Free Download
Compliance & Audit

ISO 27001:2022
Readiness Checklist

Full control coverage: Clauses 4–10 & all 93 Annex A controls
Client Organisation
Client Name Ltd
Document Reference
CYV-27001-CL-2025-01
Audit Date
May 2025
Lead Auditor
Cyvra
Standard Version
ISO/IEC 27001:2022
ISMS Scope
To be confirmed with client
Certification Body
TBC
Report Status
Draft: In Review
This checklist covers all mandatory ISMS clauses (4–10) and all 93 Annex A controls from ISO/IEC 27001:2022. Click any status badge to cycle through YES / PARTIAL / NO / N/A. Evidence and Notes columns are editable in the browser. Use Ctrl+P to print or save as PDF.
Important Notice — Guidance Document Only This document is prepared by Cyvra as an internal working tool to support compliance readiness activities. It is a structured guidance aid, not an official regulatory instrument, and does not constitute legal, regulatory, or professional advice. Cyvra is not a certification body, accreditation authority, or regulator. Completing or scoring this checklist does not constitute certification, audit sign-off, or confirmation of regulatory compliance. The content reflects Cyvra's interpretation of publicly available regulatory requirements at the time of preparation; it may not capture all obligations relevant to your organisation, may not reflect subsequent regulatory updates, and should not be relied upon as a complete statement of applicable law. Cyvra makes no representation or warranty, express or implied, as to the accuracy or completeness of this document. To the fullest extent permitted by law, Cyvra accepts no liability for any loss, penalty, or damage arising from use of or reliance on this document. Organisations must seek independent legal and regulatory advice appropriate to their specific circumstances.
ISO 27001:2022 Readiness Checklist: ISMS Clauses 4–10
Page 2 of 6
0%
0 Compliant
0 Partial
0 Non-Compliant
0 N/A
of 0 controls assessed
How to use: Click a status badge to cycle through YES / PARTIAL / NO / N/A. Click in the Evidence or Notes columns to type directly. The score bar above updates automatically as you complete the checklist.

ISMS Mandatory Clauses

ISO/IEC 27001:2022 Clauses 4–10 | 25 check items
ClauseRequirement & Audit Check PointsStatusEvidence RequiredAuditor Notes
Clause 4: Context of the Organisation
4.1Understanding the Organisation and Its Context
• Internal and external issues affecting IS documented and reviewed at planned intervals?
• Context analysis (PESTLE/SWOT or equivalent) referenced in ISMS scope decisions?
• Climate change and geopolitical factors considered per ISO 27001:2022 update?
Context analysis doc; board minutes
4.2Understanding Needs and Expectations of Interested Parties
• Interested parties (customers, regulators, employees, suppliers) identified and documented?
• IS requirements and expectations of each party recorded?
• Contractual and regulatory IS obligations captured?
Stakeholder register; regulatory obligations register
4.3Determining the Scope of the ISMS
• ISMS scope statement formally documented covering all applicable locations, processes, and systems?
• Exclusions from scope identified and justified with rationale?
• Scope reviewed and updated when organisational changes occur?
ISMS Scope Statement; exclusion justification
4.4Information Security Management System
• ISMS established, implemented, maintained, and continually improved per the standard?
• ISMS processes and their interactions defined and documented?
• Evidence of ISMS operation (records, logs, meeting minutes) retained?
ISMS process map; operational records
Clause 5: Leadership
5.1Leadership and Commitment
• Top management demonstrate commitment through resource allocation, communication, and active participation in ISMS?
• IS policy and objectives established consistent with strategic direction?
• Management actively promote continual improvement?
Board resolution; ISMS budget approval; mgmt review minutes
5.2Information Security Policy
• IS Policy documented, approved by top management, and published?
• Reviewed at planned intervals or after significant changes?
• Communicated to all personnel and relevant external parties?
IS Policy; management approval record; distribution evidence
5.3Organisational Roles, Responsibilities and Authorities
• ISMS roles (CISO, risk owner, data owner, system owner) formally defined and assigned?
• ISMS performance reporting route to top management documented?
• Roles communicated throughout the organisation?
RACI matrix; job descriptions; org chart with IS roles
Clause 6: Planning
6.1.1Actions to Address Risks and Opportunities: General
• Risks and opportunities relevant to IS context and objectives identified?
• Actions planned and integrated into ISMS processes?
• Effectiveness of actions evaluated?
Risk management framework; risk register
6.1.2Information Security Risk Assessment
• Risk assessment methodology documented with acceptance criteria and likelihood/impact scales?
• Assessment conducted at planned intervals AND when significant changes occur?
• Risk owners assigned for each identified risk?
Risk assessment methodology; completed risk register with dates
6.1.3Information Security Risk Treatment
• Risk treatment options selected and treatment plan documented?
• Statement of Applicability (SOA) produced covering all 93 Annex A controls with inclusion/exclusion rationale?
• Residual risks formally accepted by risk owners?
Risk treatment plan; SOA; risk acceptance records
6.2IS Objectives and Planning to Achieve Them
• IS objectives documented at relevant functions and levels, measurable, and consistent with IS policy?
• Plans identify what, who, when, how evaluated?
• Objectives monitored and progress reported to management?
IS objectives register; KPI reports; management review inputs
6.3Planning of Changes
• Changes to the ISMS carried out in a planned and controlled manner?
• IS impact assessments performed for significant organisational or system changes?
Change management log; ISMS change impact assessments
Clause 7: Support
7.1Resources
• Adequate resources (budget, personnel, tools) allocated for ISMS operation?
• Resource requirements reviewed at management review?
ISMS budget; headcount allocation; management review records
7.2Competence
• Competence requirements defined for all IS-relevant roles?
• Training provided and records retained to demonstrate competence?
• Training effectiveness evaluated (tests, certifications, practical assessment)?
Competency matrix; training records; certification evidence
7.3Awareness
• All personnel aware of IS policy, their contribution to ISMS, and consequences of non-compliance?
• Awareness delivered at onboarding and regularly thereafter?
• Phishing simulations or assessments used to measure effectiveness?
Training completion records; phishing simulation results
7.4Communication
• IS communication plan identifies what, when, with whom, and by whom?
• Internal IS communications (policy updates, alerts) delivered effectively?
Communications plan; evidence of IS communications
7.5Documented Information
• Required ISMS documented information identified, controlled (version, approval, distribution)?
• Document control procedure in place (creation, review, update, retention, disposal)?
• External documented information (standards, contracts) identified and controlled?
Document control procedure; document register; version history
Clause 8: Operation
8.1Operational Planning and Control
• ISMS processes planned, implemented, controlled, and documented?
• Outsourced IS processes identified and controlled?
Operational procedures; outsourced process controls
8.2Information Security Risk Assessment (Operational)
• Risk assessments performed at planned intervals AND triggered by significant changes?
• Results retained as documented information?
Risk assessment records with dates; change-triggered assessments
8.3Information Security Risk Treatment (Operational)
• Risk treatment plan implemented with actions, owners, and target dates?
• Treatment effectiveness monitored and reported?
Risk treatment tracker; action completion evidence
Clause 9: Performance Evaluation
9.1Monitoring, Measurement, Analysis and Evaluation
• IS performance metrics defined, monitored, and reported at planned intervals?
• Monitoring methods produce valid and reproducible results?
• Results analysed and used to drive improvement?
IS KPI dashboard; measurement methodology; analysis reports
9.2Internal Audit
• Internal audit programme covering all ISMS areas, with criteria, scope, and frequency defined?
• Auditors selected to ensure objectivity and impartiality (no self-audit)?
• Audit results reported to management; findings tracked to closure?
Audit programme; audit reports; NC tracking log
9.3Management Review
• Management review conducted at planned intervals (at least annually) covering all required inputs?
• Inputs include: audit results, security performance, risk treatment status, stakeholder feedback?
• Outputs (decisions, actions) documented and tracked?
Management review meeting minutes; action register
Clause 10: Improvement
10.1Continual Improvement
• Continual improvement process drawing on audit results, performance data, and management review outputs?
• Improvement initiatives documented with measurable outcomes?
Improvement register; before/after metrics
10.2Nonconformity and Corrective Action
• Process for identifying, documenting, and evaluating nonconformities in place?
• Root cause analysis performed; corrective actions prevent recurrence?
• Corrective action log maintained with status and verification of effectiveness?
Corrective action log; root cause analyses; closure evidence
ISO 27001:2022 Readiness Checklist: Annex A.5 Organisational Controls
Page 3 of 6

Annex A.5: Organisational Controls

37 controls
RefControl Name & Audit Check PointsStatusEvidence RequiredAuditor Notes
A.5.1Policies for Information Security
• IS policy and topic-specific policies documented, approved by management, published, and accessible to all staff?
• Policies reviewed at planned intervals or following significant changes?
• Staff acknowledgement of policies recorded?
IS Policy suite; version history; management approval; staff sign-off log
A.5.2IS Roles and Responsibilities
• IS roles formally defined with written responsibilities (CISO, data owners, system owners)?
• Roles assigned to competent individuals and communicated throughout the organisation?
RACI matrix; job descriptions; org chart
A.5.3Segregation of Duties
• Conflicting duties identified for sensitive processes (finance, access provisioning, admin)?
• Segregation controls implemented; compensating controls where full separation not feasible?
• SoD reviewed periodically and exceptions documented?
SoD matrix; process controls; access reviews
A.5.4Management Responsibilities
• Management actively require staff to apply IS policies?
• Commitment evidenced through security meetings, communications, resource allocation?
Management communications; IS steering committee minutes
A.5.5Contact with Authorities
• Contacts with relevant authorities (regulators, law enforcement, national CERTs) maintained?
• Procedure defining when and how to contact authorities exists and is tested?
Authority contact register; incident escalation procedure
A.5.6Contact with Special Interest Groups
• Organisation participates in relevant IS forums, ISACs, or professional groups?
• Threat intelligence and best practices shared/received through these channels?
Membership records; threat intel subscription evidence
A.5.7Threat Intelligence
• Threat intelligence collected from multiple relevant sources (government, ISAC, commercial feeds)?
• Intelligence analysed and used to update risk assessments and control decisions?
• Threat intelligence process documented and reviewed regularly?
Threat intel sources; analysis reports; risk register updates
A.5.8IS in Project Management
• IS integrated into project management methodology from initiation?
• IS risk assessments conducted for all significant projects?
• IS requirements tracked and verified at project closure?
PM policy; IS risk assessment templates; project closure checklists
A.5.9Inventory of Information and Other Associated Assets
• Complete and current inventory maintained covering information, software, hardware, and services?
• Records include: asset type, location, classification, and owner?
• Inventory reviewed and reconciled at regular intervals?
Asset register; last review date; asset owner sign-offs
A.5.10Acceptable Use of Information and Other Associated Assets
• Acceptable Use Policy (AUP) documented and covering all relevant asset types?
• AUP communicated to all personnel and contractors; acknowledgement recorded?
• AUP violations monitored, reported, and addressed?
AUP document; signed acknowledgements; violation log
A.5.11Return of Assets
• Process for return of assets upon termination or role change documented?
• Asset return checklists completed and signed on offboarding?
• Asset register updated promptly following return?
Offboarding checklist; asset return records; register updates
A.5.12Classification of Information
• Classification scheme documented with clear categories (e.g. Public/Internal/Confidential/Restricted)?
• Classification criteria applied consistently across all information assets?
• Levels aligned to legal, regulatory, and contractual requirements?
Classification policy; asset register with classification; training records
A.5.13Labelling of Information
• Labelling procedure defined and implemented for all classification levels?
• Labels applied to documents, emails, storage media, and systems?
• Labelling compliance audited?
Labelling procedure; DLP/labelling tool config; audit results
A.5.14Information Transfer
• Policies and procedures for information transfer (internal and external) documented?
• Transfer agreements with third parties covering confidentiality and security?
• Encryption used for transfer of sensitive information?
Data transfer policy; NDAs; encryption evidence; transfer logs
A.5.15Access Control
• Access control policy documented based on need-to-know and least privilege?
• Access provisioned and revoked through formal approval process?
• Access rights reviewed at regular intervals (at least annually)?
Access control policy; access request records; periodic access reviews
A.5.16Identity Management
• Formal identity lifecycle management process in place (create, change, suspend, delete)?
• Shared/generic accounts controlled, justified, and audited?
• Identity management integrated with HR joiner/mover/leaver processes?
IAM system records; HR-IT integration evidence; generic account register
A.5.17Authentication Information
• Authentication credentials managed through a formal process?
• Default credentials changed on all systems before deployment?
• Strong password/passphrase policy enforced technically (length, complexity, MFA)?
Password policy; AD/IdP configuration; default credential audit
A.5.18Access Rights
• Access rights granted based on formal approval and business justification?
• Reviewed periodically (quarterly for privileged, annually for standard accounts)?
• Access rights revoked promptly on termination or role change?
Access approval records; access review reports; revocation evidence
A.5.19IS in Supplier Relationships
• Policy for managing IS risks in supplier relationships documented?
• IS requirements identified and assessed before engaging suppliers?
• Supplier IS risk assessments performed and documented?
Supplier IS policy; supplier risk assessments; vendor register
A.5.20IS within Supplier Agreements
• Supplier agreements include IS requirements (data protection, incident notification, right to audit)?
• Agreements reviewed and updated when IS requirements change?
• Compliance with contractual IS clauses monitored?
Supplier contracts with IS clauses; contract review records
A.5.21Managing IS in the ICT Supply Chain
• IS requirements communicated to and through the ICT supply chain?
• Supply chain IS risks assessed (hardware/software provenance, vendor due diligence)?
• Process to verify supplier IS practices and subcontractor controls?
Supply chain risk assessments; procurement IS requirements; SBOM
A.5.22Monitoring, Review and Change Management of Supplier Services
• Supplier IS performance monitored against contractual obligations?
• Supplier service reviews conducted at planned intervals?
• Changes to supplier services assessed for IS impact?
Supplier review minutes; SLA performance reports; change assessments
A.5.23IS for Use of Cloud Services
• Policy for acquisition, use, management, and exit from cloud services documented?
• Cloud agreements reviewed for IS clauses (data location, encryption, audit rights)?
• Cloud services assessed against organisational classification and risk criteria?
Cloud usage policy; provider contracts; cloud risk assessments
A.5.24IS Incident Management Planning and Preparation
• IS incident management procedure documented with roles, escalation paths, and timelines?
• Incident response team defined, trained, and contactable 24/7?
• Procedure tested (tabletop or live exercise) at planned intervals?
Incident response plan; team assignments; exercise reports
A.5.25Assessment and Decision on IS Events
• Process defined for categorising and prioritising IS events against severity criteria?
• Triage performed within defined timeframes?
Event triage procedure; severity classification criteria; event logs
A.5.26Response to IS Incidents
• Incident response playbook covering containment, eradication, and recovery?
• Incidents responded to within defined SLAs?
• Evidence preserved for potential legal or regulatory purposes?
IR playbook; incident records; evidence handling procedure
A.5.27Learning from IS Incidents
• Post-incident reviews (PIRs) conducted for all significant incidents?
• Lessons learned documented and communicated?
• Recurring incidents tracked; root causes addressed through corrective actions?
PIR reports; lessons-learned log; corrective action records
A.5.28Collection of Evidence
• Procedures for collecting, preserving, and handling digital forensic evidence documented?
• Chain of custody maintained for all evidence collected?
Evidence handling procedure; chain of custody forms; training records
A.5.29IS During Disruption
• IS controls maintained during disruptive incidents?
• IS continuity covered within BCP/DRP and tested as part of exercises?
BCP/DRP with IS section; IS continuity test results
A.5.30ICT Readiness for Business Continuity
• ICT recovery objectives (RTO/RPO) defined and documented for all critical systems?
• Redundancy and failover capabilities in place and tested?
• ICT continuity integrated with overall BCP programme?
ICT BCP; RTO/RPO register; DR test results
A.5.31Legal, Statutory, Regulatory and Contractual Requirements
• Applicable legal, regulatory, and contractual IS requirements identified and documented?
• Process for tracking changes to requirements in place?
• Obligations recorded in a compliance register and assigned to owners?
Legal/regulatory obligations register; compliance tracking process
A.5.32Intellectual Property Rights
• Procedures to comply with IP rights (software licensing, copyright, patents) implemented?
• Software licence register maintained and reconciled?
Software licence register; IP policy; training records
A.5.33Protection of Records
• Records retention schedule defined, documented, and implemented?
• IS records protected from loss, destruction, falsification, and unauthorised access?
• Records securely disposed of at end of retention period?
Retention schedule; records management procedure; disposal records
A.5.34Privacy and Protection of PII
• Privacy/data protection policy documented and implemented?
• DPIA process in place for systems processing personal data?
• PII handling requirements embedded in system and supplier contracts?
Privacy policy; DPIA register; DPA agreements; ROPA
A.5.35Independent Review of IS
• Independent IS reviews (internal audit, external assessment) conducted at planned intervals?
• Review results reported to management; findings tracked to closure?
Internal audit reports; external assessment reports; NC tracker
A.5.36Compliance with IS Policies, Rules and Standards
• Regular compliance reviews performed against IS policies and standards?
• Non-compliance documented, remediated, and tracked to closure?
Compliance monitoring reports; management attestations; NC log
A.5.37Documented Operating Procedures
• Operating procedures for IS-relevant processes documented and available to those who need them?
• Procedures reviewed and updated when processes change?
Procedure library; version control records; review logs
ISO 27001:2022 Readiness Checklist: A.6 People Controls & A.7 Physical Controls
Page 4 of 6

Annex A.6: People Controls

8 controls
RefControl Name & Audit Check PointsStatusEvidence RequiredAuditor Notes
A.6.1Screening
• Background screening conducted prior to employment, commensurate with role sensitivity and data access?
• Screening results documented and retained confidentially?
• Re-screening conducted for high-risk roles or significant changes?
Pre-employment screening policy; screening provider records; HR files
A.6.2Terms and Conditions of Employment
• Employment contracts include IS responsibilities, confidentiality, and AUP obligations?
• IS responsibilities communicated before access is granted?
• Contracts reviewed and updated when IS requirements change?
Employment contract template; signed contracts; IS clauses review
A.6.3IS Awareness, Education and Training
• IS awareness programme delivered at onboarding and at regular intervals thereafter?
• Training tailored to different roles (technical, management, general staff)?
• Training effectiveness measured (assessments, phishing simulations, completion rates)?
Training plan; completion records; phishing simulation results; assessment scores
A.6.4Disciplinary Process
• Formal disciplinary process for IS policy violations documented and communicated?
• Applied consistently; actions proportionate and documented?
Disciplinary policy; HR records of IS-related disciplinary actions
A.6.5Responsibilities After Termination or Change of Employment
• IS responsibilities upon termination documented (confidentiality, asset return, access revocation)?
• NDAs and confidentiality obligations surviving termination enforced?
• Offboarding process triggers timely access revocation and asset recovery?
Offboarding checklist; post-termination NDA; access revocation logs
A.6.6Confidentiality or Non-Disclosure Agreements
• NDAs in place for all staff, contractors, and relevant third parties?
• Agreements include specific IS obligations (scope, duration, consequences)?
• Signed NDAs retained and breaches tracked and acted upon?
NDA template; signed NDA register; breach log
A.6.7Remote Working
• Remote working policy documented covering approved locations, devices, and security requirements?
• Remote access controls implemented: VPN, MFA, endpoint encryption, screen privacy?
• Remote working risks assessed and controls verified through monitoring?
Remote working policy; VPN logs; MDM configuration; MFA evidence
A.6.8Information Security Event Reporting
• Clear and accessible mechanism for staff to report IS events?
• Staff trained to recognise and report IS events promptly?
• Reports acknowledged and tracked; reporting volumes monitored?
Reporting channel documentation; training records; event log statistics

Annex A.7: Physical Controls

14 controls
RefControl Name & Audit Check PointsStatusEvidence RequiredAuditor Notes
A.7.1Physical Security Perimeters
• Physical security perimeters defined and documented for all facilities?
• Perimeters protected with appropriate barriers; all entry/exit points controlled and monitored?
Facility plan; access control system records; security inspection reports
A.7.2Physical Entry
• Access to secure areas controlled by authentication (card, PIN, biometric)?
• Visitor access logged, time-limited, and escorted throughout?
• Access logs reviewed regularly for anomalies?
Access control logs; visitor register; access review records
A.7.3Securing Offices, Rooms and Facilities
• Offices protected against unauthorised access?
• IS assets secured when areas unoccupied?
• Cleaning/maintenance staff supervised in sensitive areas?
Physical security policy; inspection records; third-party access logs
A.7.4Physical Security Monitoring
• CCTV or equivalent monitoring in place for critical and sensitive areas?
• Alarms and intrusion detection operational, tested, and monitored 24/7?
• Monitoring records retained per legal requirements and reviewed regularly?
CCTV system spec; alarm test records; monitoring retention policy
A.7.5Protecting Against Physical and Environmental Threats
• Physical/environmental threats identified (fire, flood, power failure, extreme weather)?
• Countermeasures implemented (fire suppression, flood barriers, UPS, temperature controls)?
• Controls tested and maintained at planned intervals?
Environmental risk assessment; fire/flood test records; UPS test logs
A.7.6Working in Secure Areas
• Procedures for working in secure areas defined and communicated?
• Photography/recording restricted; secure areas inspected regularly?
Secure area procedures; inspection records; signage
A.7.7Clear Desk and Clear Screen
• Clear desk and clear screen policy documented and communicated?
• Unattended screens auto-lock enforced via GPO or MDM?
• Compliance audits conducted; findings actioned?
Clear desk policy; GPO/MDM screen lock settings; audit walkthrough reports
A.7.8Equipment Siting and Protection
• Equipment sited to minimise environmental risk and restricted from public view?
• Equipment protected from power fluctuations (surge protection, UPS)?
Facilities plan; equipment placement assessment; power protection evidence
A.7.9Security of Assets Off-Premises
• Policy for assets taken off-premises documented (encryption, tracking, insurance)?
• Off-site assets encrypted at rest and tracked?
• Process for reporting and responding to lost/stolen assets defined and tested?
Off-premises asset policy; encryption evidence; lost/stolen incident records
A.7.10Storage Media
• Removable media managed and controlled (registration, authorisation, tracking)?
• Media sanitised before reuse and securely destroyed when retired?
• Media register maintained and reconciled?
Media management policy; media register; destruction certificates
A.7.11Supporting Utilities
• Critical utilities (power, cooling) protected with redundancy?
• UPS and generator capacity tested at planned intervals?
• Utility failures monitored with automated alerts?
UPS test records; generator test logs; utility monitoring alerts
A.7.12Cabling Security
• Power and network cabling protected from interception, interference, and physical damage?
• Cabling routes documented, labelled, and comms rooms physically secured?
Cabling diagram; physical inspection records; comms room access logs
A.7.13Equipment Maintenance
• Equipment maintained per manufacturer specifications with records kept?
• Third-party maintenance personnel authorised, supervised, and logged?
Maintenance schedule; service records; third-party access logs
A.7.14Secure Disposal or Re-Use of Equipment
• Secure data destruction procedure implemented before equipment disposal or reuse?
• Certificates of destruction obtained from third-party disposal providers?
• Equipment disposal records retained?
Disposal procedure; destruction certificates; disposal register
ISO 27001:2022 Readiness Checklist: Annex A.8 Technological Controls (A.8.1–A.8.17)
Page 5 of 6

Annex A.8: Technological Controls

34 controls | Part 1 of 2: A.8.1 to A.8.17
RefControl Name & Audit Check PointsStatusEvidence RequiredAuditor Notes
A.8.1User Endpoint Devices
• Policy for endpoint device management documented covering corporate and BYOD devices?
• All endpoints enrolled in MDM/EMM with security baseline enforced (encryption, screen lock, AV, patching)?
• Lost/stolen device procedure documented, tested, and remote-wipe capability verified?
Endpoint policy; MDM enrolment report; remote wipe test evidence
A.8.2Privileged Access Rights
• Privileged accounts inventoried, minimised, and reviewed at least quarterly?
• PAM solution in place for admin credential vaulting and session recording?
• Privileged access provisioned on just-in-time or need basis?
Privileged account register; PAM system evidence; quarterly access reviews
A.8.3Information Access Restriction
• Access to information restricted based on least privilege and need-to-know?
• RBAC or equivalent implemented across systems?
• Access restrictions enforced at system level?
Access control configuration; RBAC matrix; access restriction testing
A.8.4Access to Source Code
• Access to source code repositories restricted to authorised developers?
• Source code stored in version-controlled repository with access logging?
• Code changes tracked, reviewed, and approved?
Repository access controls; audit logs; code review records
A.8.5Secure Authentication
• MFA enforced for privileged access, remote access, and cloud services?
• No weak authentication protocols in use (NTLM, basic auth, Telnet)?
• Failed authentication attempts logged, alerted, and investigated?
MFA configuration; authentication protocol audit; failed login alert configuration
A.8.6Capacity Management
• Capacity thresholds defined and monitored for all critical systems (CPU, memory, storage, bandwidth)?
• Capacity forecasts produced at planned intervals?
• Automated alerts triggered before limits are reached?
Capacity monitoring dashboard; threshold alert config; forecast reports
A.8.7Protection Against Malware
• Anti-malware deployed and up to date on all endpoints, servers, and email gateways?
• Definition updates automated with alert on failure?
• Malware incidents logged, responded to per IR procedure, and reviewed?
AV deployment report; update policy; malware incident log
A.8.8Management of Technical Vulnerabilities
• Vulnerability management programme in place with regular scanning (at least quarterly)?
• Vulnerabilities prioritised by CVSS and KEV status; SLAs defined per criticality tier?
• Critical vulnerabilities closed within defined SLAs; progress tracked and reported?
Vulnerability scan reports; SLA policy; remediation tracker; KPI metrics
A.8.9Configuration Management
• Secure configuration baselines (CIS Benchmarks or equivalent) defined for all asset types?
• Configuration compliance monitored via automated scanning?
• Configuration changes managed through formal change control?
Baseline configuration documents; compliance scan results; change records
A.8.10Information Deletion
• Procedure for secure deletion of information at end of retention period implemented?
• Deletion aligned to retention schedule and data subject requests?
• Deletion records maintained (what, when, method)?
Deletion procedure; retention schedule; deletion audit trail
A.8.11Data Masking
• Data masking applied to sensitive data (PII, PCI, credentials) in non-production environments?
• Masking controls verified and tested to prevent re-identification?
• Exceptions from masking documented, approved, and risk-accepted?
Masking policy; non-prod data classification evidence; masking test results
A.8.12Data Leakage Prevention
• DLP technology deployed across email, endpoints, cloud, and web channels?
• DLP policies configured to detect and block/alert on sensitive data exfiltration?
• DLP alerts reviewed and investigated within defined timeframes?
DLP tool configuration; policy ruleset; alert investigation log
A.8.13Information Backup
• Backup policy defined with RTO/RPO requirements per system criticality?
• Backups tested by full restoration at regular intervals (at least annually)?
• Backups stored securely (encrypted), including offsite or immutable cloud storage?
Backup policy; restore test records; backup job success logs; offsite evidence
A.8.14Redundancy of Information Processing Facilities
• Critical systems configured with redundancy (HA, failover, load balancing)?
• Failover tested at planned intervals to verify RTO objectives are met?
• Redundancy capacity adequate to sustain full operations during primary failure?
Architecture diagrams; HA configuration; failover test reports
A.8.15Logging
• Audit logs generated for IS-relevant events: authentication, privilege escalation, data access, admin actions?
• Logs protected from tampering (write-once, SIEM forwarding, integrity checking)?
• Log retention periods defined, enforced, and adequate for regulatory requirements?
Logging policy; SIEM configuration; log integrity controls; retention settings
A.8.16Monitoring Activities
• SIEM/IDS/IPS in place for real-time network and system monitoring?
• Anomalous activities alerted and investigated within defined SLAs?
• Monitoring coverage, thresholds, and use cases reviewed and tuned regularly?
SIEM deployment evidence; alert configuration; investigation records; tuning log
A.8.17Clock Synchronisation
• NTP or equivalent implemented to synchronise all system clocks to an authoritative source?
• All endpoints, servers, and network devices synchronised?
• Clock drift monitored and alerted?
NTP configuration; time sync monitoring; drift alert settings
ISO 27001:2022 Readiness Checklist: Annex A.8 Technological Controls (A.8.18–A.8.34)
Page 6 of 6

Annex A.8: Technological Controls (continued)

Part 2 of 2: A.8.18 to A.8.34
RefControl Name & Audit Check PointsStatusEvidence RequiredAuditor Notes
A.8.18Use of Privileged Utility Programs
• Privileged utility programs (network scanners, admin tools, password utilities) controlled and inventoried?
• Use of utility programs logged and reviewed?
• Unnecessary utility programs removed or disabled from production systems?
Privileged tool inventory; usage logs; software baseline
A.8.19Installation of Software on Operational Systems
• Policy restricting software installation to authorised personnel and approved software?
• Installation controlled via MDM, application whitelisting, or standard images?
• Unapproved software detected via scanning and remediated?
Software installation policy; MDM configuration; software inventory scans
A.8.20Networks Security
• Network security policy documented and implemented?
• Networks segmented by function (production, DMZ, user, guest, OT/IoT)?
• Network access controls (firewalls, ACLs) managed, documented, and reviewed?
Network architecture diagram; firewall ruleset; network security policy
A.8.21Security of Network Services
• Security requirements and SLAs defined for all network services?
• Network service providers assessed for IS compliance?
• Service performance and security monitored against SLAs?
Network service SLAs; provider IS assessment; monitoring evidence
A.8.22Segregation of Networks
• Networks segregated by function and sensitivity (VLAN, DMZ, zero-trust microsegmentation)?
• Traffic between zones inspected by firewall/NGFW?
• Lateral movement between segments monitored and alerted?
Network segmentation diagram; inter-zone firewall rules; NDR/IDS alerts
A.8.23Web Filtering
• Web content filtering deployed to block malicious, phishing, and policy-violating sites?
• Filtering policies documented with categories defined?
• Filter bypass attempts (VPN, DNS-over-HTTPS) detected and investigated?
Web filter configuration; block category policy; bypass attempt logs
A.8.24Use of Cryptography
• Cryptography policy specifying approved algorithms (AES-256, RSA-2048+, TLS 1.2/1.3) documented?
• Encryption applied to data at rest and in transit for sensitive data?
• Key management lifecycle documented (generation, distribution, storage, rotation, revocation)?
Cryptography policy; encryption configuration; key management procedure
A.8.25Secure Development Life Cycle
• IS integrated into SDLC from requirements through design, development, testing, and deployment?
• Security requirements defined at project initiation; threat modelling performed?
• SAST/DAST performed as part of CI/CD pipeline?
SDLC security policy; threat model examples; SAST/DAST scan reports
A.8.26Application Security Requirements
• IS requirements identified, specified, and approved for all applications at design stage?
• Requirements derived from risk assessments and regulatory obligations?
• IS requirements verified through security testing before go-live?
Application IS requirements specs; risk assessments; pre-go-live test reports
A.8.27Secure System Architecture and Engineering Principles
• Secure architecture principles applied (defence-in-depth, zero trust, least privilege, fail-secure)?
• Security design reviews conducted for new and changed systems?
• Architecture decisions documented, reviewed, and approved?
Security architecture standards; design review records; architecture decision records
A.8.28Secure Coding
• Secure coding standards documented and enforced (OWASP Top 10, CERT/SEI)?
• Developers trained in secure coding practices?
• Code reviewed (peer review and/or SAST) before each release?
Secure coding standards; developer training records; code review evidence
A.8.29Security Testing in Development and Acceptance
• Security testing (penetration testing, vulnerability scanning) conducted pre-release?
• Testing results documented and findings tracked to resolution?
• Critical/high findings resolved as acceptance criteria before production deployment?
Pre-release pentest/scan reports; remediation evidence; go/no-go records
A.8.30Outsourced Development
• IS requirements included in outsourced development contracts?
• Outsourced code reviewed (code review/SAST) before acceptance?
• Outsourced developers subject to IS controls (screening, NDAs, access controls)?
Outsourcing contracts with IS clauses; code review records; developer screening
A.8.31Separation of Development, Test and Production Environments
• Development, test, and production environments physically or logically separated?
• Production data prohibited from test environments (or masked where unavoidable)?
• Access controls differ between environments; production access tightly restricted?
Environment architecture; access control comparison; test data policy
A.8.32Change Management
• Formal change management process governing all IS-relevant changes (RFC, impact assessment, approval, CAB)?
• IS impact assessed for all changes?
• Changes tested in non-production before deployment; rollback plans documented?
Change management procedure; RFC records; CAB minutes; rollback plans
A.8.33Test Information
• Production data prohibited from use in test environments by policy?
• Where production-like data needed, is it masked/anonymised before use?
• Test environment data controls documented and enforced?
Test data policy; data masking evidence; test environment access controls
A.8.34Protection of IS During Audit Testing
• Audit and penetration test activities planned, scoped, and approved in advance (Rules of Engagement)?
• Access for audit testing restricted, time-limited, and logged?
• Audit test results and tools protected from unauthorised access?
Rules of Engagement/SOW; test window approvals; audit access logs; report controls
Lead Auditor
Name:
Firm:
Date:
Signature:
Client Representative
Name:
Role:
Date:
Signature:
Audit Summary
Total Controls: 118 (25 Clauses + 93 Annex A)
Compliant: 0
Partial: 0
Non-Compliant: 0
Not Applicable: 0
Score: 0%