attestation. SCIM-deprovisioned apps still require sign-off — the absence of an account today doesn't prove there wasn't one yesterday.

Inventory IAM users with admin policies, GitHub org owners, database superusers, and break-glass accounts. Confirm MFA, last-used dates, and that break-glass credentials remain sealed. Service accounts with long-lived keys are the usual finding.

Confirm the policy specifies approved algorithms (AES-256, RSA-2048+, TLS 1.2+), key lengths, and prohibitions (no MD5, no SHA-1, no static IVs). Annex A 8.24 expects the policy to be operationalized — not just published.

For colocation footprints, request the SOC 2 / ISO 27001 report and the visitor log from the provider. For owned offices, sample badge events for terminated employees and tailgating anomalies.

Reconcile the EDR console (CrowdStrike / SentinelOne / Defender) against the MDM device list. BYOD devices accessing corporate data through unmanaged browsers are the recurring scope-creep gap.

Pull open-finding counts by severity from Tenable / Qualys / Wiz / Snyk against the policy SLA (e.g., Critical = 7 days, High = 30 days). SLA breaches need a documented exception with a compensating control or an extended remediation date approved by the risk owner.

Diff the current security-group / VPC peering / firewall ruleset against the approved network architecture. Long-lived 0.0.0.0/0 rules and wide cross-VPC peering opened for a one-off project are the recurring offenders.

Verify the CI configuration enforces required status checks (Snyk / Semgrep / CodeQL / Dependabot) and that branch protection prevents merging on failure. Forks and bot-authored PRs are common holes in the policy.

Pull current SOC 2 Type II reports, ISO 27001 certificates, and pentest summaries for tier-1 sub-processors. Flag any whose attestation expired or who issued a qualified opinion since the last cycle.

For every sub-processor handling personal data, confirm a current DPA with Standard Contractual Clauses where applicable. New AI / LLM vendors are the usual fresh exposure — many were onboarded without legal review.

Walk a realistic scenario (ransomware on an endpoint, exposed S3 bucket, credential leak in a public repo) through the IR runbook with the on-call rotation. Capture the gaps — most teams discover their PagerDuty schedule routes to a former employee.

Restore the most recent backup of a tier-1 datastore into an isolated environment and validate row counts, application boot, and data integrity. Time the restore against the documented RTO. Backups that succeed nightly but fail to restore are the textbook Annex A 8.13 finding.

Cross-walk the SoA against current evidence in Vanta / Drata / Secureframe (or your manual register). The 2022 revision collapsed 114 controls into 93 across 4 themes — confirm any 2013-vintage mappings have been migrated.