- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we’ll walk you through the ISO 27001 checklist you’ll use en route to your cybersecurity certification. From assigning roles to implementing controls, assessing risks, and documenting your processes for future audits, you can use the ISO 27001 compliance checklist to ensure you’re on the right track for your official audit. You’ll learn why an ISO 27001 requirements checklist is a good idea, what the path to information security looks like, and what the ISO 27001 preparation phase includes for most companies.
ISO 27001 Checklist Overview
The International Standards Organization (ISO) 27001 standard is one of 12 information security standards that are increasingly relevant in a world where companies need to convey their commitment to keeping the intellectual property, sensitive data, and personal information of customers safe.
Certification happens slowly, over the course of multiple ISO 27001 phases. The first step is deciding whether a company stands to benefit most from SOC 2 versus ISO 27001 certification, prepare for the costs of certification, and get an overview of the process when carrying out your ISO 27001 compliance checklist.
However, implementing ISO 27001 certification with or without an ISO 27001 checklist can be an overwhelming process with multiple moving parts. And after downloading the standards, companies can still be at a loss for how to implement them and pass an audit.
So why is an ISO 27001 checklist important? It directs information security teams to practical information about what they’ll need to prepare for certification, step by step. An ISO 27001 audit checklist streamlines the certification process and ensures that teams won’t overlook something over the course of four months (for small teams) to over a year (for large companies).
Finally, an ISO 27001 compliance checklist gives you a bird’s eye view of the recommended steps so you can allocate resources accordingly from the very beginning, saving time and energy.
ISO 27001 Checklist: 10 Steps to Compliance
This ISO 27001 controls checklist offers a framework, but the certification process looks different for every company and their distinct tech stacks. Some differences in the certification process emerge based on a company’s size, existing documentation, and your information security management system (ISMS).
1. Assign roles
Some companies choose an in-house implementation lead and have employees create security documentation and conduct internal audits. Others prefer an outside consultant or contractors. The first step on your ISO 27001 checklist is to make this crucial decision based on your employees’ expertise and your capacity to divert teams from existing priorities for lengthy, in-depth security work.
2. Conduct a gap analysis
A gap analysis looks at your existing ISMS and documentation and compares them to the ISO 27001 standards, and you can get a better sense of what to look for, if conducting your own, with an ISO 27001 gap analysis checklist.
You’ll walk away from the analysis with compliance gaps that should define your preparation process and a timeline for how long it will take to reach compliance. Without this personalized roadmap, companies can spend time and money on projects that aren’t directly tied to certification.
3. Develop and document the parts of your ISMS required for certification
Companies undergoing certification for the first time will need to set up parts of their ISMS and identify the areas requiring protection. Your ISMS will consist of all the internal ISO 27001 policies and procedures in place for cybersecurity. It consists of people, processes, and technology, so it necessitates looking at how information is accessed, when, and by whom.
You’ll find all locations where data is stored, document how it is accessed, and make policies to protect it at these touchpoints (hint: you can find ISO 27001 templates for much of the work you’ll need to present at your audit). Consider both physical and digital data in this step.
4. Conduct an internal risk assessment
Now that you know all about your data, it’s time to document the known risks to that data. An ISO 27001 asset management checklist, ISO 27001 network security checklist, ISO 27001 firewall security audit checklist, or an ISO 27001 risk assessment checklist can help you identify and document these risks.
How likely are they to occur? How severe would the impact be if they occurred? How will you decide? The process starts with determining how you'll identify and rate risks. A risk matrix can help you prioritize high likelihood and high impact risks to sort them accordingly. For each risk, develop a response plan and assign team members accountable for following up. For external data centers, an ISO 27001 data center audit checklist can help you document quality control and security procedures.
5. Write a Statement of Applicability (SoA)
It’s time to dig into the ISO 27001 guidelines. In Annex A, you’ll find a list of 114 possible controls. Select those that address the risks you identified in your risk assessment. Then write a statement about which controls you will apply. You will need this document for the audit process.
6. Implement your controls
Now that you’ve compared your policies and systems to the ISO 27001 controls and applied controls to your own ISMS, it’s time for your workplace’s systems to reflect what you documented.
You may need to update software, procedures, or policies regarding how people handle data. For example, if you have verified that your organization will use cryptography to protect information confidentiality, you’ll need to add that layer to your stack.
7. Train the internal team on your ISMS and security controls
Training is a common pitfall in the implementation process, though data security touches multiple job descriptions and the day-to-day activities of many employees. Regular training is one way to demonstrate your commitment to cybersecurity and cultivate a culture of safety with your team. Employees should get training on the ISMS, security risks, the “why” behind processes, and the implications of failing to maintain compliance.
8. Conduct an internal audit
An internal audit prepares you for the official audit and tests your new systems. Are your controls working? This can be conducted by an internal team that was not a part of setting up and documenting your ISMS, or an independent external reviewer.
An internal audit lets you know and gives you the chance to make changes before the official audit. To get started, try using an ISO 27001 self-assessment checklist or an ISO 27001 internal audit checklist.
9. Have an accredited ISO 27001 lead auditor conduct the ISO 27001 certification audit
You’ll need an accredited ISO 27001 auditor from a recognized accreditation body to conduct a two-step audit: first, they’ll review your documentation and controls. Get a handle on this portion of the audit ahead of time by working through an ISO 27001 stage 1 audit checklist.
Next, the auditor will perform a site audit. They’ll perform tests on your controls to ensure they’re being followed. You guessed it: you can get ahead of this step too, with an ISO 27001 stage 2 audit checklist. You’ll get a list of major and minor nonconformities for each step, and once major nonconformities are addressed, you’ll be issued ISO 27001 certification.
10. Plan for maintaining certification
ISO 27001 certification lasts three years, but you’ll conduct risk assessments and surveillance audits each year while preparing new documentation for your renewal audit in the third year. In addition to updating your policies and systems and managing your ISMS, there’s ongoing employee training to schedule annually.
Overall, the steps you’ll need to fulfill ISO 27001 guidelines can be broken down into multiple smaller checklists. Depending on the needs of your organization, make use of resources like an ISO 27001 Annex A checklist, ISO 27001 evidence checklist, ISO 27001 gap analysis checklist, or ISO 27001 surveillance audit checklist.
ISO 27001 Implementation Tips
ISO 27001 is a detailed standard, and it’s impossible to be familiar with your industry's best practices beforehand. However, some simple tips can get you started on your ISO 27001 checklist.
Study up on ISO 27001 and ISO 27002 standards
The ISO 27002 standards have additional information on each Annex A control you can use to write an expert SoA (step 5 on your ISO 27001 checklist).
Prepare ahead of time
Preparation for the official audit is a large chunk of the certification process. Even with all that prep work, audits can leave your team rushing to find more information to support their processes at the 11th hour.
Get input on your documentation early. Record and track meetings, and implement a project management system that identifies who will do which tasks and when tasks will be completed. Your project management team can take control of working through your ISO 27001 checklist, making sure everything is in order for a complete ISO 27001 implementation roadmap.
Talk to reviewers
During audits, you’ll get information on nonconformities that will later appear in your written report. But, diving into the details in person can help you interpret that report. Get as much clarity and alignment as possible, so you’re confident you know how to make the changes that will lead to better results next time.
By the end of the process, many employees feel they’ve become experts in the process. But, at the onset and along the way, it can be challenging to extrapolate your industry’s and organization’s needs pertaining to certification. Guessing means time and energy spent on tasks that won’t lead to certification. So whether it’s a consultant, hiring the talent to lead certification, or tapping your certification body, choose clarity over making assumptions.
How Can StrongDM Help You with ISO 27001 Certification?
First, stay on top of preparing for an audit by working through the steps of this ISO 27001 checklist. Then, look to StrongDM to help design and implement better security and system audits needed to get and stay ISO 27001-compliant.
We manage and audit access to your databases, servers, clusters, and web applications to cover, manage, and document all those points of contact you identified in your risk assessment. We can help you determine the kinds of controls needed and help you implement them in the most efficient way possible.
Schedule a free demo if you’re ready to work on your security controls without the frustration inherent in going it alone. We can’t wait to show you how StrongDM’s tools can protect your customer data and get your ISO 27001 checklist started on the right foot.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.