ISO 27001 Checklist for UK Audit Preparation

An ISO 27001 checklist helps UK organisations prepare for audits by mapping ISO/IEC 27001 clauses to the evidence a certification body is likely to sample. It also groups evidence by type so you can prepare both documented information and operational records.

Use this as an audit prep guide, not a “tick-box” substitute for risk-based decisions in your ISMS.

Use this checklist to confirm two things before an audit:

1. Required documented information exists, is approved, and is controlled
2. There is recent evidence showing the ISMS and controls operate in practice

Auditors assess effectiveness over time, not just whether documents exist. Work clause by clause, assign an owner, and gather evidence in one place. If something exists but you cannot show recent records (tickets, logs, minutes, reviews), treat it as a gap and fix it before the audit.

This section checks that your ISMS scope and business context are clear and consistent.

Checklist items:

1. Define the ISMS scope (services, systems, locations, data types, key suppliers)
2. Identify interested parties and relevant requirements
3. Describe boundaries and interfaces (shared platforms, group functions, outsourced services)

Typical evidence auditors expect:

1. Approved ISMS scope statement (current, version-controlled)
2. Interested parties/context analysis updated when the business changes
3. High-level service or process maps showing dependencies and interfaces

This section checks that leadership ownership is visible and evidenced.

Checklist items:

1. Information security policy approved and communicated
2. Roles, responsibilities, and authorities defined (including risk ownership)
3. Evidence of leadership commitment to objectives, resources, and oversight

Typical evidence auditors expect:

1. Approved policy plus communication record
2. Role definitions (ISMS owner, risk owners, control owners)
3. Records of leadership decisions (priorities, resourcing, risk acceptance)

This section checks that your risk-based approach is documented and traceable.

Checklist items:

1. Risk assessment method defined and applied
2. Risk treatment plan produced and maintained
3. Statement of Applicability (SoA) completed and aligned to scope

Typical evidence auditors expect:

1. Risk assessment methodology and scoring criteria
2. Current risk register covering the ISMS scope
3. Risk treatment plan with owners and target dates
4. SoA listing Annex A controls, applicability, and justified exclusions

This section checks that competence, awareness, and document control support the ISMS.

Checklist items:

1. Competence needs identified for in-scope roles
2. Training and awareness delivered and tracked
3. Document control in place (approval, versioning, access, retention)

Typical evidence auditors expect:

1. Training completion reports and role-based training records
2. Awareness materials or communications
3. Document index plus examples showing approvals and version control
4. Evidence staff can access current documents when needed

This section checks that controls run as working processes and generate records.

Checklist items:

1. Controls implemented per SoA and risk treatment plan
2. Operating procedures exist for key activities (access, change, backup, supplier checks)
3. Evidence produced through normal work, not audit-only effort

Typical evidence auditors expect:

1. Tickets, approvals, and review outputs
2. Logs or monitoring records, where relevant to scope
3. Supplier checks and contract clauses, where applicable
4. Incident records and follow-up actions

This section checks that you monitor, audit, and review ISMS performance.

Checklist items:

1. Internal audit programme defined and delivered
2. Management review carried out with tracked outputs

Typical evidence auditors expect:

1. Internal audit plan, reports, and follow-up actions
2. Sampling approach and independence, where feasible
3. Management review minutes covering risks, incidents, audit results, metrics
4. Decisions and actions with owners and due dates

This checklist section confirms issues are recorded, corrected, and followed through so the ISMS improves over time.

Checklist items:

1. Nonconformities recorded, assessed, and corrected
2. Corrective actions tracked and verified as effective

Typical evidence auditors expect:

1. Nonconformity and corrective action procedure (documented and used)
2. Corrective action log with root cause, actions, owners, and deadlines
3. Evidence actions were completed and checked for effectiveness
4. Corrective actions raised from incidents (where applicable) and tracked to closure

This section helps organise Annex A evidence so auditors can sample efficiently.

Policy evidence:

1. Approved policies, standards, or procedures mapped to SoA items

Technical evidence:

1. Configuration outputs or reports (for example: MFA status or backup jobs)
2. Screenshots are used sparingly and supported by records over time

Operational evidence:

1. Tickets, approvals, registers, review notes, minutes, or trackers showing routine operation
2. Recurring proof, such as access reviews, supplier reviews, or incident reviews

1. An ISO 27001 checklist works best when it maps clauses to specific evidence
2. Auditors sample both documents and operating records over time
3. Clause 6 links scope, risks, controls, and the SoA, and auditors often treat it as central to audit readiness
4. Clause 8 depends on repeatable processes that generate records through normal work
5. Clauses 9 and 10 show the ISMS is monitored, reviewed, and improved