ISO 27001:2022
Readiness Checklist
A comprehensive, enterprise-grade checklist to help your organisation assess readiness for ISO 27001:2022 certification. Covers all mandatory clauses, Annex A controls, gap assessment, and the full certification journey. Built from 700+ enterprise engagements across India and the Middle East.
Overview
What is ISO 27001:2022?
About the Standard
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing sensitive company information, ensuring confidentiality, integrity, and availability. The 2022 revision replaced the 2013 edition with significant restructuring of Annex A controls.
For Indian enterprises, ISO 27001 certification is increasingly a prerequisite for doing business with global clients, meeting regulatory expectations from RBI, SEBI, IRDAI, and CERT-In, and demonstrating security maturity to stakeholders.
Key Changes from 2013 to 2022
- Annex A restructured from 14 domains to 4 themes: Organisational, People, Physical, and Technological
- Controls reduced from 114 to 93 — merged, updated, and streamlined
- 11 new controls added: threat intelligence, cloud security, data leakage prevention, monitoring, web filtering, secure coding, configuration management, and more
- Control attributes introduced: control type, security property, cybersecurity concept, operational capability, and security domain
- Transition deadline for existing certifications: 31 October 2025
Mandatory Requirements
Clauses 4–10 Checklist
These clauses define the mandatory management system requirements. Every item must be addressed for certification.
Clause 4: Context of the Organisation
Understand the organisation and its context to define the ISMS scope.
- ☐ Identify internal issues relevant to information security (culture, structure, capabilities, technology)
- ☐ Identify external issues (regulatory, legal, competitive, market, geopolitical environment)
- ☐ Identify interested parties and their requirements (clients, regulators, partners, employees)
- ☐ Determine legal, regulatory, and contractual obligations (IT Act 2000, DPDP Act, RBI/SEBI/IRDAI directives)
- ☐ Define the scope of the ISMS — organisational units, locations, assets, and technologies
- ☐ Document ISMS boundaries and applicability, including interfaces and dependencies
- ☐ Establish the ISMS considering internal/external issues and interested party requirements
- ☐ Document processes needed for the ISMS and their interactions
Clause 5: Leadership
Ensure top management commitment and governance structure.
- ☐ Obtain formal top management commitment to the ISMS (board resolution or management directive)
- ☐ Establish an information security policy aligned with business objectives
- ☐ Ensure the policy is communicated, available, and understood across the organisation
- ☐ Define and assign ISMS roles, responsibilities, and authorities (CISO, ISO, risk owners)
- ☐ Ensure management reviews are planned and conducted at defined intervals
- ☐ Allocate adequate resources (budget, personnel, tools) for ISMS implementation and maintenance
- ☐ Promote continual improvement as an organisational objective
- ☐ Integrate ISMS requirements into the organisation's existing business processes
Clause 6: Planning
Address risks and opportunities, and plan for achieving ISMS objectives.
- ☐ Determine risks and opportunities considering Clause 4 context (internal/external issues)
- ☐ Define and document the risk assessment methodology (criteria, likelihood, impact scales)
- ☐ Conduct a comprehensive information security risk assessment
- ☐ Develop a risk treatment plan with selected controls and justifications
- ☐ Prepare the Statement of Applicability (SoA) — map all Annex A controls with inclusion/exclusion rationale
- ☐ Set measurable information security objectives at relevant functions and levels
- ☐ Plan actions to achieve objectives — what, who, when, resources, and evaluation method
- ☐ Plan for changes to the ISMS ensuring controlled and documented transitions
Clause 7: Support
Ensure adequate resources, competence, and documented information.
- ☐ Determine and provide resources needed for ISMS establishment and maintenance
- ☐ Determine required competencies for personnel performing ISMS work
- ☐ Ensure competence through education, training, or experience — maintain evidence of competence
- ☐ Conduct information security awareness programs for all employees and contractors
- ☐ Define internal and external communication processes — what, when, to whom, how
- ☐ Establish documented information requirements for the ISMS
- ☐ Implement document control — creation, updates, version control, approvals
- ☐ Define retention, disposal, and access control policies for documented information
- ☐ Maintain records of training, competency assessments, and awareness activities
Clause 8: Operation
Implement and control the processes needed to meet ISMS requirements.
- ☐ Plan, implement, and control processes needed to meet ISMS requirements
- ☐ Implement the risk treatment plan as defined in Clause 6
- ☐ Conduct risk assessments at planned intervals or upon significant changes
- ☐ Ensure outsourced processes are identified, controlled, and monitored
- ☐ Document operational procedures and maintain operational evidence
- ☐ Manage changes to the ISMS operations in a planned and controlled manner
- ☐ Implement controls to mitigate identified risks per the SoA
- ☐ Maintain records of risk assessment results and risk treatment decisions
Clause 9: Performance Evaluation
Monitor, measure, analyze, and evaluate the ISMS performance.
- ☐ Determine what needs to be monitored and measured — including security objectives and controls
- ☐ Define methods for monitoring, measurement, analysis, and evaluation
- ☐ Establish when monitoring and measuring shall be performed and by whom
- ☐ Conduct internal audits at planned intervals — ensure auditor independence
- ☐ Develop an internal audit program (scope, frequency, methods, reporting)
- ☐ Conduct management reviews at planned intervals with required inputs
- ☐ Document management review outputs — decisions, improvement opportunities, resource needs
- ☐ Evaluate the performance of information security controls and processes
- ☐ Monitor security metrics and KPIs (incident response times, vulnerability remediation, etc.)
Clause 10: Improvement
Drive continual improvement of the ISMS suitability, adequacy, and effectiveness.
- ☐ Establish a process for managing nonconformities and corrective actions
- ☐ React to nonconformities — take action to control and correct; deal with consequences
- ☐ Evaluate the need for action to eliminate the causes of nonconformity
- ☐ Implement required corrective actions and review their effectiveness
- ☐ Make changes to the ISMS based on corrective action results, if necessary
- ☐ Continually improve the suitability, adequacy, and effectiveness of the ISMS
- ☐ Document all nonconformities, corrective actions, and their results
- ☐ Use findings from audits, reviews, and incidents to drive improvement initiatives
Reference Controls
Annex A Control Groups
ISO 27001:2022 restructured Annex A into four themes with 93 controls. Below are key controls from each group that most organisations must address.
A.5 Organisational Controls
| Control | Name | Checklist Item |
|---|---|---|
| A.5.1 | Policies for information security | ☐ Define, approve, publish, and communicate a set of information security policies |
| A.5.2 | Information security roles | ☐ Assign and communicate information security roles and responsibilities |
| A.5.3 | Segregation of duties | ☐ Ensure conflicting duties and responsibilities are segregated |
| A.5.4 | Management responsibilities | ☐ Ensure management enforces security policies among employees and contractors |
| A.5.7 | Threat intelligence | ☐ Collect, analyze, and act on information security threat intelligence |
| A.5.23 | Cloud service security | ☐ Define and manage information security requirements for cloud services (new in 2022) |
| A.5.29 | ICT readiness for continuity | ☐ Plan and prepare ICT to ensure business continuity (new in 2022) |
A.6 People Controls
| Control | Name | Checklist Item |
|---|---|---|
| A.6.1 | Screening | ☐ Conduct background verification checks on candidates prior to employment |
| A.6.2 | Terms of employment | ☐ Include information security responsibilities in employment contracts |
| A.6.3 | Awareness & training | ☐ Provide regular information security awareness education and training |
| A.6.5 | Termination responsibilities | ☐ Define and enforce responsibilities on termination or change of employment |
| A.6.7 | Remote working | ☐ Implement security measures for remote working arrangements (new in 2022) |
A.7 Physical Controls
| Control | Name | Checklist Item |
|---|---|---|
| A.7.1 | Physical security perimeters | ☐ Define physical security perimeters and secure areas (data centers, offices, archives) |
| A.7.2 | Physical entry | ☐ Control physical access with entry controls — badge systems, biometrics, visitor logs |
| A.7.4 | Physical security monitoring | ☐ Monitor premises continuously for unauthorized access (new in 2022) |
| A.7.8 | Equipment siting | ☐ Site and protect equipment to reduce environmental threats and unauthorized access |
| A.7.10 | Storage media | ☐ Manage storage media through lifecycle — use, transport, and disposal |
A.8 Technological Controls
| Control | Name | Checklist Item |
|---|---|---|
| A.8.1 | User endpoint devices | ☐ Secure information stored on, processed by, or accessible via user endpoint devices |
| A.8.2 | Privileged access rights | ☐ Restrict and manage the allocation and use of privileged access rights |
| A.8.5 | Secure authentication | ☐ Implement secure authentication mechanisms (MFA, password policies, SSO) |
| A.8.8 | Vulnerability management | ☐ Identify, evaluate, and remediate technical vulnerabilities in a timely manner |
| A.8.9 | Configuration management | ☐ Establish and maintain secure configurations for hardware, software, and networks (new in 2022) |
| A.8.12 | Data leakage prevention | ☐ Apply data leakage prevention measures to systems and networks (new in 2022) |
| A.8.16 | Monitoring activities | ☐ Monitor networks, systems, and applications for anomalous behaviour (new in 2022) |
| A.8.23 | Web filtering | ☐ Manage access to external websites to reduce exposure to malicious content (new in 2022) |
| A.8.24 | Use of cryptography | ☐ Define and implement rules for cryptography including key management |
| A.8.25 | Secure development lifecycle | ☐ Establish rules for secure development of software and systems (new in 2022) |
| A.8.28 | Secure coding | ☐ Apply secure coding principles to software development (new in 2022) |
Assessment Template
Gap Assessment Tracker
Use this template to document gaps between your current state and ISO 27001:2022 requirements. Print this page to use as a working document.
| Control Area | Current State | Gap Description | Priority | Owner | Target Date |
|---|---|---|---|---|---|
| Information Security Policy | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Risk Assessment & Treatment | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Asset Management | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Access Control | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Cryptography | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Physical Security | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Operations Security | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Communications Security | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| System Acquisition & Development | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Supplier Relationships | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Incident Management | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Business Continuity | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
| Compliance & Legal | ☐ None ☐ Partial ☐ Full | | ☐ H ☐ M ☐ L | | |
Certification Journey
Typical 6–10 Month Timeline
ISO 27001 certification is a structured process. Below is a typical timeline for a mid-size organisation, from initial assessment to certification.
Gap Assessment
Evaluate current security posture against ISO 27001:2022 requirements. Identify gaps, prioritize remediation efforts, and build a project plan.
Remediation
Implement missing controls, update policies and procedures, deploy technical measures, and train staff on new processes.
Documentation
Formalize ISMS documentation — policies, procedures, SOPs, risk register, SoA, and evidence collection.
Internal Audit
Conduct a full internal audit against ISO 27001:2022 requirements. Identify nonconformities and close them before the certification audit.
Stage 1 Audit
Certification body reviews documentation readiness — ISMS scope, policies, risk assessment, SoA, and management review records.
Stage 2 Audit
On-site audit evaluating the effectiveness of the ISMS implementation. Auditors verify controls are operational and effective.
Certification
Receive ISO 27001:2022 certificate upon successful completion. Plan surveillance audits (annual) and recertification (3-year cycle).
Need help with ISO 27001 certification?
Security Brigade has guided 700+ organisations through compliance and certification processes. Our team of CERT-In empanelled experts can help you at any stage of your ISO 27001 journey.