Complete Checklist For ISO 27001 Compliance (2023)

Becoming ISO 27001 certified is a sure-fire way for startups to grow their client base, increase earnings and enforce safety and security. But, attaining your ISO 27001 certification can be complex and overwhelming.

It requires attention to detail and thorough, systematic processes. That’s why an ISO 27001 compliance checklist is just the thing you need to simplify the certification process.

How to comply with ISO 27001

“ISO standards are internationally agreed by experts. Think of them as a formula that describes the best way of doing something.” That’s according to ISO themselves. 

To comply with ISO standards, you need to follow a formula that will ensure that you have all your safety and security protocols in place and that your employees are aware of them. 

The process starts with a clear understanding of your Information Security Management System (ISMS). 

We’ve provided a comprehensive ISO 27001 checklist that you can use to make sure you’ve got all your bases covered, as well as a sneak peek of some of the content from our Wiki (the guidebook that supports our online tool, Compleye Online).

Complete checklist for ISO 27001 compliance

1. Define your ISO 27001 strategy and ambitions

To do #1 – Organisation & Context 

Organisation and Context is a mandatory topic. A good way to gather content for it is to describe each of your products, capturing for every product:

  • High level description
  • Type of customers 
  • Third parties involved. 

This will lead you to ask:

  • What is the compliance challenge?
  • What are the security requirements? 

If you can answer (and document) these questions, you are complying with ISO 27001.

To do #2 – ISMS Objectives

You’ll need to define, implement and review (on at least an annual basis) your ISMS objectives. In their article Information Security Objectives in ISO 27001, ISO27001guide.com says that “information security objectives in ISO 27001 allow organisations to set their requirements from the outset and to continuously monitor to ensure they are achieving them.”

2. Determine legal & compliance requirements

To do #1 – Interested Parties & Legal Requirements

Here, you’ll dive into legal requirements that you’ll need to fulfil for your third parties and define the expectations on both sides. The external auditor will expect that you’ve documented how you’ve established this process.

[Image: internal and external interested parties. Examples of interested parties (https://www.iso9001help.co.uk/)]

To do #2 – Intellectual Property

Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. Typical IP for tech companies could be your source code, AI models, certain databases or a method of working. In brief, IP is anything you want to keep secret from your customers and competitors and that needs to be protected when your team is using it.

To do #3 – Contracts 

Make sure you have 1 folder with all your contracts so that you have a good overview – and use different folders within that folder for different types of contracts (or stakeholders). Limit the access to these contracts within your organisation. The external auditor can ask to view 1 or 2 contracts (samples) during the audit. 

To do #4 – Global Impact

Entering new markets will need some research on privacy and security requirements. Personal data privacy regulations need to be taken into consideration when contracting or expanding outside of the GDPR geographical area. Additional requirements for your ISMS can be ruled by:

  • Customers 
  • Laws 

To do #5 – GDPR

If you’re a company based in – or performing business in – Europe, you need to comply with GDPR. As you prepare for certification, you’ll need to:

  • Define on what legal basis you are collecting data.
  • Give an overview of all documentation for users.
  • Have a register to keep track of end-users’ requests, e.g. data deletion.
  • Create an overview of all data breaches.
  • Have an overview of all Data Process Agreements.

3. Define scope

To do #1 – Define IT Infrastructure Components

ISO 27001 requests a scope for your ISMS, so you’ll need to define what you’ll take in scope. Defining the components of your IT Infrastructure will help you to define your scope. 

To do #2 – Define ISMS Scope

Check out Compleye’s article, ‘How to Write an ISO 27001 Scope Statement (+3 Examples)’.

4. Chart all risks and opportunities

To do #1 – Suppliers Overview

When implementing a set of controls and processes to address suppliers’ risks, the following could be considered:

  • Executing contractual agreements with each supplier. 
  • Maintaining a current and easily accessible list of suppliers.
  • Formulating a Supplier Management Policy and Procedures document.
  • Implementing suppliers change management processes and controls.
  • Ensuring that suppliers meet the contractual information security requirements. 
  • Determining and adequately documenting, if applicable, whether suppliers have access to your IT infrastructure. 
  • Determining and adequately documenting, if applicable, whether suppliers may be involved in security procedures.
  • Performing the relevant Supplier Risk Security Assessment.

To do #2 – Suppliers Assessment

Supplier Assessment is a very important topic in ISO 27001, especially for technology companies because they make use of so many suppliers. You’ll need to be in control of your suppliers: assess the high-risk suppliers on a yearly basis on a number of topics. The supplier owner (the person responsible for that supplier relationship) will need to review the supplier’s basic information and contracts.

To do #3 – Vendor Assessment

Follow these steps:

  • Review existing vendors.
  • Assign each vendor a security rating.
  • Respond to security risks and define vendor performance metrics.
  • Continuously monitor your vendors.

To do #4 – Data Classification

In the context of information security, data classification is based on the data’s level of confidentiality and the impact on the organisation should that data be disclosed, altered or destroyed without authorisation. Consider the following questions when classifying your information:

  • What stakeholder data does your organisation collect?
  • What data do you create as part of daily operations?
  • What data, if lost, would have a particular impact on your organisation?
  • What data would be classified as confidential?
  • What data qualifies as personal data?
  • Who is responsible for the integrity and accuracy of the data?
  • Who can and should access the data?

To do #5 – Business Continuity Plan

At Compleye, we advise that you perform the BCP before internal audit and management review as this assessment will probably result in the last improvements you need to have in place to be ready for certification. Alternatively, perform the BCP twice: first, when you start implementing your ISMS and second, before your external audit. 

To do #6 – ISRA

The Information Security Risk Assessment (ISRA) is the most important risk assessment in the ISMS and must be performed with your ISMS team. You’ll need to perform an ISRA on a yearly basis using the same method every year so that you can compare outcomes and results.

To do #7 – DRP & PEN Tests

Here’s a quick exercise for defining your DRP (disaster recovery plan) for a crisis or disaster:

Define what you (for your business) consider: 

  • An event 
  • An incident
  • A disaster / crisis

When it comes to pentesting, Breachlock says it best with this great infographic:

To do #8 – GDPR Assessment

GDPR risks and opportunities abound. Three of each can be explored in this comprehensive Comforte article: “Three Risks and Opportunities of GDPR”.

Compleye Online provides a 22-question GDPR Assessment template. 

To do #9 – Data Privacy Impact Assessment

A DPIA might be needed if you have multiple products: perform a DPIA per product (or service). If you work with different types of projects (eg Proof of Concept) you will also need to perform a new DPIA per project. When performing business with e.g. governmental organisations, it is likely that they will ask you to share a copy of your DPIA.

5. Decide on security policies & procedures

To do #1 – Security Policies & Procedures

Before you can add records, you will need to adopt Policies & Procedures. One of the ISO 27001 mandatory policies is the Security Policy – describing the intentions and ambition (objectives) you have defined for your ISMS. 

To do #2 – Templates

There are numerous mandatory policies and procedures that need to be implemented in your ISMS. Creating this documentation can be time consuming and you might not be sure that you’ve covered all the necessary items. Using templates such as those supplied by an online tool like Compleye Online will provide the guidance that you need to meet the requirements to achieve certification. 

To do #3 – Checklists

Your ISMS needs continuous improvement and maintenance. 

Creating checklists is a lean way of keeping track of activities and steps when following improvement and maintenance procedures. 

6. Set up a system for measures and controls

To do #1 – Security Metrics

Security Metrics are ‘KPIs’ defined to check if the information security management system is working effectively. 

You will need to:

  • Define what an incident is;
  • Keep track of your incidents;
  • Address incidents with corrective actions;
  • Dive into the root cause to define how you will prevent it in future.
  • Keep track of your service levels.

To do #2 – Asset Management

Hardware assets that carry information, servers and data are all assets. To manage these you need to keep track of all of your assets and know what assets are being used and whether they are company-owned. You also need to keep track of changes and the movement of assets.

To do #3 – Controls

Annex A consists of 114 controls. You’ll need to adopt, implement and maintain controls.  There are 2 ways that you can define and implement controls: 

  • Take the ISO 27001 Annex A list and define all the controls at the beginning;  
  • Gradually define controls as you work towards certification and adopt policies/procedures or perform assessments. Check that all Annex A controls are in place at the end.  

To do #4 – Access Management

Access Management in general is an important topic for your ISMS. Not being in control of software access can easily cause incidents that turn into data breaches.
You will need an Access Management Policy and must be in control of the different types of access:

  • Access to the office location 
  • Access to Hardware 
  • Access to Software 
  • Access to Documentation Storage 
  • Access to Data Overall 

7. Implement operational checkpoints and follow-ups

To do #1 – Security Meetings

During Security Meetings with your ISMS team, you can make decisions on all topics related to your ISMS. You will need to assign a security meeting owner, document changes, check controls and evaluate improvements.

To do #2 – Calls to action for follow-ups

Security meetings are a mandatory part of the operational ISMS where the team gets to align, perform periodic checks, work collaboratively on tasks, planning, etc. All follow up tasks required from the ISMS team are defined with Calls to Action following the security meeting. 

8. Take care of roles, responsibilities, leadership and management

To do #1 – Assign ISMS Roles

ISO 27001 requires that you have an ISMS team for set up, implementation and maintenance. You must also have an overview of all team members so security and privacy can be created around people and processes.

To do #2 – Assign Mandatory Security Roles

We advise that you start by assigning a minimum of 2 team members responsible for your ISMS.  Always ensure that there is knowledge of technology and business within your ISMS.  

Also assign a Security Officer (SO), Privacy Officer (PO) and Compliance officer (CO).  

To do #3 – Office Security

If you have an office, you’re responsible for the physical security of your office and for keeping track of who’ll have access to the office (by key/card/code).

To do #4 – New Hires and Contracts

If you hire people, ISO 27001 expects that you’re in control of the number of team members, their job titles and who will lead/mentor each person.  You’ll need to be in control of your labour contracts. If you’re in the scaling phase, it’s handy to have expiry dates etc. in one place.  

To do #5 – Training

You will need to:

  • Demonstrate how you support development of competencies of your (ISMS) Team members.
  • Organise annual security awareness training. 
  • Prove what was on the agenda and who attended the training. 
  • Perform training evaluation.

To do #6 – HR & Organisation

ISO specific HR/Organisation requirements include:

Chapter 5: Top Management Responsibilities

  • Demonstrate leadership and commitment 
  • Establish the Security Policy
  • Establish and communicate responsibilities and authorities for ISMS roles

Chapter 7: Resources – Determine and provide the resources needed for the ISMS implementation, maintenance & continuous improvement.

  • Focus on the Competencies needed to perform the job
  • All ISMS team members should acknowledge their responsibilities as well as their contribution towards an effective ISMS
  • Determine What, When, and How to communicate the ISMS priorities both internally and externally
  • Determine and maintain what needs to be documented (in compliance with this standard).

9. Prepare for the actual ISO 27001 certification

To do #1 – Internal Audit

The goal of the internal audit is to make sure that your ISMS conforms to your organisation’s own requirements (information security policy, procedures, security objectives, etc.) as well as to the requirements in ISO 27001, and to evaluate whether the ISMS is effectively implemented and maintained. Check out our ‘It’s Internal Audit Time’ article to learn more.

To do #2 – Management Review

A management review is performed on an annual basis and you will need to assign a person who is responsible for the review. The process, although complex, can be distilled into three steps:

  • MT/CEO meeting is planned to discuss all topics and suggestions for improvement.
  • MT/CEO defines and accepts final improvements.
  • MT/CEO finalises and approves the management review report to be shown as evidence during external audit.

To do #3 – Documentation

Next to the mandatory policies, procedures and records, there are 4 Mandatory Documents that need to be available and ready for the external audit certification: 

  • Management Review
  • Internal Audit Report
  • Scope of ISMS 
  • Statement of Applicability

To do #4 – Statement of Applicability

The SoA is a summary of your organisation’s implementation status on each of the 114 controls of Annex A of ISO 27001 and must define which controls are identified by your organisation to tackle the risks involved in the business. This can be done by conducting an ISO 27001 gap analysis and risk assessment.

10. Organise real-time ISO 27001 certification audit 

To do #1 – Accredited Lead Auditor

Once you’re ready for audit, assign an accredited lead auditor. Lead auditors have been through extensive training, so you’re in good hands.


To do #2 – Plan to Maintain Certification

Once an organisation achieves ISO 27001 certification, it’s important to maintain the Information Security Management System (ISMS) on an ongoing basis to ensure it remains effective, relevant, and aligned with the organisation’s objectives. This is where the Compleye ISO 27001 maintenance package comes in. 

You’re ready to start ticking off your Complete Checklist For ISO 27001 Compliance (2023)

Learn more about how Compleye can help you with your ISO 27001 compliance.

Chat to one of our super sales people and start ticking off your complete checklist for ISO 27001 compliance.
