ISO 27001 Checklist
There are a number of key documents that you will need for a successful ISO 27001 accreditation, and this brief ISO 27001 Checklist should help you to prepare.
ISO 27001 has a number of clauses that specify ‘documented information’, and you must take care to ensure that each of these is addressed.
This ISO 27001 checklist is split into two elements: one listing key documents that you will need to have in place, and the other a list of the documented information that you will have to maintain.
ISO 27001 Checklist
As well as a document defining the broad outline of the Information Security Management System (ISMS), you will need to ensure that, at the very least, you have the following available, whether in documents (such as a spreadsheet) or by using online tools:
- Information Security Policy
- Statement of Applicability
- Risk Assessment and Risk Treatment Plan (often combined with the Risk Assessment in a more general Risk Register)
ISO 27001 Checklist – documented information
The following is not an exhaustive list, but documented information is required for:
- Scope of the ISMS
- Information Security risk treatment process
- Objectives
- Competence
- Criteria and controls for any processes identified during risk assessment and risk treatment, and that are detailed in the Statement of Applicability
- Records of monitoring and measurement results, as evidence of information security performance and effectiveness
- Audit programme and audit results
- Management Review
- Nonconformities and Corrective actions – including the nature of the nonconformity and any actions taken
ISO 27001 lists requirements for the creation and maintenance of any documented information, including, for example, format and title, and document control. This includes the control of documents of external origin.
This list is extensive and, as you prepare for certification, you will find that the number of documents expands and the difficulty of controlling them all increases.
Cambridge Risk Solutions specialises in developing effective and user-friendly information security management systems; contact us today for additional support.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and has an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2022.
View some case studies of recent Information Security and ISO 27001 projects.