ISO 27001 Checklist: Controls, Clauses, and What Auditors Actually Check
An ISO 27001 checklist needs to cover two layers — the management system clauses (4 through 10) and the Annex A control set. Most internet lists cover one or the other. This one walks both, then calls out what a certification body auditor actually asks to see in Stage 1 and Stage 2. Use it to plan the program and to verify readiness.
For context on whether to run ISO 27001 at all, see ISO 27001 for startups.
The Two Halves of ISO 27001
ISO/IEC 27001:2022 is split into two operative parts:
- Clauses 4–10 — the Information Security Management System (ISMS) requirements. How the program is structured, governed, and improved. This half is the management system itself.
- Annex A — the 93 controls across 4 themes (organizational, people, physical, technological). The technical and procedural safeguards you implement to treat identified risks.
A Statement of Applicability (SoA) links the two — it names every Annex A control, states whether you include it in scope, and justifies each inclusion or exclusion. The SoA is the single most-scrutinized document in a Stage 1 audit.
The authoritative reference: ISO/IEC 27001:2022.
Clauses 4–10 — The ISMS Checklist
Clause 4 — Context of the Organization
- Documented understanding of internal and external issues that affect the ISMS
- Identified interested parties (customers, regulators, staff) and their requirements
- Defined ISMS scope — what systems, locations, people are included
Common gap: Scope defined verbally but never written into a document the auditor can sample.
Clause 5 — Leadership
- Information security policy approved by top management
- Defined roles, responsibilities, and authorities
- Leadership commitment documented — not implied
Common gap: Policy drafted by the security lead, never signed or acknowledged by the CEO.
Clause 6 — Planning
- Risk assessment methodology documented and repeatable
- Risk assessment executed and results recorded
- Risk treatment plan covering each identified risk
- Statement of Applicability covering every Annex A control
- Information security objectives defined and measurable
Common gap: Risk assessment treated as a spreadsheet exercise. No methodology, no repeatability, no SoA cross-reference.
Clause 7 — Support
- Resources allocated to the ISMS (budget, headcount)
- Competence requirements defined for ISMS roles; training records retained
- Awareness across the workforce
- Communication plan for internal and external stakeholders
- Documented information controlled — version, review cadence, retention
Common gap: Training happens; records do not. Policy versions drift across multiple storage locations.
Clause 8 — Operation
- Operational planning and control over the ISMS
- Risk assessment re-run at planned intervals and after significant changes
- Risk treatment plan executed and tracked
Common gap: Risk register exists but is never refreshed after the initial assessment.
Clause 9 — Performance Evaluation
- Monitoring, measurement, analysis, and evaluation of ISMS effectiveness
- Internal audit program with documented scope, findings, and corrective actions
- Management review meetings with defined inputs and outputs per Clause 9.3
Common gap: Internal audit skipped or performed by the same person who runs the controls (independence failure).
Clause 10 — Improvement
- Nonconformities logged with root cause analysis
- Corrective actions tracked to completion
- Continual improvement evidence across the ISMS lifecycle
Common gap: Nonconformity log exists; corrective actions marked "in progress" indefinitely.
Annex A — The 93 Controls Grouped by Theme
The 2022 revision organizes Annex A into 4 themes. You are not required to implement every control — the SoA documents which you include and which you justifiably exclude.
A.5 — Organizational Controls (37 controls)
Policies, roles, supplier relationships, threat intelligence, identity management at the policy level, information classification and labeling, access control policy, response to information security incidents, and continuity planning.
What auditors ask first: the information security policy, the supplier list with risk classifications, the incident response plan, and evidence the continuity plan was tested.
A.6 — People Controls (8 controls)
Screening, terms of employment, awareness training, disciplinary process, remote working, and reporting of information security events.
What auditors ask first: training completion records for the last 12 months and the disciplinary policy.
A.7 — Physical Controls (14 controls)
Physical security perimeters, physical entry, protecting against physical and environmental threats, working in secure areas, clear desk and clear screen, equipment siting and protection, security of off-site assets, secure disposal.
What auditors ask first: access logs to data-handling areas (or documented inheritance from cloud provider certifications), and device disposal records.
A.8 — Technological Controls (34 controls)
User endpoint devices, privileged access, information access restriction, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, backup, redundancy, logging, monitoring activities, clock synchronization, use of privileged utility programs, installation of software on operational systems, network security, segregation of networks, web filtering, use of cryptography, secure development lifecycle, security testing, outsourced development.
What auditors ask first: access review logs, vulnerability management records, backup test evidence, encryption configuration, and secure development evidence (code review logs, pre-production security testing).
Do You Need to Implement Every Control?
No. The Statement of Applicability documents which Annex A controls are in scope and which are excluded, with justification for each exclusion. Common exclusions for cloud-native SaaS startups:
- Physical perimeter controls inherited from the cloud provider (documented as inheritance, not exclusion)
- Application development controls if you do not develop software (rare for SaaS — usually applicable)
- Specific telecommunications controls if you do not operate your own network
What you cannot do is exclude controls arbitrarily. Every exclusion needs a documented reason tied to the business context, and auditors challenge weak justifications.
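As an added example (not part of the original article or any ISO text), a small Python check of the SoA rule described above: every Annex A control must be listed once, every status must be one of a fixed vocabulary, and every excluded or inherited control must carry a written justification. The row format, the status vocabulary and the sample rows are assumptions made here; only the per-theme control counts and numbering come from ISO/IEC 27001:2022.

```python
from collections import Counter

# Per-theme control counts in Annex A of ISO/IEC 27001:2022; controls are
# numbered A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14 and A.8.1-A.8.34.
THEME_COUNTS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ANNEX_A_IDS = {f"{t}.{n}" for t, c in THEME_COUNTS.items() for n in range(1, c + 1)}
# Assumed status vocabulary: "inherited" controls stay applicable and must
# point at provider evidence; "excluded" ones need a business reason.
VALID_STATUSES = {"included", "inherited", "excluded"}


def _sort_key(control_id):
    """Order 'A.8.10' after 'A.8.9' instead of lexically."""
    return tuple(int(part) for part in control_id.split(".")[1:])


def check_soa(rows):
    """Return Stage 1 style findings for an SoA given as a list of dicts
    with "id", "status" and "justification" keys (assumed export format)."""
    seen = Counter(str(r.get("id")) for r in rows)
    findings = {
        "missing": sorted(ANNEX_A_IDS - set(seen), key=_sort_key),
        "unknown_id": sorted(i for i in seen if i not in ANNEX_A_IDS),
        "duplicates": sorted(i for i, n in seen.items() if n > 1),
        "bad_status": [],
        "unjustified": [],
    }
    for r in rows:
        cid, status = str(r.get("id")), r.get("status")
        if status not in VALID_STATUSES:
            findings["bad_status"].append(cid)
        elif status != "included" and not (r.get("justification") or "").strip():
            findings["unjustified"].append(cid)  # exclusion/inheritance without a reason
    return findings


def stage1_ready(findings):
    """True only when every finding category is empty."""
    return not any(findings.values())


# Constructed sample rows for a cloud-native SaaS team (illustrative only).
SAMPLE_SOA = [
    {"id": "A.5.1", "status": "included", "justification": ""},
    {"id": "A.7.1", "status": "inherited", "justification": ""},
    {"id": "A.7.2", "status": "inherited",
     "justification": "Perimeter covered by the cloud provider's ISO 27001 certificate"},
    {"id": "A.8.30", "status": "excluded", "justification": ""},
    {"id": "A.8.30", "status": "excluded", "justification": "No outsourced development"},
    {"id": "A.8.1", "status": "n/a", "justification": ""},
]
```

Run `check_soa(SAMPLE_SOA)` to see the five finding categories; a real SoA export passes only when `stage1_ready` returns True.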
What Stage 1 and Stage 2 Auditors Actually Check
Stage 1 (documentation review): the certification body checks that the ISMS exists on paper. They verify scope, policy, SoA, risk assessment, risk treatment plan, internal audit evidence, and management review minutes. Most Stage 1 findings are documentation gaps — missing SoA rationale, stale policy versions, no evidence of management review.
Stage 2 (operational audit): the certification body samples evidence that controls are operating. Access reviews, change tickets, backup test results, training records, vulnerability scan remediation. Stage 2 is where Annex A gets tested.
The most common Stage 2 findings: access reviews missing for one quarter, change management with gaps in peer review evidence, and internal audit findings with corrective actions that stalled.
How This Overlaps With SOC 2
Annex A technological controls map to roughly 80% of the SOC 2 Common Criteria. Teams running both save significant effort by mapping controls once and sharing evidence across both audits. For the direct comparison, see our ISO 27001 vs SOC 2 guide.
Frequently Asked Questions
How many controls does ISO 27001 have? ISO/IEC 27001:2022 has 93 Annex A controls across 4 themes — organizational (37), people (8), physical (14), and technological (34). The 2013 revision had 114 controls across 14 domains; the 2022 revision consolidated and updated the control set.
What's the difference between clauses and Annex A? Clauses 4–10 define the Information Security Management System itself — how the program is structured, governed, improved, and audited. Annex A is the catalog of specific controls you implement to treat identified risks. You must meet every applicable requirement in the clauses; you document which Annex A controls apply in the Statement of Applicability.
Do I need to implement every control? No. The Statement of Applicability documents which Annex A controls are in scope and which are excluded, with a justification for each exclusion. What you cannot do is exclude controls arbitrarily — every exclusion needs a documented reason tied to the business context, and the certification body auditor will challenge weak justifications.
Ready to Start?
ShieldKey runs managed ISO 27001 programs for startups, often in parallel with SOC 2 to share controls and evidence across both frameworks. For scope, pricing, and delivery model, see our ISO 27001 certification service.