Free ISO 27001 Readiness Checklist - Score Your ISMS in 15 Minutes

Tell us about your environment

A few details to tailor your roadmap. Required fields are marked *.

Organisation name *

Your name *

Email (where to send your PDF copy) *

Primary sector *

Organisation size (FTE) *

Microsoft licensing tier

What is prompting you to look at ISO 27001 now? *

When do you need to be audit-ready?

1.Governance & ISMS Foundation0/4 2.Annex A Controls & SoA0/5 3.Security Operations & Resilience0/4 4.Audit, Measurement & Improvement0/2

📋

Governance & ISMS Foundation

Scope, leadership, policy, and risk methodology.

Progress

0/4

ISMS scope is defined and approved — covering locations, systems, services, and explicit exclusions

A clear scope statement is the first thing an auditor checks. Vague or missing scope is the most common Stage 1 finding.

View evidence examples ->

One-page scope statement listing sites, cloud environments, core systems, and customer-facing services in scope
Diagram showing boundaries — e.g. "Production AWS + corporate M365 in scope; personal devices and lab environments out"
Documented exclusions with justification and any compensating controls

Top management has assigned roles, committed resources, and is visibly engaged in security governance

Auditors want evidence that security is owned at executive level — not just delegated to IT.

View evidence examples ->

ISMS governance chart showing sponsor, ISMS owner, risk owners, and control owners
Leadership-approved policy statement and management review minutes showing security on the agenda
Resourcing decisions (budget, roles, priorities) tied to documented security risks

Information security policy and supporting policies are current, approved, communicated, and reviewed periodically

Policies must be version-controlled, dated, and demonstrably acknowledged by staff.

View evidence examples ->

InfoSec policy with version control, approval date, and next review date documented
Supporting policies covering access control, incident response, change management, supplier security, and acceptable use
Evidence of communication — intranet links, staff acknowledgements, onboarding training records

Risk assessment methodology is defined and applied consistently — with criteria, scoring, and risk appetite documented

Repeatability matters more than complexity. The same method should produce comparable results regardless of who runs the assessment.

View evidence examples ->

Risk matrix with likelihood and impact definitions, plus scoring guidance for each level
Documented risk acceptance thresholds — who can approve risks at what level
Worked example showing two assessors producing comparable ratings using the methodology

🔐

Annex A Controls & SoA

Controls, SoA, assets, access, and supplier risk.

Progress

0/5

A live risk register is maintained — with named owners, treatment plans, due dates, and review cadence

Auditors look for a register that is actively maintained — not a spreadsheet last updated at certification.

View evidence examples ->

Risk register entries showing description, affected assets, owner, treatment plan, due date, and current status
Monthly or quarterly review cadence with updates and decisions documented
Linked evidence — tickets, remediation plans, change records, or signed risk acceptance forms

Statement of Applicability is complete — included/excluded controls, justifications, status, owner, and evidence pointers

The SoA is the audit index. A weak SoA undermines an otherwise strong ISMS.

View evidence examples ->

Each Annex A control marked applicable / not applicable with documented justification
Implementation status (Implemented / In Progress / Excluded) and named control owner
Direct link to evidence location — SharePoint folder path, configuration export, or system report

Information assets and systems are inventoried, classified, and have assigned owners

You need to know what you have and what matters most before you can prioritise protection.

View evidence examples ->

Asset inventory covering applications, infrastructure, data stores, endpoints, and key SaaS tools
Data classification or "crown jewels" register identifying critical systems and sensitive data
Lifecycle process — onboarding, periodic review, and retirement documented

Access control is governed — joiner/mover/leaver process, role-based access, MFA, and privileged access controls

Access reviews and privileged access governance are among the most heavily sampled controls in ISO 27001 audits.

View evidence examples ->

Documented joiner/mover/leaver process with timelines, approvals, and audit trail
Role-based access groups with periodic access reviews — quarterly for sensitive systems
Privileged access separated, with MFA, just-in-time elevation (e.g. Entra PIM), and centralised logging

Third-party and supplier security is governed — risk tiering, contract clauses, and ongoing review

Supply chain risk is increasingly scrutinised — especially after SolarWinds, Log4j, and MOVEit.

View evidence examples ->

Vendor risk assessment process tiering suppliers by criticality and data access
Contract clauses covering security obligations, breach notification, audit rights, and sub-processor controls
Annual review of critical suppliers — SOC reports, ISO certificates, questionnaires, incident history

🛡️

Security Operations & Resilience

Logging, vulnerabilities, incidents, backups.

Progress

0/4

Centralised security logging and alerting is in place for identity, endpoints, cloud, and critical applications

Logs must support both detection and investigation. Without log retention and review evidence, controls fail audit testing.

View evidence examples ->

Centralised logging covering Entra/SSO, endpoints, cloud audit logs, and key applications
Alert rules for high-risk patterns — impossible travel, admin role changes, excessive failed logins
Documented log retention period and access controls; evidence of alert review and triage

A repeatable vulnerability management process is in place — scanning, patching, prioritisation, and verified closure

Auditors want to see SLAs being met or exceptions being managed — not just that scanning happens.

View evidence examples ->

Regular vulnerability scanning across infrastructure and applications, with documented frequency and scope
Patch SLAs (e.g. critical within 14 days) with a documented exception process
Remediation tracking — tickets and evidence that high/critical vulnerabilities are resolved or formally accepted

Incident response plan is documented, tested, and improved after exercises or real incidents

Plans that have never been tested often fail when needed. A tabletop exercise outcome is strong evidence.

View evidence examples ->

Incident response runbook covering roles, severity levels, escalation paths, and contact list
Tabletop exercise outcomes with lessons learned and an action plan
Post-incident review records showing improvements made after incidents or near-misses

Backups are configured, monitored, and restore-tested — with RTO and RPO targets aligned to business needs

Untested backups are not evidence — auditors will sample restore test records.

View evidence examples ->

Defined RTO and RPO per critical system
Backup schedule, scope, and monitoring/alerts for failed jobs
Documented restore tests and DR/BCP exercises with outcomes and improvements

📊

Audit, Measurement & Improvement

Internal audit and management review.

Progress

0/2

Internal ISMS audits are performed against a plan — with findings tracked to verified closure

Internal audit is mandatory under ISO 27001. The audit must cover all clauses and a sample of Annex A controls.

View evidence examples ->

Annual internal audit plan covering ISO 27001:2022 clauses 4–10 and a rotating sample of Annex A controls
Audit reports with findings, root cause, corrective actions, owners, and due dates
Evidence that corrective actions are verified closed — not just marked "done"

Management reviews are held at planned intervals — covering risks, incidents, KPIs, audit results, and improvements

Management review minutes are mandatory evidence and one of the first documents auditors request.

View evidence examples ->

Management review agenda and minutes covering all required ISO 27001 inputs
Recorded decisions on resourcing, policy changes, risk acceptance, and improvement priorities
Action register with owners, due dates, and closure tracking

Overall readiness

Answer questions to score

Governance & ISMS Foundation -

Annex A Controls & SoA -

Security Operations & Resilience -

Audit, Measurement & Improvement -

0 of 15 questions answered

Available once all questions are answered

ISO 27001 Readiness Checklist

Tell us about your environment

Governance & ISMS Foundation

Annex A Controls & SoA

Security Operations & Resilience

Audit, Measurement & Improvement

Your report is ready