ISO 27001 Readiness Checklist for Australian Organisations

An ISO 27001 readiness checklist is the work you finish before a certification body arrives. It covers the management system in clauses 4 to 10, the risk assessment and treatment, the Statement of Applicability against the 93 Annex A controls, and proof the system has actually run. Readiness is preparation, not the audit.

What is an ISO 27001 readiness checklist?

It is the set of things that must be in place, documented and operating before a Stage 1 audit. Not a sheet you fill in the week before.

ISO 27001:2022 certifies an information security management system, not a product or a one-off fix. So readiness has two halves: the management system described in clauses 4 to 10, and the controls you select from Annex A. Both have to exist and both have to run. If you are still deciding what ISO 27001 certifies, start with the ISO 27001 guide and come back to this checklist when you are scoping the work.

What does the ISO 27001:2022 readiness checklist cover?

Every clause from 4 to 10, plus the Annex A controls you select. The standard splits into the management system and the controls, and readiness has to cover both.

Clause or area | What readiness means | Where teams trip
Context (clause 4) | Scope written and defensible; interested parties identified, including whether climate change is a relevant issue under the 2024 amendment | Scope drawn too wide
Leadership (clause 5) | Top management owns the ISMS; the information security policy is approved; roles assigned | A signed policy no one actually owns
Planning (clause 6) | A risk assessment method, a risk treatment plan, the Statement of Applicability, and measurable objectives | An SoA copied from a template with no justification
Support (clause 7) | Resources, competence, awareness and the documented information the standard requires | Staff who do not know the ISMS exists
Operation (clause 8) | The risk assessment run, treatments implemented, results recorded | Controls live but no records to prove it
Performance (clause 9) | Monitoring in place, at least one internal audit done, a management review held | The internal audit skipped to save time
Improvement (clause 10) | Nonconformities logged and corrective action working | Findings raised, then no follow-up
Annex A controls | All 93 controls across the four themes reviewed, then applied or excluded with a reason recorded in the SoA | Excluding a control with no rationale

Annex A holds 93 controls in the 2022 version, down from 114 in 2013, across four themes: organisational (37), people (8), physical (14) and technological (34). Eleven of them are new. You do not implement all 93 by default. You select against your risk assessment and record each decision, applied or excluded, in the Statement of Applicability. That is the heart of Annex A.

Which documents must you have ready before Stage 1?

The standard names the documented information it expects, and a Stage 1 audit is largely a documentation review. These are what the auditor opens first.

  • ISMS scope (clause 4.3)
  • Information security policy (clause 5.2)
  • The risk assessment and risk treatment processes (clauses 6.1.2 and 6.1.3)
  • The Statement of Applicability (clause 6.1.3 d)
  • Information security objectives (clause 6.2)
  • Risk assessment and risk treatment results (clauses 8.2 and 8.3)
  • Evidence of competence (clause 7.2)
  • The internal audit programme and results (clause 9.2)
  • Management review results (clause 9.3)
  • Nonconformities and corrective actions (clause 10.2)

The Statement of Applicability is where auditors spend their time. An excluded control with no reason is a finding waiting to happen, so write the justification as you go, not the night before.

How long must the ISMS run before Stage 2?

Long enough to produce records. ISO 27001 sets no fixed minimum operating period, but Stage 2 tests whether the system works, and you cannot show that with an empty log.

Before Stage 2 you need at least one completed internal audit and one management review, plus risk treatment, monitoring and corrective action records that show the system running rather than just designed. Cybernion’s indicative timeline is 4 to 8 weeks for gap analysis and ISMS design, and 6 to 12 months for full implementation through to certification. For the detail, see how long certification takes and what it costs. Certification then runs on a three-year cycle: Stage 1, Stage 2, annual surveillance, recertification in year three.

What do organisations most often get wrong?

They prepare the documents and forget the operating period.

A few patterns repeat. Scope drawn too wide inflates the audit and the control count; a tight, defensible scope is cheaper to certify and to keep. The SoA gets copied from a template with no per-control justification. Annex A gets treated as a list to fully implement rather than a set to select from. And the 2024 climate amendment now asks whether climate change is a relevant issue for the ISMS and its interested parties under clauses 4.1 and 4.2, which many older templates miss.

One more. The 2013 to 2022 transition closed on 31 October 2025, so every current certificate is against the 2022 edition. There is no point preparing to the old Annex A structure. Readiness is judged on evidence, not intent.

Frequently asked questions

Is ISO 27001 mandatory in Australia?

No. It is not government mandated. Demand is commercial, driven by customers, tenders and partners who ask for it.

Do I have to implement all 93 Annex A controls?

No. You select controls against your risk assessment and record, in the Statement of Applicability, which controls apply and which do not, with a reason for each exclusion.

What is the difference between readiness and the certification audit?

Readiness is the preparation you do. The audit is the independent assessment by an accredited certification body, run as Stage 1 then Stage 2.

How long does ISO 27001 readiness take?

Cybernion’s indicative figures are 4 to 8 weeks for gap analysis and ISMS design, and 6 to 12 months for full implementation through to certification, depending on scope and starting maturity.


Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISO/IEC 27001:2022, 2022
  2. ISO/IEC 27002:2022 (Annex A control guidance), 2022
  3. ISO/IEC 27001:2022/Amd 1:2024 (climate action amendment), 2024

Last updated: 21 June, 2026