Preparation

The ISO 27001 checklist for UK organisations

Every step from a standing start to certification, in the order that avoids rework. The whole checklist is on this page; the PDF version is yours if you want it, and neither is a teaser for a template pack.

3D illustration of scope and mandate

1. Scope and mandate

Where every stalled project stalls.

  • Board sponsorship secured, with a named executive owner for the ISMS
  • Scope defined and written down: which entities, sites, services, systems and people are inside the ISMS boundary
  • Interested parties and their requirements identified (customers, regulators, insurers)
  • Certification body shortlisted early so audit dates and day counts are known
3D illustration of risk assessment and treatment

2. Risk assessment and treatment

The engine of the whole standard.

  • Risk methodology agreed: how you identify, score and own information security risks
  • Risk assessment completed and recorded, with owners against every material risk
  • Risk treatment plan choosing controls for each risk, with dates and owners
  • Statement of Applicability drafted: every Annex A control marked applicable or justified out
3D illustration of mandatory documents and policies

3. Mandatory documents and policies

What Stage 1 exists to inspect.

  • Information security policy approved by leadership and communicated
  • The clause-mandated documents in place: scope, risk methodology and results, SoA, objectives, evidence of competence
  • Operational policies your people actually follow: access control, supplier security, incident response, acceptable use
  • Document control working: versions, owners, review dates
3D illustration of controls operating with evidence

4. Controls operating with evidence

What Stage 2 exists to test.

  • Selected Annex A controls implemented and producing evidence as a by-product of normal work
  • Access reviews, joiner-mover-leaver records, supplier assessments and incident logs demonstrably running
  • Security objectives measured and reported to management
  • Staff awareness delivered and recorded
3D illustration of internal assurance

5. Internal assurance

The two clauses everyone leaves too late.

  • Independent internal audit (clause 9.2) completed across the full ISMS, with findings recorded
  • Nonconformities from the internal audit corrected, with root-cause treatment recorded
  • Management review (clause 9.3) held and minuted against the standard's required inputs
  • Continual improvement log started: the auditor wants to see the loop turning, not a perfect first lap

Want this as a PDF?

The same checklist, formatted for printing and working through with your team, arrives by email from the contact page. Mention the checklist in your message; no drip campaign follows it.

Go deeper

The checklist items with their own pages

Three items above cause most of the questions, so each has a full treatment: the Statement of Applicability with a worked example, the 93 Annex A controls in plain English, and the clause 9.2 internal audit your certification body is not allowed to do for you.

Or have us run it

Our gap analysis scores your organisation against this entire checklist in about a week and returns a costed, sequenced plan. It is the first block of every engagement and available on its own: how the gap analysis works.

3D rocket illustration for booking a free ISO 27001 scoping call

Skip the guesswork

Have us score you against this checklist

A free 45 minute scoping call, then a one-week gap analysis with a costed plan. You will know exactly where you stand.