ISO 27001 Implementation Checklist
A phase-by-phase implementation checklist covering every step from understanding the standard through certification audit — designed by PECB-accredited trainers for organisations pursuing ISO 27001 certification in Australia.
Download the Free Checklist
Get the complete ISO 27001 implementation checklist as a printable PDF or interactive spreadsheet. The same checklist is expanded with additional context below.
Prefer an interactive version? Use the ControlStack ISO 27001 Compliance Checker.
Want a dynamic compliance tracker? Try ControlStack's free compliance checking tools.
How to Use This Checklist
This checklist follows the 8 phases of ISO 27001 implementation — from understanding the standard through to certification. It is designed for Lead Implementers, IT managers, and project teams building an Information Security Management System (ISMS) for the first time or preparing for a certification audit.
Follow the phases sequentially for a new implementation. If you are preparing for an audit against an existing ISMS, use the checklist to verify completeness and identify gaps. Pair this checklist with our ISO 27001 controls guide for detailed Annex A reference.
Most organisations complete the process in 6 to 12 months. Each phase builds on the previous one — do not skip ahead to certification prep without completing the foundational phases.
Phase 1 — Understand the Standard
Before building your ISMS, your team needs a solid understanding of what ISO 27001 requires. This phase ensures everyone involved understands the standard's structure, the Plan-Do-Check-Act cycle, and the relationship between ISO 27001 (requirements) and ISO 27002 (implementation guidance).
- Purchase and review the ISO/IEC 27001:2022 standard
- Obtain ISO/IEC 27002:2022 for guidance on implementing controls
- Understand the PDCA model (Plan-Do-Check-Act)
- Brief your team on ISO 27001's structure and intent
A PECB ISO 27001 Foundation course ($399 AUD) is an efficient way to bring your team up to speed. For the person leading the implementation, the Lead Implementer course ($849 AUD) covers the full methodology. See our ISO 27001 course overview for a comparison of all available training levels.
Phase 2 — Define Scope and Context
Scoping is one of the most important decisions in your certification journey. A well-defined scope keeps the project manageable, reduces audit costs, and ensures the ISMS covers what matters most. Too broad and the project stalls; too narrow and the certificate loses credibility.
- Define the scope of your ISMS (systems, locations, teams, processes)
- Identify internal and external issues (Clause 4.1)
- Identify interested parties and their requirements (Clause 4.2)
- Document your ISMS scope (Clause 4.3)
Consider starting with a focused scope — one product, one location, or one business unit — and expanding after initial certification. This approach reduces costs and accelerates time to certification. See our certification cost guide for how scope affects budget.
Phase 3 — Leadership and Commitment
ISO 27001 requires demonstrable commitment from top management. This is not a tick-box exercise — auditors will assess whether leadership actively supports and resources the ISMS. Without genuine management commitment, implementation stalls and audits fail.
- Appoint top-level ISMS leadership and assign roles (Clause 5.1, 5.3)
- Write and approve an Information Security Policy (Clause 5.2)
- Ensure ISMS responsibilities are integrated into business processes
- Promote awareness and communicate intent from the top
The Information Security Policy is a mandatory document — it must be appropriate to the organisation's purpose, include a commitment to continual improvement, and be communicated to all relevant parties.
Phase 4 — Risk Management
Risk management is the core of ISO 27001. Your risk assessment determines which Annex A controls are applicable and drives the Statement of Applicability — the single most important document in your ISMS. Auditors assess whether your controls are justified by documented risks, not simply copied from the standard.
- Establish a risk assessment methodology (Clause 6.1.2)
- Identify information assets and associated threats
- Assess likelihood and impact of risks
- Determine risk acceptance criteria
- Select appropriate controls (Annex A)
- Create a Risk Treatment Plan
- Complete and maintain your Statement of Applicability (SoA)
The risk assessment methodology must produce consistent, comparable results. ISO 31000 provides a widely adopted framework — see our ISO 31000 guide for the methodology that underpins ISO 27001 risk assessment.
Phase 5 — Required Documentation
ISO 27001 requires specific documented information to be maintained and retained. Auditors will request evidence of each item during the Stage 1 and Stage 2 audits. Missing documentation is one of the most common reasons for audit nonconformities.
- ISMS Scope
- Information Security Policy
- Risk Assessment and Risk Treatment Methodology
- Risk Register
- Statement of Applicability
- Asset Inventory
- Roles and Responsibilities
- Access Control Policies
- Incident Response Procedure
- Internal Audit Program
- Management Review Records
- Corrective Action Register
The PECB Lead Implementer course includes editable templates for all mandatory documents — policy templates, risk registers, SoA trackers, and audit checklists that save weeks of document creation.
Phase 6 — Annex A Controls
ISO 27001:2022 Annex A contains 93 security controls organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). Your risk assessment determines which controls apply — you do not need to implement all 93, but you must justify every exclusion in the Statement of Applicability.
- Identify applicable controls from the 93 in ISO 27001:2022 Annex A
- Create implementation steps for each applicable control
- Use ISO 27002 as a guide for control implementation
- Document control owners and timelines
For a complete reference of all 93 controls with descriptions and Australian compliance mapping, see our ISO 27001 controls guide. You can also browse controls interactively at ControlStack.
Phase 7 — Monitor, Audit and Improve
ISO 27001 is a living management system, not a one-time project. Clause 9 requires ongoing monitoring, internal auditing, and management review. Clause 10 requires corrective action and continual improvement. These activities must be operating before you can proceed to certification.
- Create an internal audit schedule (Clause 9.2)
- Conduct regular audits and record findings
- Conduct management reviews (Clause 9.3)
- Implement corrective actions for nonconformities (Clause 10.1)
- Plan for continual improvement of the ISMS (Clause 10.2)
Internal audits must be conducted by someone independent of the area being audited. Training an internal team member as a PECB Lead Auditor ($849 AUD) builds permanent audit capability and eliminates recurring external audit costs.
Phase 8 — Certification Prep
Once your ISMS is implemented and operating, you are ready for the certification audit. This is conducted in two stages by a JAS-ANZ accredited certification body. Preparation is key — most nonconformities arise from incomplete documentation or controls that are documented but not effectively implemented.
- Engage a reputable certification body
- Conduct a gap analysis
- Prepare for Stage 1 audit — documentation readiness
- Prepare for Stage 2 audit — full implementation review
- Maintain documentation for surveillance audits
After certification, annual surveillance audits maintain your certificate and a full recertification audit occurs every three years. Budget for ongoing costs — see our certification cost guide for detailed figures.
For a complete walkthrough of the certification process in Australia — including JAS-ANZ accredited bodies, timelines, and costs — see our guide to ISO 27001 certification in Australia.
ISO 27001 Mandatory Clauses Quick Reference
ISO 27001:2022 Clauses 4 through 10 define the mandatory requirements for an ISMS. Every organisation seeking certification must address all seven clauses.
Frequently Asked Questions
Common questions about ISO 27001 implementation.
How long does ISO 27001 implementation take?
Most organisations achieve ISO 27001 certification within 6 to 12 months, depending on size, scope, and current security maturity. Smaller organisations with existing security practices may certify in 3 to 4 months. Larger enterprises with complex environments and multiple locations should plan for 12 months or more. See our ISO 27001 certification cost guide for detailed timelines by organisation size.
What documents are required for ISO 27001?
ISO 27001 requires documented information for the ISMS scope (Clause 4.3), Information Security Policy (Clause 5.2), risk assessment methodology (Clause 6.1.2), risk treatment plan (Clause 6.1.3), Statement of Applicability, objectives (Clause 6.2), evidence of competence (Clause 7.2), operational planning records (Clause 8.1), risk assessment results (Clause 8.2), risk treatment results (Clause 8.3), monitoring and measurement results (Clause 9.1), internal audit programme and results (Clause 9.2), management review outputs (Clause 9.3), and records of nonconformities and corrective actions (Clause 10.1, 10.2).
Do I need a consultant for ISO 27001?
No — many organisations achieve certification without external consultants by training an internal team member as a PECB Certified Lead Implementer ($849 AUD). This approach can save $20,000 to $50,000 in consulting fees while building permanent internal expertise. However, some organisations prefer targeted consulting for specific phases such as gap analysis or risk assessment.
What is the difference between Stage 1 and Stage 2 audits?
The Stage 1 audit is a documentation review — the certification body assesses whether your ISMS documentation meets ISO 27001 requirements and is ready for a full assessment. The Stage 2 audit assesses the actual implementation and effectiveness of your ISMS in practice. Auditors interview staff, review evidence, and verify that controls are operating as documented. Both stages must be completed for certification.
How much does ISO 27001 certification cost?
Costs vary by organisation size and scope. Small businesses (1–50 staff) typically spend $15,000–$30,000 AUD, medium organisations (50–250 staff) spend $30,000–$80,000, and enterprises (250+ staff) spend $80,000 or more. These figures include gap analysis, ISMS implementation, training, and certification body audit fees. See our detailed cost breakdown for full figures.
Get Certified with Expert Training
The fastest path to a successful ISO 27001 implementation starts with the right expertise. Our PECB-accredited courses equip your team with the methodology, templates, and certification credentials to build, audit, and maintain your ISMS with confidence.