ISO 27001 audit checklist
Use this checklist to determine whether your ISMS is audit-ready. Every item below comes up during an ISO 27001 audit — work through them and you will know where to focus your attention.
The core of the checklist
- Scope and context of the ISMS defined.
- Risk assessment and risk treatment plan up to date.
- Statement of Applicability (SoA) complete and substantiated.
- Policy and objectives established by senior management.
- Internal audit carried out and reported.
- Management review demonstrably held.
- Improvement actions followed up.
Statement of Applicability explained
The SoA links your risks to the 93 controls in Annex A and justifies, for each control, whether it applies. It is the heart of your ISO 27001 audit.
ISO/IEC 27001: official standard page at iso.org (primary source).
Frequently asked questions
Short, direct answers — written for people and for AI search functions alike.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory ISO 27001 document that records, for each control in Annex A, whether it applies, together with the justification and the implementation status. The SoA links your risks to concrete controls and is one of the first documents an auditor reviews.
Which documents does the auditor expect to see?
Among other things: the scope, the information security policy and objectives, the risk assessment and risk treatment plan, the Statement of Applicability, evidence that internal audits and management reviews have been carried out, and records of incidents and improvement actions. More important than their existence is that they are up to date and actually used.
What are the most common pitfalls?
Common pitfalls are an SoA that does not match the risk assessment, a policy that is not followed in day-to-day work, an internal audit or management review that has been carried out only as a formality, and improvement actions that have been recorded but not followed up. The auditor looks for evidence that things work, not just that they exist.
Want to know whether you are audit-ready?
Schedule a no-obligation audit scan and, within a single conversation, find out where you stand and what the next step is.
