Preparation
The ISO 27001 checklist for UK organisations
Every step from a standing start to certification, in the order that avoids rework. The whole checklist is on this page; the PDF version is yours if you want it, and neither is a teaser for a template pack.
1. Scope and mandate
Where every stalled project stalls.
- Board sponsorship secured, with a named executive owner for the ISMS
- Scope defined and written down: which entities, sites, services, systems and people are inside the ISMS boundary
- Interested parties and their requirements identified (customers, regulators, insurers)
- Certification body shortlisted early so audit dates and day counts are known
2. Risk assessment and treatment
The engine of the whole standard.
- Risk methodology agreed: how you identify, score and own information security risks
- Risk assessment completed and recorded, with owners against every material risk
- Risk treatment plan choosing controls for each risk, with dates and owners
- Statement of Applicability drafted: every Annex A control marked applicable or justified out
3. Mandatory documents and policies
What Stage 1 exists to inspect.
- Information security policy approved by leadership and communicated
- The clause-mandated documents in place: scope, risk methodology and results, SoA, objectives, evidence of competence
- Operational policies your people actually follow: access control, supplier security, incident response, acceptable use
- Document control working: versions, owners, review dates
4. Controls operating with evidence
What Stage 2 exists to test.
- Selected Annex A controls implemented and producing evidence as a by-product of normal work
- Access reviews, joiner-mover-leaver records, supplier assessments and incident logs demonstrably running
- Security objectives measured and reported to management
- Staff awareness delivered and recorded
5. Internal assurance
The two clauses everyone leaves too late.
- Independent internal audit (clause 9.2) completed across the full ISMS, with findings recorded
- Nonconformities from the internal audit corrected, with root-cause treatment recorded
- Management review (clause 9.3) held and minuted against the standard's required inputs
- Continual improvement log started: the auditor wants to see the loop turning, not a perfect first lap
Want this as a PDF?
The same checklist, formatted for printing and working through with your team, arrives by email from the contact page. Mention the checklist in your message; no drip campaign follows it.
Go deeper
The checklist items with their own pages
Three items above cause most of the questions, so each has a full treatment: the Statement of Applicability with a worked example, the 93 Annex A controls in plain English, and the clause 9.2 internal audit your certification body is not allowed to do for you.
Or have us run it
Our gap analysis scores your organisation against this entire checklist in about a week and returns a costed, sequenced plan. It is the first block of every engagement and available on its own: how the gap analysis works.
Skip the guesswork
Have us score you against this checklist
A free 45 minute scoping call, then a one-week gap analysis with a costed plan. You will know exactly where you stand.