ISO 27001 Free Information Security Readiness Checklist

Scope, context, leadership, policy and roles.

0/0 answered

ISMS scope defined and approved (locations, systems, services, exclusions)?

Business context, interested parties and security requirements documented?

Top management roles, responsibilities and commitment for information security are defined and visible?

Information security policy and supporting policies approved, communicated and periodically reviewed?

Risk assessment, risk register, Annex A controls and SoA.

0/0 answered

Risk assessment methodology defined (criteria, likelihood/impact, appetite) and applied consistently?

Information security risk register in place, with owners, treatments and review dates?

Annex A controls selected based on risk, legal/regulatory and contractual requirements?

Statement of Applicability (SoA) completed with justifications, control status and evidence locations?

Assets, access, suppliers and secure change/development.

0/0 answered

Information assets, systems and services inventoried with assigned owners?

Access control model defined (joiner/mover/leaver, least privilege, privileged access)?

Supplier/third-party security requirements defined and periodically reviewed?

Secure change and development practices in place (change assessment, testing, approvals)?

Logging, backups/DR, vulnerability management and incidents.

0/0 answered

Security logging and monitoring in place for key systems, with alerting on suspicious activity?

Backups, business continuity and disaster recovery plans tested and aligned to RTO/RPO targets?

Vulnerability management process in place (scanning, patching, remediation of high risks)?

Incident response plan defined, tested and improved after real incidents or exercises?

Metrics, internal audit, management review and improvements.

0/0 answered

ISMS objectives and KPIs defined, measured and reported (e.g. incidents, audit findings, training)?

Internal ISMS audits performed to plan, with findings and corrective actions tracked to closure?

Management reviews held covering risks, incidents, changes, audit results and improvement opportunities?

Continual improvement / corrective action log maintained for ISMS issues and opportunities?

ISO 27001 information security readiness checklist (free)