Updated for ISO 27001:2022

ISO 27001 Checklist: All 93 Annex A Controls + Fastest Implementation Path

The most complete ISO 27001 checklist available. Every control, the quickest way to meet it, a printable PDF, certification timeline, and expert FAQ — free.

At a glance: 93 Annex A controls · 4 control themes · 6–12 months to certify · 11 new controls in 2022

What You Need to Know

How to Use This ISO 27001 Checklist

ISO 27001:2022 requires you to implement the management system (Clauses 4–10) and select applicable Annex A controls based on your risk assessment. You don't have to implement all 93 controls — but you must document your reasoning for any exclusions in your Statement of Applicability (SoA). Use the checklist below to track implementation status, prioritize quick wins, and build your audit evidence package.

Statement of Applicability
Your SoA lists all 93 controls, marks each as applicable or excluded, and justifies exclusions. Auditors use it as their roadmap: if it's not in the SoA, they typically won't check it.

Risk Assessment First
Don't implement controls randomly. Conduct your risk assessment first, then select controls that address identified risks. This risk-driven approach is what auditors verify.

2022 vs 2013
ISO 27001:2022 reduced controls from 114 to 93 and added 11 new ones covering cloud security, threat intelligence, and data leakage prevention. If you're on 2013, transition now: 2013 certs expired October 31, 2025.

Quick Win Strategy
Each control below shows an effort level (Low/Med/High) and the fastest implementation path. Start with all "Low effort" controls: these can often be completed in days and represent ~40% of the total.
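An SoA is only useful as an audit roadmap if it is complete and every exclusion is justified. The following is an added example (not code from the original checklist) that checks an SoA kept as a plain list of records for exactly those defects and pulls out the "Low effort, still open" quick wins; the record layout and the sample SoA are constructed assumptions.

```python
"""Statement of Applicability (SoA) consistency check.

Added example, not code from the original checklist. It assumes the SoA is kept
as a list of dicts with the keys: id, applicable (bool), justification,
effort (Low/Med/High) and status (done/open). The sample SoA below is
constructed from a handful of the page's controls, not the full 93.
"""
from collections import Counter

# ISO 27001:2022 Annex A has four themes: A.5 (37), A.6 (8), A.7 (14), A.8 (34).
THEME_SIZES = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = [f"A.{theme}.{n}"
                for theme, size in THEME_SIZES.items()
                for n in range(1, size + 1)]


def validate_soa(soa):
    """Return the findings an auditor would raise when using the SoA as a roadmap.

    - missing: Annex A controls the SoA never mentions (every control must be
      listed, even if excluded)
    - unknown: IDs that are not Annex A controls (typos, 2013-edition numbering)
    - duplicate: controls listed more than once
    - unjustified_exclusion: controls marked not applicable with no reasoning
    """
    ids = [row["id"] for row in soa]
    seen = set(ids)
    known = set(ALL_CONTROLS)
    return {
        "missing": [c for c in ALL_CONTROLS if c not in seen],
        "unknown": sorted(i for i in seen if i not in known),
        "duplicate": sorted(i for i, n in Counter(ids).items() if n > 1),
        "unjustified_exclusion": [
            row["id"] for row in soa
            if not row["applicable"] and not row.get("justification", "").strip()
        ],
    }


def quick_wins(soa):
    """Applicable, still-open controls rated Low effort: the page's 'start here' set."""
    return [row["id"] for row in soa
            if row["applicable"] and row["status"] == "open" and row["effort"] == "Low"]


def effort_breakdown(soa):
    """Count applicable controls per effort level (e.g. to check the ~40% Low share)."""
    return dict(Counter(row["effort"] for row in soa if row["applicable"]))


# Constructed sample SoA: deliberately incomplete and containing two mistakes
# (an unjustified exclusion and an ID that is not an Annex A control).
SAMPLE_SOA = [
    {"id": "A.5.1", "applicable": True, "justification": "", "effort": "Low", "status": "done"},
    {"id": "A.5.7", "applicable": True, "justification": "", "effort": "Med", "status": "open"},
    {"id": "A.7.4", "applicable": False,
     "justification": "Remote-first; no premises in ISMS scope, colocation covered by provider",
     "effort": "Med", "status": "open"},
    {"id": "A.7.12", "applicable": False, "justification": "", "effort": "Low", "status": "open"},
    {"id": "A.8.4", "applicable": True, "justification": "", "effort": "Low", "status": "open"},
    {"id": "A.9.1", "applicable": True, "justification": "", "effort": "High", "status": "open"},
]

if __name__ == "__main__":
    for name, items in validate_soa(SAMPLE_SOA).items():
        print(f"{name}: {len(items)} {items[:5]}")
    print("quick wins:", quick_wins(SAMPLE_SOA))
    print("effort breakdown:", effort_breakdown(SAMPLE_SOA))
```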

The Full List

All 93 Annex A Controls

Each control below gives its Annex A reference, a short description, a "Quickest" implementation note (the most practical first step for a small to mid-size organization), and an effort level.

A.5 Organizational Controls (37 controls · A.5.1–A.5.37)

A.5.1 Policies for information security
Define, approve, and publish information security policies aligned with business objectives and regulatory requirements.
Quickest: Use a pre-built policy template pack. Get management sign-off and publish to all staff via email or intranet. Takes 1–2 days with templates.
Effort: Low

A.5.2 Information security roles and responsibilities
Assign and communicate information security responsibilities across the organization.
Quickest: Create a one-page RACI chart assigning an Information Security Owner (CISO or equivalent), Data Protection Officer, and IT Security lead. Document in your ISMS.
Effort: Low

A.5.3 Segregation of duties
Separate conflicting duties to reduce opportunities for unauthorized or accidental modification of assets.
Quickest: Document which roles cannot be held by one person (e.g., a developer cannot deploy to production alone). Enforce via access controls and approval workflows.
Effort: Low

A.5.4 Management responsibilities
Require all managers to enforce security policies within their areas and lead by example.
Quickest: Add information security responsibilities to management job descriptions and include them in performance reviews. Document the expectation formally.
Effort: Low

A.5.5 Contact with authorities
Maintain appropriate contacts with relevant authorities (law enforcement, regulators, emergency services).
Quickest: Create a contacts list documenting who to contact and when (e.g., ICO/FTC for data breaches, law enforcement for cybercrime). Review annually.
Effort: Low

A.5.6 Contact with special interest groups
Maintain contacts with security forums, professional associations, and threat intelligence communities.
Quickest: Subscribe to CISA alerts, join the ISAC for your sector, and follow NCSC/NIST advisories. Document participation. Takes 30 minutes to set up.
Effort: Low

A.5.7 Threat intelligence (new in 2022)
Collect, analyze, and act on information about threats to information security relevant to the organization.
Quickest: Subscribe to free threat feeds (CISA KEV, US-CERT, AlienVault OTX). Assign someone to review weekly and log findings. A GRC platform can automate this.
Effort: Med

A.5.8 Information security in project management
Integrate information security into project management methodologies and lifecycle processes.
Quickest: Add a security review checkpoint to your project kickoff and launch templates. Assign a security reviewer for any project handling sensitive data.
Effort: Med

A.5.9 Inventory of information and other associated assets
Identify and maintain an inventory of assets and assign ownership.
Quickest: Build a spreadsheet listing all systems, SaaS tools, data stores, and hardware with an owner for each. Tools like Vanta or Drata auto-discover cloud assets.
Effort: Med

A.5.10 Acceptable use of information and other associated assets
Define rules for acceptable use and handling of information assets.
Quickest: Publish an Acceptable Use Policy (AUP) covering email, internet, devices, and data handling. Require all staff to sign it annually. A template takes 1 day.
Effort: Low

A.5.11 Return of assets
Ensure employees and contractors return all organizational assets upon termination of employment or contract.
Quickest: Add an asset return checklist to your offboarding process. Include company devices, access cards, and any physical documents.
Effort: Low

A.5.12 Classification of information
Classify information according to security requirements (e.g., Public, Internal, Confidential, Restricted).
Quickest: Define 3–4 classification labels and publish a one-page guide on how to apply them. Start with the obvious: customer data = Confidential, public docs = Public.
Effort: Med

A.5.13 Labelling of information
Develop and implement labelling procedures consistent with the information classification scheme.
Quickest: Apply classification labels to document headers/footers and email subjects for sensitive communications. Microsoft Purview or Google Workspace labels automate this.
Effort: Med

A.5.14 Information transfer
Define rules for transferring information within and outside the organization across all transfer types.
Quickest: Create an Information Transfer Policy covering email, file sharing, and third-party transfers. Require encryption for sensitive data in transit.
Effort: Med

A.5.15 Access control
Establish, document, and review access control policies based on business and information security requirements.
Quickest: Document your access control policy (least privilege, need-to-know). Implement it via your IdP (Okta, Azure AD). Conduct a quarterly access review.
Effort: Med

A.5.16 Identity management
Manage the full lifecycle of identities (creation, maintenance, and deletion) across all systems.
Quickest: Use SSO (Okta, Google Workspace) as your identity hub. Document your JML (joiner/mover/leaver) process with defined SLAs for provisioning and deprovisioning.
Effort: Low

A.5.17 Authentication information
Manage authentication information, including passwords, through a formal management process.
Quickest: Enforce a password policy (min 12 chars, complexity, no reuse) and require MFA on all accounts. Use a password manager (1Password, Bitwarden) org-wide.
Effort: Low

A.5.18 Access rights
Provision, review, modify, and revoke access rights following a formal process.
Quickest: Define who approves access requests, set a quarterly access review cadence, and log all changes. A GRC tool or even a Jira workflow can track this.
Effort: Med

A.5.19 Information security in supplier relationships
Define and implement processes to manage information security risks associated with suppliers.
Quickest: Build a vendor inventory, categorize by risk, and require security questionnaires for high-risk vendors. Include security requirements in supplier contracts.
Effort: Med

A.5.20 Addressing information security within supplier agreements
Include relevant information security requirements in supplier agreements.
Quickest: Create a standard security addendum for supplier contracts covering data handling, breach notification, audit rights, and encryption requirements.
Effort: Med

A.5.21 Managing information security in the ICT supply chain
Manage security risks associated with the ICT product and service supply chain.
Quickest: Identify critical ICT dependencies (cloud providers, CDNs, DNS). Verify they hold ISO 27001 or SOC 2. Document dependency risks in your risk register.
Effort: Med

A.5.22 Monitoring, review and change management of supplier services
Regularly monitor, review, and manage changes to supplier services.
Quickest: Schedule annual supplier reviews, subscribe to the status pages of critical vendors, and document any changes to supplier services in your change log.
Effort: Low

A.5.23 Information security for use of cloud services (new in 2022)
Specify, implement, and manage information security for the acquisition, use, management, and exit from cloud services.
Quickest: Document your cloud inventory (AWS, Azure, GCP, SaaS), review each provider's security certifications, and establish a cloud exit strategy. Enable cloud security posture management (CSPM).
Effort: Med

A.5.24 Information security incident management planning and preparation
Plan and prepare for information security incident management by defining roles, responsibilities, and procedures.
Quickest: Write an Incident Response Plan using a free template. Define severity levels, roles, escalation paths, and notification timelines. Run a tabletop exercise within 60 days.
Effort: Med

A.5.25 Assessment and decision on information security events
Assess security events and decide whether to classify them as incidents.
Quickest: Create a triage decision tree: what qualifies as an incident vs. a false positive. Document the criteria and train first responders on classification.
Effort: Med

A.5.26 Response to information security incidents
Respond to incidents according to documented procedures, including containment, eradication, and recovery.
Quickest: Document your containment, eradication, and recovery runbooks for the top 3 likely incidents (phishing, ransomware, data breach). Practice them in a tabletop.
Effort: Med

A.5.27 Learning from information security incidents
Apply lessons learned from incidents to strengthen controls and prevent recurrence.
Quickest: Create an incident post-mortem template. Require a written lessons-learned document for every P1 incident, with action items tracked to completion.
Effort: Low

A.5.28 Collection of evidence
Define and apply procedures for identifying, collecting, and preserving evidence related to information security incidents.
Quickest: Document your evidence collection procedure: which logs to preserve, chain-of-custody requirements, and storage location. Ensure logs are retained for 12+ months.
Effort: Low

A.5.29 Information security during disruption
Plan how to maintain an appropriate level of information security during disruption.
Quickest: Document your minimum security baseline during an outage or disruption. Which controls can be relaxed temporarily and which cannot? Include this in your BCP.
Effort: High

A.5.30 ICT readiness for business continuity (new in 2022)
Plan, implement, maintain, and test ICT readiness to ensure information availability and continuity during disruption.
Quickest: Define RTO/RPO for critical systems, test failover procedures, and document recovery runbooks. AWS/Azure native DR tools cover most of the technical requirements.
Effort: High

A.5.31 Legal, statutory, regulatory and contractual requirements
Identify and document all legal, statutory, regulatory, and contractual requirements relevant to information security.
Quickest: Create a compliance obligations register listing all applicable laws (GDPR, CCPA, HIPAA, etc.), contracts, and regulations. Review quarterly. A legal team or GRC consultant can populate this in a day.
Effort: Med

A.5.32 Intellectual property rights
Implement appropriate procedures to protect intellectual property rights and the use of proprietary software.
Quickest: Maintain a software license register, prohibit unauthorized software installation, and include IP protection clauses in all employment and contractor agreements.
Effort: Med

A.5.33 Protection of records
Protect records from loss, destruction, falsification, unauthorized access, and unauthorized release.
Quickest: Define retention periods for each record type, enforce access controls on document stores, and ensure backups are encrypted and tested regularly.
Effort: Med

A.5.34 Privacy and protection of personal information
Identify and meet requirements for the preservation of privacy and protection of personal information.
Quickest: Publish a privacy policy, conduct a data inventory mapping where PII lives, and implement data minimization. OneTrust or Osano can automate consent management.
Effort: Low

A.5.35 Independent review of information security
Conduct independent (internal or external) reviews of information security at planned intervals.
Quickest: Schedule an annual internal audit against your ISMS. For a first-time audit, engage a fractional CISO or GRC consultant to conduct the review (typically 1–2 weeks).
Effort: High

A.5.36 Compliance with policies, rules and standards for information security
Regularly review compliance of information processing and procedures with security policies, rules, and standards.
Quickest: Use your GRC platform or a quarterly self-assessment checklist to verify that controls are operating. Log results and address deviations with corrective action plans.
Effort: Med

A.5.37 Documented operating procedures
Document, maintain, and make operating procedures available to all who need them.
Quickest: Document the top 10 recurring IT and security operations (backups, patching, access reviews, incident response). Use a wiki (Notion, Confluence) for version control.
Effort: High
A.6 People Controls (8 controls · A.6.1–A.6.8)

A.6.1 Screening
Conduct background verification checks on all candidates for employment, commensurate with the risk.
Quickest: Use Checkr or a similar service for criminal background checks, identity verification, and employment history. Takes 2–3 days per candidate. Document your screening criteria by role.
Effort: Med

A.6.2 Terms and conditions of employment
Include information security responsibilities in employment agreements and contracts.
Quickest: Add an information security clause to all employment contracts and NDAs requiring staff to comply with security policies. Review it with legal counsel once, then apply it to all new hires.
Effort: Low

A.6.3 Information security awareness, education and training
Ensure all employees receive appropriate awareness, education, and training in information security.
Quickest: Deploy an annual security awareness training program via KnowBe4, Proofpoint, or free SANS materials. Track completion. A 100% completion rate is what auditors verify.
Effort: Med

A.6.4 Disciplinary process
Establish a formal disciplinary process for employees who violate information security policies.
Quickest: Add a security violation section to your HR disciplinary policy. Define consequences proportional to severity. Ensure staff are informed during onboarding.
Effort: Low

A.6.5 Responsibilities after termination or change of employment
Define and communicate security responsibilities that remain valid after termination of employment.
Quickest: Include post-employment security obligations in employment contracts (NDA, confidentiality). Send a termination reminder email highlighting ongoing obligations on the employee's last day.
Effort: Low

A.6.6 Confidentiality or non-disclosure agreements
Identify, document, and review NDAs that reflect the organization's requirements for protection of information.
Quickest: Maintain a register of all signed NDAs (employees, contractors, partners). Use DocuSign or similar for electronic signing and archiving. Standard legal templates work fine.
Effort: Low

A.6.7 Remote working (new in 2022)
Implement security measures for personnel working remotely.
Quickest: Publish a Remote Work Security Policy covering VPN use, screen locks, public WiFi rules, and clean desk standards. Enforce MDM on all remote devices.
Effort: Med

A.6.8 Information security event reporting (new in 2022)
Provide a mechanism for employees to report observed or suspected information security events.
Quickest: Create a simple security@yourcompany.com mailbox and a Slack channel for incident reporting. Train all staff during onboarding on what to report and how.
Effort: Low
A.7 Physical Controls (14 controls · A.7.1–A.7.14)

A.7.1 Physical security perimeters
Define and use security perimeters to protect areas containing sensitive information and assets.
Quickest: Document your physical perimeter (office, server rooms). Ensure key card or badge access is required for sensitive areas. Map out zones in a floor plan diagram.
Effort: Med

A.7.2 Physical entry
Protect secure areas with appropriate entry controls so that only authorized personnel can gain access.
Quickest: Implement badge/key card access with logs, a visitor sign-in register, and escort procedures for visitors in secure areas. Review access logs monthly.
Effort: Med

A.7.3 Securing offices, rooms and facilities
Design and apply physical security for offices, rooms, and facilities.
Quickest: Ensure server rooms and storage areas have locks, limited access lists, and no external signage identifying them. Document physical security measures for auditors.
Effort: Med

A.7.4 Physical security monitoring (new in 2022)
Premises shall be continuously monitored for unauthorized physical access.
Quickest: Install CCTV at entry points and in server/equipment rooms. Enable 24/7 recording with 90-day retention. For remote-first companies, focus on co-location facilities instead.
Effort: Med

A.7.5 Protecting against physical and environmental threats
Design and implement protection against physical and environmental threats such as fire, flood, and disasters.
Quickest: Verify fire suppression, flood detection, and UPS systems in server rooms. Document environmental controls. If cloud-only, reference your AWS/Azure region redundancy.
Effort: Low

A.7.6 Working in secure areas
Design and apply security measures for working in secure areas.
Quickest: Publish a clean desk policy, screen lock requirements, and rules for who can be in secure areas. Brief all staff at onboarding. Simple and fast to implement.
Effort: Low

A.7.7 Clear desk and clear screen
Define and enforce clear desk and clear screen rules to reduce the risk of unauthorized access.
Quickest: Require automatic screen lock after 5 minutes and publish a clear desk policy. Enforce via MDM. Conduct periodic walk-around audits to verify compliance.
Effort: Low

A.7.8 Equipment siting and protection
Site and protect equipment to reduce risks from environmental threats and unauthorized access.
Quickest: Ensure servers are in locked racks in access-controlled rooms. Document the location and protection measures for all critical hardware in your asset inventory.
Effort: Med

A.7.9 Security of assets off-premises
Apply security measures to assets used off-premises, taking the different risks into account.
Quickest: Require full disk encryption and screen lock on all laptops. Enable remote wipe via MDM. Create a portable device policy covering travel and public spaces.
Effort: Low

A.7.10 Storage media
Manage storage media through its lifecycle: acquisition, use, transportation, and disposal.
Quickest: Maintain a media register, encrypt all portable media, and use certified destruction (NIST SP 800-88) for disposal. Prohibit personal USB drives on work systems via MDM.
Effort: Med

A.7.11 Supporting utilities
Protect equipment from power failures and other disruptions caused by failures in supporting utilities.
Quickest: Install a UPS for server equipment. Document utility protection measures. For cloud-first companies, reference your cloud provider's infrastructure guarantees and SLAs.
Effort: Low

A.7.12 Cabling security
Protect power and telecommunications cabling from interception, interference, or damage.
Quickest: Route network cables through conduits or under raised floors where possible. Label all cables. For cloud/remote companies, this mostly applies to office network infrastructure.
Effort: Low

A.7.13 Equipment maintenance
Maintain equipment correctly to ensure its continued availability and integrity.
Quickest: Document a maintenance schedule for all hardware. Only use authorized maintenance providers. Ensure sensitive data is removed before sending equipment for repair.
Effort: Med

A.7.14 Secure disposal or re-use of equipment
Verify that all data has been removed or securely overwritten before disposing of or reusing equipment.
Quickest: Use DBAN or a certified destruction service for all hardware disposal. Document disposal in your asset register. Cloud environments should focus on secure deprovisioning of instances.
Effort: Med
A.8 Technological Controls (34 controls · A.8.1–A.8.34)

A.8.1 User endpoint devices
Protect information stored on, processed by, or accessible via user endpoint devices.
Quickest: Enroll all endpoints in MDM (Jamf for Mac, Intune for Windows). Enforce encryption, screen lock, and automatic updates. Takes 1–2 days to deploy org-wide.
Effort: Med

A.8.2 Privileged access rights
Restrict and manage the allocation and use of privileged access rights.
Quickest: Implement a PAM solution (CyberArk, HashiCorp Vault, or AWS IAM with least privilege). Require separate admin accounts. Log all privileged session activity.
Effort: Med

A.8.3 Information access restriction
Restrict access to information and application system functions in accordance with the access control policy.
Quickest: Implement RBAC in all key systems. Apply the least-privilege principle: users get the minimum access needed. Audit permissions quarterly via your IdP.
Effort: Low

A.8.4 Access to source code
Appropriately manage read and write access to source code, development tools, and software libraries.
Quickest: Require branch protection rules in GitHub/GitLab (no direct pushes to main). Use team-based access controls and audit who has repo access quarterly.
Effort: Low

A.8.5 Secure authentication
Implement secure authentication technologies and procedures based on information access restrictions.
Quickest: Enforce MFA on all systems using TOTP or hardware keys. Deploy SSO to centralize authentication. Disable password-only auth on all production systems immediately.
Effort: Low

A.8.6 Capacity management
Monitor and adjust the use of resources, making projections of future capacity requirements.
Quickest: Set up CloudWatch/Azure Monitor alerts for CPU, memory, and storage thresholds. Document capacity planning in your operational procedures and review quarterly.
Effort: High

A.8.7 Protection against malware
Implement detection, prevention, and recovery controls to protect against malware.
Quickest: Deploy an EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender, which is included in M365 Business Premium) on all endpoints. Enable real-time protection and centralized alerts.
Effort: Med

A.8.8 Management of technical vulnerabilities
Obtain information about technical vulnerabilities of systems in use, evaluate exposure, and take measures to address them.
Quickest: Enable AWS Inspector or Azure Defender for cloud scanning. Use Dependabot for code dependencies. Define SLAs: critical = 14 days, high = 30 days. Track in a register.
Effort: High

A.8.9 Configuration management (new in 2022)
Establish, document, implement, monitor, and review configurations for hardware, software, and networks.
Quickest: Use Infrastructure as Code (Terraform, CloudFormation) to define and version-control configurations. Use CIS Benchmarks as your baseline. Enable config drift detection via AWS Config.
Effort: Low

A.8.10 Information deletion (new in 2022)
Delete information stored in systems, devices, or media when it is no longer required.
Quickest: Define data retention periods for each data type and automate deletion using S3 lifecycle policies, database TTLs, or scheduled scripts. Document your data disposal procedures.
Effort: Med

A.8.11 Data masking (new in 2022)
Mask data in accordance with the organization's access control policy and other related policies.
Quickest: Implement data masking in non-production environments (dev, staging). Use synthetic data generation tools or database masking scripts. Never use real customer data in test environments.
Effort: Med

A.8.12 Data leakage prevention (new in 2022)
Apply data leakage prevention measures to systems, networks, and devices that process, store, or transmit sensitive information.
Quickest: Start with Microsoft Purview DLP (included in M365 E3+) or Google DLP for email and document scanning. Block uploads of sensitive data to personal cloud accounts via MDM.
Effort: High

A.8.13 Information backup
Maintain and regularly test backup copies of information, software, and systems.
Quickest: Enable automated daily backups with cross-region replication. Define RPO/RTO targets, test restores quarterly, and document results. AWS Backup or Azure Backup automates most of this.
Effort: Med

A.8.14 Redundancy of information processing facilities
Implement sufficient redundancy to meet availability requirements.
Quickest: Deploy across multiple availability zones in AWS/Azure. Use managed services with built-in redundancy. Document your architecture's failover capabilities and test annually.
Effort: High

A.8.15 Logging
Produce, store, protect, and analyze event logs.
Quickest: Enable CloudTrail (AWS) or Activity Logs (Azure) and centralize in CloudWatch or a SIEM. Retain logs for 12+ months. Set up alerts for critical events. This is a top auditor check.
Effort: High

A.8.16 Monitoring activities (new in 2022)
Monitor networks, systems, and applications for anomalous behavior and act on potential incidents.
Quickest: Configure AWS GuardDuty or Azure Sentinel for anomaly detection. Set up alerts for failed logins, privilege escalations, and unusual data access patterns. Review alerts daily.
Effort: Med

A.8.17 Clock synchronization
Synchronize the clocks of all information processing systems to approved time sources.
Quickest: Enable NTP synchronization on all systems (default on most cloud services). Document your time source. Verify with `timedatectl` or equivalent. Takes 30 minutes.
Effort: Low

A.8.18 Use of privileged utility programs
Restrict and tightly control the use of utility programs that might be capable of overriding system and application controls.
Quickest: Maintain an approved list of system utilities. Require approval before installing new tools on production systems. Log and audit all privileged utility usage.
Effort: Med

A.8.19 Installation of software on operational systems
Implement procedures to control software installation on operational systems.
Quickest: Restrict installation rights via MDM (only IT-approved software). Maintain a software allowlist. Require formal change approval before any production software changes.
Effort: High

A.8.20 Networks security
Secure, manage, and control networks to protect information and information processing facilities.
Quickest: Segment networks into VPCs/subnets (prod, dev, corporate). Apply security groups and NACLs with least-privilege rules. Enable VPC Flow Logs for traffic monitoring.
Effort: Med

A.8.21 Security of network services
Identify, implement, and monitor security mechanisms for network services.
Quickest: Document your network services (VPN, DNS, firewall, WAF) and their security configurations. Verify services are configured to vendor security baselines. Review quarterly.
Effort: Med

A.8.22 Segregation of networks
Segregate groups of services, users, and systems within the organization's networks.
Quickest: Separate production, staging, and development networks. Isolate IoT and guest WiFi on separate VLANs. Restrict cross-segment traffic via firewall rules.
Effort: Med

A.8.23 Web filtering (new in 2022)
Manage access to external websites to reduce exposure to malicious content.
Quickest: Deploy a DNS filtering solution (Cloudflare Gateway free tier, Cisco Umbrella) to block malicious domains. Takes 30 minutes to configure. Document your filtering policy.
Effort: Med

A.8.24 Use of cryptography
Define and implement rules for the effective use of cryptography to protect information.
Quickest: Publish a Cryptography Policy defining approved algorithms (AES-256, RSA-2048+, TLS 1.2+). Use AWS KMS or Azure Key Vault for key management. Audit encryption annually.
Effort: Med

A.8.25 Secure development life cycle
Establish and apply rules for the secure development of software and systems.
Quickest: Publish a Secure Development Policy requiring code review, SAST scanning (Snyk, SonarQube), and security testing before production release. Integrate it into your CI/CD pipeline.
Effort: Med

A.8.26 Application security requirements
Identify, specify, and approve information security requirements when developing or acquiring applications.
Quickest: Create an application security requirements template (OWASP Top 10 checklist). Apply it to all new development projects and to third-party applications before procurement.
Effort: Low

A.8.27 Secure system architecture and engineering principles
Establish, document, maintain, and apply principles for engineering secure systems.
Quickest: Document your secure architecture principles (defense in depth, least privilege, zero trust, fail secure). Reference NIST SP 800-160. Apply them to all system design decisions.
Effort: Med

A.8.28 Secure coding (new in 2022)
Apply secure coding principles to software development.
Quickest: Adopt the OWASP Secure Coding Practices as your standard. Train developers annually. Integrate SAST tools (Snyk, Checkmarx) into CI/CD. Require peer code review for all PRs.
Effort: High

A.8.29 Security testing in development and acceptance
Define and implement security testing processes throughout the development lifecycle.
Quickest: Add automated security scanning to your CI/CD pipeline. Conduct DAST testing (OWASP ZAP, Burp Suite) before major releases. Document test results and remediation.
Effort: High

A.8.30 Outsourced development
Direct, monitor, and review activities related to outsourced system development.
Quickest: Include security requirements in outsourced development contracts (code ownership, NDA, no-backdoors clause, security testing requirements). Conduct code reviews before accepting deliverables.
Effort: High

A.8.31 Separation of development, test and production environments
Separate and apply security controls to development, testing, and production environments.
Quickest: Maintain separate AWS accounts or resource groups for dev/staging/prod. Block production access from developers by default. Use CI/CD pipelines for controlled deployments.
Effort: High

A.8.32 Change management
Apply formal change management procedures to information processing facilities and systems.
Quickest: Implement a change management process requiring approval, testing, and rollback planning for all production changes. Use Jira or ServiceNow tickets as your change log.
Effort: High

A.8.33 Test information
Select, protect, and manage test information.
Quickest: Never use real customer data in non-production environments. Implement data masking or synthetic data generation for test datasets. Document your test data policy.
Effort: High

A.8.34 Protection of information systems during audit testing
Plan and agree on audit tests and other assurance activities to minimize disruption to business processes.
Quickest: Schedule audits during low-traffic windows. Give auditors read-only access to production. Define a scope agreement before any audit or penetration testing activity begins.
Effort: High

How Long Does It Take

ISO 27001 Certification Timeline

Most organizations take 6–12 months to achieve ISO 27001 certification from scratch. Your timeline depends on current security maturity, team size, and how much of the implementation you outsource. Here's a realistic phase-by-phase breakdown.

Phase 1 — Months 1–2
Foundation & Scoping
  • Appoint ISMS owner (CISO, CTO, or fractional)
  • Define ISMS scope boundary
  • Complete asset inventory
  • Run gap assessment against Clauses 4–10 + Annex A
  • Write core security policies (ISP, AUP, IR)
  • Enable MFA everywhere
⏱ 4–8 weeks · Heaviest documentation phase
Phase 2 — Months 2–6
Risk Assessment & Remediation
  • Complete formal risk assessment
  • Write Statement of Applicability
  • Implement missing controls in priority order
  • Deploy MDM, SIEM, vulnerability scanning
  • Run security awareness training (100% completion)
  • Write and test Incident Response Plan
⏱ 8–16 weeks · Most costly phase
Phase 3 — Months 5–7
Internal Audit & Evidence
  • Deploy GRC platform (Vanta, Drata, Sprinto)
  • Conduct internal audit against all clauses
  • Remediate audit findings
  • Assemble evidence package
  • Management review meeting
  • Select and contract certification body
⏱ 4–8 weeks · Book auditor 3–6 months early
Phase 4 — Months 7–12
External Audit & Certification
  • Stage 1 audit (document review, 1–2 days)
  • Remediate Stage 1 findings
  • Stage 2 audit (implementation testing, 2–5 days)
  • Address non-conformities
  • Receive certificate (valid 3 years)
  • Publish to trust page / share with customers
⏱ 8–16 weeks · Certificate valid 3 years
After Certification: Annual Maintenance
ISO 27001 requires annual surveillance audits in years 1 and 2, followed by full recertification in year 3. Maintain your ISMS continuously: conduct risk assessments at least annually, run quarterly access reviews, complete annual security training, and perform regular internal audits. A GRC platform dramatically reduces the ongoing effort.

Common Questions

ISO 27001 FAQ

The most common questions from organizations going through ISO 27001 for the first time.

Do I have to implement all 93 Annex A controls?
No — you select controls based on your risk assessment. However, you must document every exclusion in your Statement of Applicability with a justified reason. Common valid exclusions are controls that genuinely do not apply to your business model, for example controls about your own server rooms when you run everything in the cloud. Be careful with blanket exclusions: "cloud-only" rarely means no physical controls at all, since laptops, home offices and a co-working space still fall under the physical (A.7) theme, so exclude specific controls rather than the whole theme. Auditors will scrutinize your exclusions, so ensure they're defensible.
What's the difference between ISO 27001 Stage 1 and Stage 2 audit?
Stage 1 is a documentation review — the auditor assesses whether your ISMS is properly designed and documented. It typically takes 1–2 days and results in a list of observations and any gaps to address before Stage 2. Stage 2 is the implementation audit — the auditor verifies that your controls are actually operating effectively through interviews, testing, and evidence review. It takes 2–5 days depending on scope. Both stages are conducted by your chosen certification body.
How much does ISO 27001 certification cost?
For a 10–50 person organization, expect: Audit fees ($8k–$25k depending on scope and certification body), GRC platform ($6k–$20k/yr), penetration testing ($10k–$20k/yr), and consultant/fractional CISO support if needed ($10k–$40k). First-year total typically ranges from $30k–$80k. Subsequent years are significantly less — mainly the surveillance audit ($5k–$10k) and ongoing tooling.
Do I need ISO 27001 if I already have SOC 2?
It depends on your customers. SOC 2 (an AICPA attestation report rather than a certification) is the dominant assurance standard for North American B2B SaaS — US enterprise customers usually ask for SOC 2. ISO 27001 carries stronger international recognition, particularly in Europe, Asia-Pacific, and the Middle East. If you're expanding globally or selling to government or regulated industries internationally, ISO 27001 is often required. The good news: the two frameworks share roughly 70–80% control overlap, so having SOC 2 already puts you significantly closer to ISO 27001 certification.
What is a Statement of Applicability (SoA)?
The SoA is a mandatory document that lists all 93 Annex A controls (plus any additional controls your risk assessment leads you to adopt from other sources) and states for each: whether it's applicable to your organization, the justification for inclusion or exclusion, and the current implementation status. It's one of the most important documents in your ISMS — auditors use it as their roadmap. Do not write it from scratch; use a GRC platform or template to generate the first version, then customize it based on your risk assessment results.
Can a small company (under 50 employees) realistically get ISO 27001?
Yes — ISO 27001 scales to organizations of any size. Small companies often find it easier to implement because there's less complexity, fewer systems to document, and faster decision-making. The main challenge is resource allocation: you need someone to own the ISMS program, even if it's a part-time responsibility. A fractional CISO or GRC consultant can accelerate the process significantly. Many 10–30 person SaaS companies complete certification in 6–9 months.
What's the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard — it defines the requirements for an ISMS and lists the Annex A controls. You get certified against ISO 27001. ISO 27002 is the companion guidance document — it provides detailed implementation guidance for each of the 93 controls, explaining how to apply them in practice. You don't get certified against ISO 27002, but it's invaluable for understanding how to implement the controls that ISO 27001 requires.
How often must ISO 27001 be renewed?
ISO 27001 certificates are valid for 3 years. However, you must undergo annual surveillance audits in years 1 and 2 to maintain the certificate. In year 3, a full recertification audit is required. Surveillance audits are less intensive than the initial certification — they verify that your ISMS is being maintained and continuously improved. Most organizations align surveillance audits with their annual internal audit cycle.
What happens if I fail an ISO 27001 audit?
Audit findings fall into three categories: Major non-conformities (serious gaps that prevent certification — must be resolved before the certificate is issued), Minor non-conformities (gaps that require a corrective action plan within a window set by the certification body, commonly around 90 days, with closure verified at the next audit), and Observations (improvement opportunities with no mandatory action). Most organizations receive a mix of minor non-conformities and observations on their first audit. Very few fail outright. A good gap assessment before the audit significantly reduces the risk of major findings.
Do I need to hire a consultant to get ISO 27001 certified?
No — many organizations achieve certification without external consultants, especially if they use a GRC automation platform (Vanta, Drata, Sprinto) and have an internally capable security or engineering leader. That said, a fractional CISO or GRC consultant can significantly compress the timeline and reduce risk, particularly for the risk assessment, SoA creation, and audit preparation phases. The ROI is often positive when you factor in the cost of a prolonged certification process.

Not sure where you stand on ISO 27001?

Run a free gap assessment and get your readiness score across ISO 27001, SOC 2, HIPAA, and 30+ other frameworks in 10 minutes.

Start Your Free Gap Assessment →

Free forever · No sales calls · Instant results

© 2025 Gap Assessment · freegapassessment.com
For informational purposes only. Not legal or audit advice. Consult qualified professionals before making compliance decisions.