ISO/IEC 27001 Compliance Checklist

ISMS Scope and Policy Foundation

    Document the Clause 4.3 scope: in-scope locations, business units, networks, and information assets, plus explicit exclusions and the rationale. Auditors look first for scope drift since the prior cycle — new SaaS sub-processors and acquired entities are the usual gaps.

    Walk every Annex A:2022 control through the SoA: applicable / not applicable, justification, implementation status, and link to evidence. Not-applicable controls require a written reason — silence on a control is a finding.

    Push the current policy set to the LMS or HRIS and capture timestamped acknowledgments from every employee and contractor in scope. Track non-acknowledgments — auditors sample this list and a 90%+ rate is the typical bar.

Leadership and Risk Management

    Verify the ISMS owner, risk owners per asset class, and incident commander rotation. Departures and reorgs since the last audit are the most common source of orphaned accountabilities.

    Re-rate each risk on the documented likelihood/impact scale (Clause 6.1.2) and confirm the treatment decision: accept, mitigate, transfer, or avoid. Every mitigated risk needs a target date and a named owner — open mitigations past their date are the second most common finding after access-review gaps.

    Cover the Clause 9.3 inputs: prior actions, policy changes, audit results, KPIs, risk register changes, and improvement opportunities. Capture decisions and resource commitments in minutes signed by the executive sponsor.

Human Resource Security

    Sample joiners since the last audit and confirm background-check completion before access was provisioned. Contractors brought in through staffing agencies are the usual gap — the agency does the check but the evidence never lands in your HRIS.

    Pull the LMS report for the awareness module and any role-specific training (developer secure-coding, admin privileged access). Auditors expect ≥95% completion within 30 days of hire and annually thereafter.

Asset Management

    Reconcile the inventory against MDM, the cloud asset graph (AWS Config / Wiz / Steampipe), and the SaaS catalog. Each asset needs a classification (Public / Internal / Confidential / Restricted) and an owner — unclassified assets get treated as Restricted by default.

    Pull a sample of Confidential and Restricted assets and confirm encryption at rest, access controls, retention, and disposal match the handling matrix. Shared cloud storage buckets are the recurring offender.

Access Control

    Generate the user-access report from Okta / Entra ID and route to system owners for line-by-line attestation. SCIM-deprovisioned apps still require sign-off — the absence of an account today doesn't prove there wasn't one yesterday.

    Inventory IAM users with admin policies, GitHub org owners, database superusers, and break-glass accounts. Confirm MFA, last-used dates, and that break-glass credentials remain sealed. Service accounts with long-lived keys are the usual finding.
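
One way to run the MFA / last-used / key-age checks over an IAM credential report, as an added example (not Manifestly's or AWS's code); the report rows, the privileged-user list, the break-glass set and the 90-day limits are constructed or assumed here:

```python
"""Review an IAM credential report (CSV from `aws iam generate-credential-report`)
for the privileged-account conditions above. Added example, not Manifestly's or
AWS's code; the rows, privileged user list and 90-day limits are constructed/assumed."""
import csv, io
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)    # assumed review date
MAX_KEY_AGE = timedelta(days=90)                       # assumed policy limits
MAX_IDLE = timedelta(days=90)
PRIVILEGED = {"alice", "svc-deploy", "breakglass-1"}   # constructed: users with admin policies
BREAK_GLASS = {"breakglass-1"}

# Constructed rows using a subset of the real credential-report column names.
REPORT_CSV = """user,mfa_active,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,true,2024-05-30T08:00:00+00:00,false,N/A,N/A
svc-deploy,false,false,not_supported,true,2023-11-01T00:00:00+00:00,2024-05-31T00:00:00+00:00
breakglass-1,true,true,2024-05-20T03:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """The report mixes ISO timestamps with N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def review(report_csv, privileged=PRIVILEGED, break_glass=BREAK_GLASS, as_of=AS_OF):
    """Return {user: [findings]} for the privileged users in the report."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in privileged:
            continue
        issues = []
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        if row["access_key_1_active"] == "true":
            rotated = parse_ts(row["access_key_1_last_rotated"])
            if rotated is None or as_of - rotated > MAX_KEY_AGE:
                issues.append("long-lived access key")
            used = parse_ts(row["access_key_1_last_used_date"])
            if used is None or as_of - used > MAX_IDLE:
                issues.append("access key idle past limit")
        # A sealed break-glass account should show no password use at all.
        if user in break_glass and parse_ts(row["password_last_used"]) is not None:
            issues.append("break-glass credential used; confirm incident record and reseal")
        if issues:
            findings[user] = issues
    return findings
```

Calling `review(REPORT_CSV)` flags the service account's 200-day-old key and the break-glass login; the MFA-protected human account with no keys is clean.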

    Disable any orphaned accounts the review surfaces, rotate any associated credentials, and capture the access-log review for the period of orphaning. File a corrective action ticket linked to the access-review run; auditors will follow the trail to closure.

Cryptography

    Confirm the policy specifies approved algorithms (AES-256, RSA-2048+, TLS 1.2+), key lengths, and prohibitions (no MD5, no SHA-1, no static IVs). Annex A 8.24 expects the policy to be operationalized — not just published.

    Pull the AWS KMS / GCP KMS / Vault rotation history and confirm CMKs rotated within the policy window (typically annual for envelope keys, 90 days for signing keys). Spot-check CloudTrail for unexpected Decrypt calls outside service principals.
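
The CloudTrail spot-check above, as an added example (not Manifestly's or AWS's code): it reads a CloudTrail log file and lists every `Decrypt` whose caller is not one of the allow-listed service roles. The records, account id and role names are constructed.

```python
"""Spot-check a CloudTrail log file for kms:Decrypt calls made by principals other
than the allow-listed service roles. Added example, not Manifestly's or AWS's code;
the records and the allow-list are constructed for illustration."""
import json

# Constructed: role ARNs (session suffix stripped) expected to call Decrypt.
ALLOWED_ROLE_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/app-server-role",
    "arn:aws:sts::111122223333:assumed-role/backup-role",
}

# Constructed CloudTrail file, trimmed to the fields the check reads.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-server-role/i-0abc123"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T23:14:00Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "eventTime": "2024-05-01T02:00:00Z", "sourceIPAddress": "10.0.2.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/backup-role/nightly"}},
]})

def caller_role(identity):
    """Reduce an assumed-role session ARN to its role ARN; IAM users and root
    are returned unchanged, since they are never service principals."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole" and "/" in arn:
        return arn.rsplit("/", 1)[0]
    return arn

def unexpected_decrypts(log_text, allowed=ALLOWED_ROLE_ARNS):
    """Return (eventTime, caller ARN, source IP) for each Decrypt whose caller
    is not an allow-listed service role."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        identity = rec.get("userIdentity", {})
        if caller_role(identity) not in allowed:
            findings.append((rec["eventTime"], identity.get("arn"), rec.get("sourceIPAddress")))
    return findings
```

`unexpected_decrypts(SAMPLE_LOG)` returns only the late-night IAM-user call; the application role's Decrypt and the backup role's GenerateDataKey are ignored.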

Physical and Environmental Security

    For colocation footprints, request the SOC 2 / ISO 27001 report and the visitor log from the provider. For owned offices, sample badge events for terminated employees and tailgating anomalies.

    Match the asset disposal log to certificates of destruction from the shredding vendor. Laptops returning from remote employees need wipe attestation tied to the asset tag — a missing certificate per device is a per-device finding.

Operations Security

    Reconcile the EDR console (CrowdStrike / SentinelOne / Defender) against the MDM device list. BYOD devices accessing corporate data through unmanaged browsers are the recurring scope-creep gap.

    Pull open-finding counts by severity from Tenable / Qualys / Wiz / Snyk against the policy SLA (e.g., Critical = 7 days, High = 30 days). SLA breaches need a documented exception with a compensating control or an extended remediation date approved by the risk owner.

    Pull the deploy log from the CD system and reconcile to Jira / Linear change tickets with approval evidence. Emergency changes need a backfilled ticket within the policy window — typically 24-48 hours.
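
The deploy-to-ticket reconciliation above, as an added example (not Manifestly's code): standard deploys must have a ticket approved before they shipped, emergency deploys may have a ticket created afterwards but only within the policy window. The deploy log, ticket export and the 48-hour window are constructed or assumed.

```python
"""Reconcile CD deploy events against change tickets: a standard deploy needs a
ticket approved before it shipped; an emergency deploy needs a ticket backfilled
within the policy window. Added example, not Manifestly's code; the deploy log,
ticket export and 48-hour window are constructed/assumed."""
from datetime import datetime, timedelta

BACKFILL_WINDOW = timedelta(hours=48)   # assumed emergency-change policy window

def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Constructed CD deploy log (one dict per deploy).
DEPLOYS = [
    {"id": "d-101", "service": "api", "at": "2024-05-06T09:00:00Z", "ticket": "CHG-41", "emergency": False},
    {"id": "d-102", "service": "web", "at": "2024-05-06T11:30:00Z", "ticket": None, "emergency": False},
    {"id": "d-103", "service": "api", "at": "2024-05-07T02:15:00Z", "ticket": "CHG-44", "emergency": True},
    {"id": "d-104", "service": "db", "at": "2024-05-07T04:00:00Z", "ticket": "CHG-45", "emergency": True},
    {"id": "d-105", "service": "web", "at": "2024-05-08T10:00:00Z", "ticket": "CHG-46", "emergency": False},
]

# Constructed ticket export from the change-management tool, keyed by ticket id.
TICKETS = {
    "CHG-41": {"created_at": "2024-05-05T10:00:00Z", "approved_by": "j.doe", "approved_at": "2024-05-05T16:00:00Z"},
    "CHG-44": {"created_at": "2024-05-07T09:00:00Z", "approved_by": "m.ops", "approved_at": "2024-05-07T12:00:00Z"},
    "CHG-45": {"created_at": "2024-05-10T08:00:00Z", "approved_by": "m.ops", "approved_at": "2024-05-10T09:00:00Z"},
    "CHG-46": {"created_at": "2024-05-08T09:00:00Z", "approved_by": None, "approved_at": None},
}

def reconcile(deploys, tickets, window=BACKFILL_WINDOW):
    """Return {deploy id: finding} for every deploy lacking valid change evidence."""
    findings = {}
    for d in deploys:
        t = tickets.get(d["ticket"]) if d["ticket"] else None
        if t is None:
            findings[d["id"]] = "no change ticket"
        elif not t["approved_by"]:
            findings[d["id"]] = "ticket not approved"
        elif d["emergency"]:
            # Emergency change: the ticket may post-date the deploy, but only within the window.
            if ts(t["created_at"]) - ts(d["at"]) > window:
                findings[d["id"]] = "emergency ticket backfilled late"
        elif ts(t["approved_at"]) > ts(d["at"]):
            # Standard change: approval must precede the deploy.
            findings[d["id"]] = "deployed before approval"
    return findings

if __name__ == "__main__":
    for deploy_id, finding in reconcile(DEPLOYS, TICKETS).items():
        print(deploy_id, finding)
```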

Communications Security

    Diff the current security-group / VPC peering / firewall ruleset against the approved network architecture. Long-lived 0.0.0.0/0 rules and wide cross-VPC peering opened for a one-off project are the recurring offenders.
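
The ruleset diff above, as an added example (not Manifestly's or AWS's code): it flattens `aws ec2 describe-security-groups` output into rule tuples, diffs them against the approved baseline, and separately flags any added rule open to 0.0.0.0/0 or ::/0. The baseline, group names and describe output are constructed.

```python
"""Diff live security-group rules against the approved baseline and flag
unapproved world-open ingress (0.0.0.0/0 or ::/0). Added example, not
Manifestly's or AWS's code; the baseline and the describe output are constructed."""
import ipaddress

# Approved architecture as (group, direction, protocol, from_port, to_port, cidr).
APPROVED = {
    ("sg-web", "ingress", "tcp", 443, 443, "0.0.0.0/0"),      # public HTTPS
    ("sg-web", "ingress", "tcp", 22, 22, "10.10.0.0/16"),     # SSH from bastion subnet
    ("sg-db", "ingress", "tcp", 5432, 5432, "10.20.0.0/24"),  # Postgres from app subnet
}

# Constructed, in the shape of `aws ec2 describe-security-groups` output.
LIVE_DESCRIBE = {"SecurityGroups": [
    {"GroupName": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}, {"CidrIp": "172.16.0.0/12"}]}]},
]}

def flatten(describe_output):
    """Flatten describe-security-groups JSON into ingress rule tuples."""
    rules = set()
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                rules.add((sg["GroupName"], "ingress", perm["IpProtocol"],
                           perm.get("FromPort", -1), perm.get("ToPort", -1), cidr))
    return rules

def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def diff_rulesets(approved, live):
    """Return rules added, rules removed, and added rules open to the world."""
    added, removed = sorted(live - approved), sorted(approved - live)
    world_open = [r for r in added if is_unrestricted(r[5])]
    return {"added": added, "removed": removed, "unapproved_world_open": world_open}

if __name__ == "__main__":
    for key, rules in diff_rulesets(APPROVED, flatten(LIVE_DESCRIBE)).items():
        print(key, rules)
```

The approved 443/0.0.0.0/0 rule is not flagged; only the SSH rule that drifted from the bastion subnet to the world and the one-off 172.16.0.0/12 peering range show up as drift.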

    Cross-reference cross-border data flows against the GDPR Article 46 mechanisms in place (SCCs, BCRs). Confirm DLP policy exceptions still have business justification and an owner.

Secure Development and System Acquisition

    Verify the CI configuration enforces required status checks (Snyk / Semgrep / CodeQL / Dependabot) and that branch protection prevents merging on failure. Forks and bot-authored PRs are common holes in the policy.

    Confirm staging and dev databases use masked or synthetic data — production snapshots restored to dev for debugging are the classic Annex A 8.33 gap. Document the masking pipeline and the last successful run.

Supplier Relationships

    Pull current SOC 2 Type II reports, ISO 27001 certificates, and pentest summaries for tier-1 sub-processors. Flag any whose attestation expired or who issued a qualified opinion since the last cycle.

    For every sub-processor handling personal data, confirm a current DPA with Standard Contractual Clauses where applicable. New AI / LLM vendors are the usual fresh exposure — many were onboarded without legal review.

    For each High-rated vendor, document the proposed treatment: compensating controls, contractual remediation, replacement, or formal acceptance signed by the risk owner. Acceptance memos go into the audit binder.

Incident Management

    Walk a realistic scenario (ransomware on an endpoint, exposed S3 bucket, credential leak in a public repo) through the IR runbook with the on-call rotation. Capture the gaps — most teams discover their PagerDuty schedule routes to a former employee.

    Confirm legal and DPO contacts, the supervisory authority list, and customer-notification templates are current. GDPR Article 33 starts the 72-hour clock at awareness — the runbook needs to define what 'awareness' means operationally.

Business Continuity

    Restore the most recent backup of a tier-1 datastore into an isolated environment and validate row counts, application boot, and data integrity. Time the restore against the documented RTO. Backups that succeed nightly but fail to restore are the textbook Annex A 8.13 finding.

    Re-confirm RTO and RPO targets with service owners and reconcile against the current architecture. Multi-region failover that was documented but never tested is a recurring contributing factor in real outages.

Compliance and Internal Audit

    Cross-walk the SoA against current evidence in Vanta / Drata / Secureframe (or your manual register). The 2022 revision collapsed 114 controls into 93 across 4 themes — confirm any 2013-vintage mappings have been migrated.

    The internal audit (Clause 9.2) must be independent of the controls being audited — bring in a second-line reviewer or external assessor. Capture findings in the corrective-action register with owner, due date, and root-cause analysis before the certification body arrives.
