The ISO 27001 Compliance Checklist: What You Actually Need in Place

The real ISO 27001 compliance checklist. Ten ordered steps from ISMS scope to surveillance audits, not a vague list of platitudes.


Searching "ISO 27001 compliance checklist" usually turns up a generic list of feel-good statements: have a security policy, train your staff, manage risk. This is not that. This is the actual ordered sequence of what a company has to do to get through certification, from defining scope to passing the two-stage audit and staying certified through three years of surveillance.

TL;DR: ISO 27001 compliance comes down to ten steps, in order: define your ISMS scope, run a formal risk assessment, build a risk treatment plan, select and implement the relevant Annex A controls, write the Statement of Applicability, implement the controls for real, run an internal audit, hold a management review, pass the external Stage 1 and Stage 2 certification audit, and maintain the ISMS through annual surveillance audits. Most teams underestimate step 6, actually implementing the controls, not just documenting them.

ISO/IEC 27001:2022 certifies an Information Security Management System, an ISMS, the set of policies, risk assessments, and controls a company runs to manage information security on an ongoing basis. It is issued by an accredited third-party body after an audit, which is a structural difference from an attestation report like SOC 2, see SOC 2 vs ISO 27001 for how the two actually compare. For the full scope of what the certification covers, see our ISO 27001 framework page.

The ISO 27001 compliance checklist

  1. Define your ISMS scope. Decide which systems, teams, products, and data are actually in scope, and document why. A scope that is too broad slows everything after it down; a scope that quietly excludes something a customer cares about will surface at Stage 1.
  2. Run a formal risk assessment. Identify your assets, the threats against them, and the vulnerabilities that make those threats exploitable, then assess likelihood and impact for each. This is the input every later step depends on.
  3. Build a risk treatment plan. For every risk identified in step 2, decide how it gets addressed: mitigate it with a control, accept it, transfer it, or avoid it. This is a decision record, not a spreadsheet you fill in once and forget.
  4. Select and implement the relevant Annex A controls. The 2022 revision defines 93 controls across four themes: organizational, people, physical, and technological. Select the ones your risk treatment plan calls for, and be ready to justify why any control was excluded, not just why one was included.
  5. Write the Statement of Applicability. This document records every control decision from step 4, in and out, with the reasoning behind each one. It is the document a Stage 1 auditor reads first.
  6. Implement the controls for real. Not a policy that says access reviews happen quarterly while nobody runs one. This is the step most companies underinvest in, because a document is easy to produce and a running control is not.
  7. Run an internal audit. Before the external auditor ever sees your ISMS, someone inside the company, or an independent contractor, checks whether the controls in the Statement of Applicability actually match what is happening. This is where gaps get caught cheaply.
  8. Hold a management review. Leadership formally reviews the ISMS: audit results, risk assessment updates, incidents, and whether the system is still fit for purpose. This is a required input to certification, not a courtesy meeting.
  9. Pass the external certification audit. This runs in two stages: Stage 1 is a documentation review of your ISMS and Statement of Applicability; Stage 2 is an on-site or remote audit of whether the controls are actually operating. Certification is issued for three years on a successful Stage 2.
  10. Maintain the ISMS through annual surveillance audits. The three-year certificate is not a one-time achievement. Annual surveillance audits during that cycle confirm the ISMS is still running, not archived the week after the certificate arrived.
StageWhat happens
Stage 1Auditor reviews your ISMS documentation and Statement of Applicability for readiness.
Stage 2Auditor examines whether the controls are actually implemented and operating.
CertificationIssued for three years upon a successful Stage 2 audit.
Surveillance auditsAnnual checks during the three-year cycle that the ISMS is still live, not archived.

What is the hardest item on the checklist?

Step 6, implementing the controls for real, and step 10, keeping them running for three years, together. Writing a Statement of Applicability that says access reviews happen quarterly is easy. Actually running that review every quarter, on every system in scope, for three years straight through an annual surveillance audit, is the part that determines whether certification survives past year one. Most ISO 27001 failures are not a missing document, they are a control that was true in month one and quietly stopped being true by month eight.

Do I need to complete this in order?

Mostly, yes. Steps 1 through 3, scope, risk assessment, and treatment plan, are prerequisites for step 4, you cannot select the right Annex A controls without knowing what risks you are treating. Steps 7 and 8, the internal audit and management review, exist specifically to catch problems before the external auditor does in step 9, so skipping them straight to the external audit is a way to fail Stage 2 that costs more time than doing them first. Step 10 is not really a discrete step so much as steps 6 through 8 repeating annually.

Does company size change this checklist?

The sequence stays the same regardless of headcount. What changes is scope: a smaller company defines a smaller ISMS boundary in step 1, which means fewer assets in the risk assessment, fewer controls to implement, and a shorter internal audit. The checklist does not get shorter, the work inside each step does. See ISO 27001 for small companies for how that plays out in practice, and ISO 27001 vs SOC 2 if you are deciding which certification to pursue first.

Where Scadable fits

Scadable runs this checklist concierge-style instead of handing over a template to fill in alone. It defines your ISMS scope, runs the actual risk assessment, builds the risk treatment plan, selects and implements the Annex A controls that are genuinely missing, and writes the Statement of Applicability from real decisions, not boilerplate. It keeps the controls running through the internal audit, the management review, and the annual surveillance audits, so the ISMS that passes Stage 2 is the same one still running in year three. If you want to see where your gaps actually are, book a call.

Last reviewed: July 12, 2026.

Frequently asked questions

What is the ISO 27001 compliance checklist in order? Ten steps in practice. Define your ISMS scope, run a formal risk assessment, build a risk treatment plan, select and implement the relevant Annex A controls, write the Statement of Applicability, implement those controls for real, run an internal audit, hold a management review, pass the external Stage 1 and Stage 2 certification audit, then maintain the ISMS through annual surveillance audits.

How many Annex A controls does ISO 27001 have? The 2022 revision defines 93 controls across four themes: organizational, people, physical, and technological. Not every control applies to every company. Which ones apply, and why, gets documented in a Statement of Applicability.

What is the difference between Stage 1 and Stage 2 audits? Stage 1 is a documentation review where the auditor checks your ISMS documentation and Statement of Applicability for readiness. Stage 2 is an operational audit where the auditor examines whether the controls you documented are actually implemented and running.

Does the checklist end once you get certified? No. Certification is valid for three years, but annual surveillance audits during that cycle check whether the ISMS is still live, not just still on paper. An ISMS that quietly stops being followed after the certificate is issued will get caught.

Can a small company complete this checklist? Yes. ISMS scope is defined by the company, not a headcount minimum. A smaller company typically has a smaller scope, which makes every step on this checklist faster, not impossible.