
ISO 27001 Requirements & Compliance Checklist

ISO 27001 is one of the clearest ways to show clients, suppliers and regulators that you take cyber security seriously. For many UK businesses, it’s fast becoming the baseline for protecting sensitive data, strengthening reputation, and meeting the expectations of security-conscious buyers.
But when you first look at the requirements, it can feel like a lot. Risk assessments, policies, Annex A controls, audits, records — where do you even start?
That’s where a clear understanding of the core ISO 27001 requirements helps. Once you know what the Standard is asking for, it becomes much easier to build an Information Security Management System (ISMS) that works for your business.
In this guide, we’ll walk you through the core ISO 27001 requirements. From setting your scope and assessing risk to choosing controls, keeping records, and preparing for your audit with confidence.
In this blog:
- What are the core ISO 27001 requirements?
- How did the 2022 update change ISO 27001 compliance?
- Why should you use an ISO 27001 compliance checklist?
- ISO 27001 ISMS requirements
- ISO 27001 documentation requirements
- ISO 27001 mandatory records & evidence
- How to put your ISO 27001 requirements checklist into action
What are the core ISO 27001 requirements?
So, what does the Standard actually ask of you? Once you strip away the complex terminology, the real value of ISO 27001 lies in helping you build better habits around information security. These will help your business protect sensitive information, manage risk, and prove its controls are working.
The fundamentals are covered in Clauses 4-10 of the Standard. Here’s a snapshot of what they actually mean for your business:
- Context (Clause 4) — This is about understanding your organisation before you build your Information Security Management System (ISMS). What information do you handle? Who relies on you to protect it? What legal, contractual or supplier requirements apply? Clause 4 also asks you to define the scope of your ISMS, so it’s clear what parts of your business are covered.
- Leadership (Clause 5) — Accountability starts right at the top of your business. The management team needs to show they’re committed to protecting information security and making sure the right resources are in place. This sends a clear message to the whole company: protecting information is everyone’s responsibility.
- Planning (Clause 6) — This is where you identify information security risks and decide what to do about them. You’ll assess threats, set measurable security objectives, choose suitable controls, and document your decisions in your risk treatment plan and Statement of Applicability.
- Support (Clause 7) — Your team needs the right tools, training, awareness and communication to follow the ISMS properly. This clause also covers documented information, which means keeping the policies, records and evidence you need to show your system is working.
- Operation (Clause 8) — This is where the planning stage turns into tangible actions. You’ll put your risk treatment actions and security controls into operation, manage changes, and keep evidence that your processes are being followed.
- Performance Evaluation (Clause 9) — ISO 27001 isn’t based on good intentions. You need to check whether your ISMS is working through monitoring, measurement, internal audits and management reviews. This helps you spot gaps before they become bigger issues.
- Improvement (Clause 10) — Information security is never finished. When incidents, audit findings or new risks appear, you’ll need to take action, fix root causes, and improve your ISMS over time.
Check out our guide to learn more about what ISO 27001 certification actually is and what it asks of your business.
How did the 2022 update change ISO 27001 compliance?
The previous major version of ISO 27001 was published in 2013, and a lot has changed since then. Cloud systems, hybrid working, supply chain risk, ransomware, and stricter client expectations have all reshaped how businesses need to protect information.
That’s why ISO/IEC 27001:2022 was introduced. The update brought the Standard closer to the way modern organisations actually work, with a stronger focus on practical, risk-based information security.
The biggest change was to Annex A, where the information security controls were updated, reorganised and reduced to 93 controls across four themes: organisational, people, physical and technological. These controls help businesses choose the right safeguards for their risks, from access rights and supplier security to backups, monitoring, secure development and data protection.
For UK businesses, the 2022 update helps make sure your Information Security Management System (ISMS) reflects today’s risks — and that your policies, controls and evidence can stand up to real-world threats, client scrutiny and certification audits.
Here’s what the 2022 update means for ISO 27001 compliance:
- Systems that reflect your business — ISO 27001:2022 keeps the focus on building an ISMS around your real risks, responsibilities and ways of working. Your scope, policies and controls should be tailored to how your organisation handles information day to day.
- Visible leadership — Senior management still needs to do more than sign off a policy. Auditors will expect to see clear responsibilities, suitable resources, and evidence that information security is supported at the top of the business.
- Risk-led planning — Your risks, opportunities and objectives should shape how your ISMS works. That means identifying what could affect your information security, deciding how to respond, and choosing controls that are proportionate to your risks.
- Practical support — Clause 7 focuses on the people, resources, awareness, communication and documented information needed to keep your ISMS running properly. Training records, policy updates and clear communication all help show that information security is understood and supported.
- Controls that fit your operations — The 2022 update refreshed Annex A, with 93 controls grouped across organisational, people, physical and technological themes. The controls you choose should match your risk assessment, business activities and Statement of Applicability — not follow a one-size-fits-all approach.
Why should you use an ISO 27001 compliance checklist?
Working towards ISO 27001 certification can feel like a big task, especially when you’re building your ISMS around everyday business pressures. An ISO 27001 compliance checklist helps bring structure to the process. It shows what needs to be done, helps you spot gaps, and keeps your team focused as you prepare for audit.
Using an ISO 27001 requirements checklist can support your business by helping you:
- Simplify implementation — Break complex requirements into clear, manageable actions, so it’s easier to understand what needs doing and when.
- Strengthen risk management — Spot, evaluate, and treat risks, keeping your most important assets safe from evolving cyber threats.
- Build demonstrable trust — Keep clear evidence of your security practices, so you can show clients, suppliers, auditors and tender panels how your ISMS is working.
- Improve incident readiness — Prepare your business to respond quickly and consistently if something goes wrong, helping reduce disruption and downtime.
- Support competitive advantage — Back up your security claims, helping you win those big contracts where strict data protection is a must-have.
Learn more about the wider benefits of ISO certification here.
ISO 27001 ISMS requirements
To meet the ISO 27001 certification requirements, you’ll need a well-structured Information Security Management System in place. This is the framework your business uses to identify information security risks, decide how to treat them, and keep improving your approach over time.
Annex A controls play an important role in that process. Once you’ve completed your risk assessment, you’ll select the controls that are relevant to your risks and document your decisions in your Statement of Applicability. These controls act as practical safeguards, helping you protect information, reduce risk, and show auditors how your ISMS works in practice.
The 2022 update grouped Annex A controls into four clear areas:
- Organisational controls (37 controls) — Covering areas such as information security policies, roles and responsibilities, remote working, supplier relationships, threat intelligence and business continuity.
- People controls (8 controls) — Covering employee screening, terms of employment, information security awareness, training, confidentiality, and responsibilities when people join, move roles or leave.
- Physical controls (14 controls) — Focusing on physical security measures such as secure areas, entry controls, equipment protection, clear desk rules, storage media, and secure disposal.
- Technological controls (34 controls) — Covering access control, authentication, malware protection, backups, logging, monitoring, cryptography, data masking and secure system management.
But what does all of this really mean for you?
The good news is that you don’t have to implement every Annex A control. ISO 27001 is risk-based, so your business should assess its own information security risks, select the controls that are relevant, and explain those decisions in your Statement of Applicability.
That way, your ISMS is built around the information you handle, the threats you face, and the way your organisation actually works day to day.
ISO 27001 documentation requirements
To pass your audit, you’ll need a clear paper trail that shows your certification body how your Information Security Management System is planned, managed and reviewed. Your documentation acts as evidence that you understand the ISO 27001 requirements and have built a system that works in practice.
Here is some of the essential documentation you need to have ready:
Scope of the ISMS (Clause 4.3)
Think of this as drawing a fence around the parts of your business that your ISMS will protect. This document defines the exact boundaries of your system and clearly states which physical locations, digital assets, and technologies are covered by your certification.
For example, if you run a marketing agency, your scope might include your main office and your cloud-based client databases, but exclude a secondary warehouse that stores old event brochures. It tells the auditor exactly where they should look and explains why certain aspects of your business aren’t included.
Information Security Policy (Clause 5.2)
This is a high-level document that puts management’s commitment to security down in writing, setting the tone for your entire business.
This doesn’t have to be a 50-page manual. It should clearly explain what information security means to your organisation, your main objectives, and how leadership will support the system with suitable resources, responsibilities and continual improvement.
Risk Assessment Methodology (Clause 6.1.2)
This explains how your organisation identifies, analyses and evaluates information security risks. Instead of relying on guesswork, you need a consistent method for assessing what could go wrong and how serious each risk could be.
For example, you might score risks from one to five based on likelihood and impact, or categorise them by financial, operational, legal or reputational consequences. Whatever method you choose, it should help you assess risks consistently and give auditors confidence that your decisions are evidence-based, not based on gut feeling.
Statement of Applicability (SoA) (Clause 6.1.3)
The Statement of Applicability, often called the SoA, is one of the most important documents in your ISMS. It lists the Annex A controls and explains which ones apply to your organisation, which ones do not, and why.
For each control, you’ll need to show whether it has been selected, whether it has been implemented, and the justification behind your decision. This links your risk assessment to the practical safeguards you’ve chosen.
For example, if your team is 100% remote and you don’t have a physical office, some physical entry controls may not apply. Your SoA would explain why they’ve been excluded, so the auditor can see that the decision is risk-based and appropriate for your business.
Risk Treatment Plan (Clause 6.1.3)
This is your action plan. Once you’ve found the risks, you need to explain what you’re going to do about them. This document details exactly how you’ll mitigate the risks you’ve identified, who is responsible for getting the job done, and the deadlines for when it needs to happen.
For example, if your risk assessment finds that employee laptops are vulnerable to theft, your treatment plan might include installing remote-wipe software on all devices by the end of the month, with the IT manager responsible for completion.
Security Objectives (Clause 6.2)
You’ll also need clear, measurable information security objectives. These help show that your ISMS is not standing still — it’s being monitored, reviewed and improved over time.
Vague goals like “be more secure” are unlikely to be useful. A stronger objective would be: “Achieve 100% completion of phishing awareness training for all staff by the end of Q3” or “Reduce malware incidents by 20% over the next 12 months.”
The key is to make your objectives specific, measurable and relevant to your risks, so you can track progress and show improvement during your audit.
ISO 27001 mandatory records & evidence
Alongside your ISMS documentation, your ISO 27001 certification also requires that you keep specific records. Auditors need written evidence to show that your security operations are routinely monitored, maintained, and improved.
Make sure you keep records of the following:
- Risk assessment reports & treatment results — Evidence that information security risks have been assessed, reviewed and treated in line with your chosen methodology.
- Competence evidence — Records showing that staff have the right education, training, skills or experience to carry out their information security responsibilities.
- Monitoring and measurement results — Logs, reports or performance data showing how your ISMS is performing against your objectives and expected outcomes.
- Internal audit programmes & results — Evidence that you carry out planned internal audits, record findings, and take action where gaps or nonconformities are identified.
- Corrective actions — Records showing how your business responds to incidents, audit findings or nonconformities, including what caused the issue, what action was taken, and whether the fix worked.
If you’re wondering how the whole auditing and certification journey flows, find out exactly how getting ISO-certified works here.
How to put your ISO 27001 requirements checklist into action
Having a checklist is great, but actually putting it into practice effectively is what gets you audit ready. Here’s how to use your checklist to manage your information security requirements properly:
- Perform an initial gap analysis — Map out where your business stands today. Check off the requirements you already meet and identify any gaps between your existing processes and the Standard. Then, document the physical, digital and organisational boundaries of your ISMS.
- Risk assessment & treatment — Identify the information assets within your scope, then assess the threats, vulnerabilities, and potential impact if something goes wrong. From there, decide how each risk will be treated and draft your Statement of Applicability by selecting the relevant Annex A controls.
- Implement policies & controls — Get leadership involved, assign clear responsibilities, and allocate the resources your ISMS needs. Create the policies, procedures and controls that support your risk treatment plan, then train your team so everyone understands their role.
- Carry out internal audits and improve — Use your checklist to support your internal audit programme. Look for weak spots, record findings, and put corrective actions in place before your external certification audit. Once your ISMS is ready, you can move into the official Stage 1 and Stage 2 certification audits.
Get audit-ready with Be Certified today
Streamline your path to ISO 27001 certification with our fast, flexible self-serve platform. At Be Certified, we turn complicated jargon into easy-to-understand steps, giving you the confidence you need to focus on running your business.
Choose Be Certified and receive:
- Expert guidance through the ISO 27001 framework.
- A platform created by real ISO consultants.
- Instant access. No waiting around.
- Affordable, transparent pricing.
Get your business audit-ready with our ISO 27001 software today.

Specialising in ISO compliance and quality management systems, Kevin Johnstone brings a wealth of experience and insight built up over many years in the field.