ISO 27001:2022 Checklist

Updated this week

To streamline your journey toward ISO 27001 Year 1 certification, we recommend following this checklist sequentially. You'll find the essential Information Security Management System (ISMS) Plan document readily available in the Policy Center.

  1. Policy Management

    1. Draft, review, and approve all required ISO 27001:2022 policies in the Policy Center.

    2. Use the Essential Policy FAQs as an additional resource.

    NOTE: The ISMS Plan is an administrative document, and does not require personnel interaction (review, acknowledgement, acceptance, etc.).

  2. Review Monitoring Tests

    1. Work towards 100% completion of Monitoring Tests.

    Helpful Tip: Use the “Learn More” button on each test for help articles and remediation guidance.

  3. Review Evidence for Not Monitored Controls

    1. Upload documentation to support the controls that are not automatically monitored by the Drata platform.

  4. Invite Personnel into the Drata Platform

    1. Drata Personnel Overview: start with this three-part tutorial series to help you configure Drata’s Personnel section and manage user onboarding, acknowledgements, and training.

  5. Review and complete all sections within the ISMS Plan

    1. Context of the Organization (Clause 4)

    2. Leadership (Clause 5)

    3. Planning (Clause 6)

    4. Support (Clause 7)

    5. Operation (Clause 8)

    6. Performance Evaluation (Clause 9)

    7. Improvement (Clause 10)

    8. Statement of Applicability (SoA) & Annex A – Reference Control Objectives and Controls (93 total, categorized into the four themes below)

      1. A.5 Organizational Controls

      2. A.6 People Controls

      3. A.7 Physical Controls

      4. A.8 Technological Controls

    Note: Please reference the ISO 27001:2022 Example ISMS Plan for additional guidance.

  6. Appoint and establish ISMS + ISO 27001 Key Stakeholders

    1. Assemble an ISMS team (e.g., security engineers, compliance staff, and executive leadership) to guide strategy and implementation.

    2. Assign clear roles and align the team on the ISMS scope, plan, and responsibilities.

  7. Build your ISMS

    1. Define the ISMS scope (e.g., which departments, systems, and data are covered).

    2. Create a roadmap outlining tasks, timeline, and responsibilities.

  8. Complete Risk Assessment and Risk Management in Drata

    1. Identify, analyze, and treat risks to your information assets, systems, and services.

    2. After risks are identified, scored, and ranked, establish a designated remediation plan.

  9. Complete the Statement of Applicability (SoA)

    1. Review the 93 controls listed in Annex A.

    2. Select and implement controls that are relevant to your organization.

    3. Complete the SoA, providing a justification for the inclusion or exclusion of each control within the ISMS.

  10. Perform Internal Audit

    1. If the internal audit will be conducted by someone in your organization, you will need to ensure they are independent (i.e., not involved in building the ISMS or responsible for any Annex A controls) and possess appropriate audit competency.

      1. Document results in Appendix A of your ISMS Plan.

      2. Upload your completed internal audit report under DCF-165 to satisfy the requirement for periodic independent assessments.

  11. Review Internal Audit Results

    1. After completion of the internal audit, conduct a formal management review of the internal audit report.

    2. Corrective Action Plans should be documented for non-conformities identified during the internal audit.

      1. Document the review in Appendix C of the ISMS Plan.

      2. Upload your completed management review summary to DCF-164 to demonstrate compliance with Clause 9.3.

  12. Pre-Audit Check-In

    1. Schedule a pre-audit readiness check-in with your Drata Customer Success Manager (CSM) and Compliance Advisor (CA). Ensure that your Drata platform reflects ~100% control completion prior to this call.

  13. Engage an Accredited ISO 27001 Certification Body and Schedule Your Audit

    1. Coordinate with your selected ISO 27001-accredited certification body to schedule both stages of the audit:

      1. Stage 1 Audit – Review of documentation, scope, and readiness

      2. Stage 2 Audit – Evaluation of control implementation and effectiveness

  14. Finalize Agreement and Audit Dates

    1. Finalize your agreement with the selected certification body and confirm audit dates for both Stage 1 and Stage 2.

      1. Reach out to your Drata CSM to schedule advisory meetings around the audit timeline and align on expectations.

  15. Post–Stage 1 Review with Drata

    1. Schedule a debrief with your Drata CSM and CA to analyze feedback from the Stage 1 audit. Address any deficiencies or areas of concern flagged during Stage 1. Clarify and review potential nonconformities, observations, and gaps.

  16. Complete Stage 2 Audit (Certification Assessment)

    1. The certification body performs an in-depth evaluation of your ISMS implementation and control effectiveness during the Stage 2 audit.

  17. Post–Stage 2 Review with Drata

    1. Meet with your Drata team for a final check-in to review any non-conformities or opportunities for improvement (OFIs) identified, and determine next steps for closure and continuous improvement.

Support Availability

Drata’s Technical Support Team is available via Live Chat 24/5, and Compliance Advisors are available from 6 AM to 6 PM PT, Monday–Friday. If you have questions at any step, don’t hesitate to reach out.