The ISO 27001:2022 Starter Checklist

A free, practical path to get ISO/IEC 27001:2022 audit-ready in 9 steps. ISO 27001 is the international standard for an Information Security Management System (ISMS) — a documented, risk-based way of protecting your information. Certification proves that an accredited certification body has audited your live program and found it conforms.

Who this is for: founders, IT/security leads, and small teams at startups and MSPs starting their first ISO 27001 effort and wanting a clear path from zero to audit.

Honest note: a checklist and good templates dramatically speed up the documentation work — but they do not make you certified. Certification is issued only by an accredited body after it audits your operating ISMS (Stage 1 + Stage 2). Use this as a roadmap, not a guarantee.


Step 1: Define scope & context (Clause 4)

Scope sets the boundary the auditor measures you against — too broad wastes effort, too narrow risks gaps.

  • Identify internal/external issues relevant to your information security
  • List interested parties (customers, regulators, staff) and their requirements
  • Define the ISMS scope boundary (sites, systems, services, teams) in writing
  • Note any exclusions and the justification for each

Step 2: Secure leadership & write the ISMS policy (Clause 5)

ISO 27001 requires demonstrable top-management commitment — auditors look for it first.

  • Get documented leadership sign-off and resource commitment
  • Publish a top-level Information Security Policy
  • Assign ISMS roles, responsibilities, and authorities
  • Confirm security objectives align with business goals

Step 3: Run a risk assessment (Clause 6)

Every control decision and your Statement of Applicability flow from this — it is the engine of the ISMS.

  • Define a repeatable risk assessment methodology (criteria, scoring, acceptance)
  • Identify the risks to confidentiality, integrity, and availability in scope
  • Assess likelihood and impact; rank the risks
  • Record results in a risk register (this feeds the SoA)

Step 4: Build the risk treatment plan (Clause 6.1.3)

The treatment plan shows auditors how you will actually reduce each risk, who owns the work, and by when.

  • Choose a treatment per risk: mitigate, accept, transfer, or avoid
  • Map each mitigated risk to specific Annex A controls
  • Assign owners and target dates for each action
  • Obtain risk-owner approval for residual and accepted risks

Step 5: Produce the Statement of Applicability (SoA) (Clause 6.1.3)

The SoA is the single document auditors return to most — it justifies every control in or out.

  • Review all 93 Annex A controls across the 4 themes: Organizational, People, Physical, Technological
  • Mark each control applicable or not — with a written justification
  • Note each control’s implementation status
  • Cross-check the SoA against your risk treatment plan for consistency

Step 6: Implement & document the applicable controls (Clause 8)

Auditors verify controls exist and are evidenced — undocumented work does not count.

  • Write the policies and procedures for each applicable control
  • Operationalize controls (access, backups, logging, supplier security, etc.)
  • Establish records/evidence that controls run as designed
  • Maintain version control and document approval

Step 7: Train staff & run awareness (Clause 7)

People are a common cause of incidents — competence and awareness are explicit clause requirements.

  • Deliver security awareness training to all in-scope staff
  • Provide role-specific training where needed
  • Keep attendance/competence records as evidence
  • Run reminders (e.g., phishing tests, policy refreshers)

Step 8: Internal audit + management review (Clause 9)

ISO 27001 requires you to check yourself before the certification body does — skipping this is a common audit failure.

  • Plan and conduct an internal audit of the ISMS against the standard
  • Log findings, nonconformities, and corrective actions
  • Hold a documented management review of performance and risks
  • Close out actions and capture continual-improvement decisions

Step 9: Certification audit: Stage 1 then Stage 2 (Clause 9 → certification)

This is the only step that produces an actual certificate, and only an accredited certification body can issue one.

  • Select an accredited certification body
  • Stage 1 (documentation review): confirm your ISMS documents and readiness
  • Remediate any Stage 1 gaps
  • Stage 2 (implementation audit): demonstrate the ISMS operating in practice with evidence
  • Address findings; receive the certification decision

Skip the blank page on Steps 2–6

The editable ISO/IEC 27001:2022 toolkit gives you the documents behind Steps 2–6 — the ISMS policy, risk methodology, risk treatment plan, a Statement of Applicability pre-listing all 93 Annex A controls, and the supporting control policies — pre-built in Word and Excel, ready to tailor with Find & Replace. Instant download, 24 documents, $99 ($69.30 with code GRANDOPEN30 through June 30, 2026).



Professional editable templates — not legal advice, and not a certificate. ISO 27001 is referenced descriptively; ComplianceDocs is not affiliated with ISO or any certification body. A product of ExpertEngine LLC.
