Skip to main content
ISO 27001 Checklist
Ethan Heller avatar
Written by Ethan Heller
Updated over a week ago

We recommend completing the following checklist in sequential order as you work towards your ISO 27001 year 1 certification audit. The ISMS Plan document is available through the Policy Center.

  1. Complete and approve Policies in the Drata Platform

    1. NOTE: The ISMS Plan is an administrative document, and does not require personnel interaction (review, acknowledgement, acceptance, etc.).

  2. Review monitoring page and ensure tests are passing (this is an iterative step throughout the entire process).

  3. Invite personnel into the Drata Platform

  4. Complete Sections 4 and 5 of ISMS Plan

  5. Complete your annual risk assessment in Drata, including the risk treatment plan for identified risks.

  6. Complete Section 6 (Also include section 8) of ISMS Plan, including the Statement of Applicability within.

    1. For applicable controls complete the Status column, mark one or more of the following columns: LR, CO, BR/BP, RRA based on why the control is applicable, and assign a responsible party.

  7. Complete Sections 7 and 9 of the ISMS Plan

  8. Upload evidence for β€œNot Monitored Controls”

  9. Perform Internal Audit

    1. If the internal audit will be conducted by someone in your organization, you will need to ensure they are independent (i.e. did not build the ISO program, does not own Annex A controls, etc) and have the necessary experience to perform the internal audit.

      1. Document results in Appendix A

      2. Upload internal audit report DCF-165

    2. If the internal audit will be conducted by an outside party, you will need to engage with an auditor or consultant who has the necessary experience to perform the internal audit.

      1. Upload internal audit report to DCF-165

  10. After completion of the internal audit, conduct a formal management review of the internal audit report. Corrective Action Plans should be documented for non-conformities identified during the internal audit. Document the review in Appendix B of the ISMS Plan.

    1. Upload management review to DCF-164

  11. Contract with an ISO 27001 certification body and schedule Stage 1 and Stage 2 audits.

  12. 1-2 weeks prior to the Stage 1 audit, complete pre-stage 1 audit check-in with Drata CSM and Compliance Expert to determine readiness for Stage 1.

  13. Stage 1 audit completed by the certification body

  14. Complete post-stage 1/pre-stage 2 audit check-in with Drata CSM and Compliance Expert to review potential areas of concern identified by the certification body.

  15. Remediate potential areas of concern prior to Stage 2 audit beginning.

  16. Stage 2 audit completed by the certification body

  17. Complete post-stage 2 audit check-in with Drata CSM and Compliance Expert to review identified non-conformities and opportunities for improvement (OFIs)

Did this answer your question?