ISO 27001:2013 Checklist

Information Technology, Security Techniques & Management Systems


The Organisation

Have you determined the internal and external issues that will impact your information security management system?

Interested Parties

Have you determined which internal and external interested parties are relevant to the information security management system, and what their requirements are?


Have you determined the boundaries of the information security management system and documented its scope?


Leadership & Commitment

Can you demonstrate top management is providing leadership and commitment to the information security management system?

Information Security Policy

Have you documented an information security policy that is communicated and available?

Roles & Responsibilities

Are roles and responsibilities for information security communicated and understood?


Information Security Objective

Have you established information security objectives?

Are your information security objectives available as documented information?

Do you monitor, measure, and communicate them?

Do you have plans to achieve them?

Have you maintained records?

Risk & Opportunity

Have you determined the information security risks and opportunities related to your organisation?

Have you implemented a documented information security risk assessment process?

Statement of Applicability

Have you documented a risk treatment plan and Statement of Applicability with regard to controls?


Resources

Have you determined and ensured that the necessary resources are in place for the information security management system?


Awareness

Have you ensured that personnel are aware of your policy, the relevant objectives, and their responsibilities?

Control of Documents

Do you ensure documents and records are controlled?


Competence

Do you ensure the competence of personnel?

Do you maintain records?


Communication

Have you determined processes for internal and external communication relevant to information security?


Operational Planning & Control

Have you established and maintained procedures to meet the requirements of the information security management system?

Risk Assessment & Treatment

Do you assess risk at planned intervals and when significant changes occur, and do you maintain records?

Have you implemented risk treatment plans, and do you maintain records?

Performance Evaluation

Monitoring & Measurement

Do you monitor things such as processes, operational controls, access, usage and change?

Do you measure things such as KPIs and performance against targets?

Do you analyse this information and maintain records?

Internal Audit

Do you plan and conduct internal audits to ensure the information security management system conforms to requirements and is implemented effectively?

Do you maintain records?

Management Review

Does your top management review your information security management system at planned intervals?

Do you maintain records?


Continual Improvement

Do you continually improve the information security management system?

Non-Conformity & Corrective Action

Do you have processes to manage preservation during production, such as controls for packaging, handling, storage and transportation?


A.5.1 Management Direction
A set of information security policies

A.6.1 Internal Organisation
Roles and responsibilities, segregation of duties, contact with relevant authorities, contact with special interest groups, information security implemented in project management

A.6.2 Mobile Devices and Teleworking
A policy and measures for mobile devices. A policy and measures for teleworking

A.7.1 Prior to Employment
Pre-screening of employees, information security terms and conditions of employment

A.7.2 During Employment
Management's responsibility, awareness education and training, disciplinary processes

A.7.3 Termination and Change of Employment
Responsibilities post-employment

A.8.1 Responsibility for Assets
Asset inventory, ownership, acceptable use, return of assets

A.8.2 Information Classification
Classification of information, labelling information and handling assets

A.8.3 Media Handling
Managing removable media, disposal of media, transfer of media

A.9.1 Access Control
Access control policy, access to networks and network services

A.9.2 User Access Management
Registration and de-registration, provisioning, privileges, authentication, access rights, removal of rights

A.9.3 User Responsibility
Authentication responsibilities

A.9.4 System and Application Access Control
Access, log-on procedures, password management, utility programs, access to source code

A.10.1 Cryptography
Cryptography policy, key management

A.11.1 Secure Areas
Physical security perimeters, entry controls, securing offices and facilities, external and environmental threats, secure areas, delivery and loading docks

A.11.2 Equipment
Equipment siting, support utilities, cabling, equipment maintenance, removal of assets, securing equipment off-site, unattended user equipment, clear desk and clear screen

A.12.1 Operational Procedures and Responsibilities
Documented operational procedures, change management, capacity management, separation of development and testing

A.12.2 Malware
Protection against malware

A.12.3 Backup
Backups in place and tested regularly

A.12.4 Logging and Monitoring
Event logging, storing log information, administrator and operator logs, clock synchronisation

A.12.5 Operational Software
Protection of installed software

A.12.6 Technical Vulnerability Management
Management of vulnerabilities, restrictions on software installation

A.12.7 Information Security Audits
Audits and verification of operational systems

A.13.1 Network Security Management
Network controls, network services security, segregation in networks

A.13.2 Information Transfer
Transfer policies and procedures, external parties, email, confidentiality and non-disclosure agreements

A.14.1 Information Systems
Requirements, application services on public networks, application service transactions

A.14.2 Development and Support
Development policy, system change procedures, operating platform changes, modification to software packages, secure system engineering, development environment, outsourced development, security testing, acceptance testing

A.14.3 Test Data
Protecting test data

A.15.1 Supplier Relationships
Supplier access, supplier agreements, supply chain

A.15.2 Supplier Services
Monitor and audit suppliers, changes to supplier services

A.16.1 Incidents and Improvements
Incident responsibilities, reporting of incidents, reporting weaknesses, assessment of events, incident response, learnings, collecting evidence

A.17.1 Continuity
Continuity requirements, implementation of continuity processes, verifying and evaluating processes

A.17.2 Redundancies
Ensuring availability of information processing facilities

A.18.1 Compliance with Legal and Contractual Requirements
Documenting requirements, intellectual property rights, protecting records, privacy, cryptographic regulations

A.18.2 Security Reviews
Independent reviews, compliance with policies, technical compliance review

ISO 27001 Information Security

Information security is essential to the success of any organisation's operations. The standard is designed to help companies oversee the security and safety of their information assets against threats in the digital world.

What is ISO 27001 Information Security?

ISO 27001 is part of the ISO 27000 certification family and includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. It’s not all about risk though.

Why do I need ISO 27001 Certification?

The adoption of these processes gives you, your employees, regulators and clients the confidence that your information security risks are known and adequately managed.

How can I get certified?

Getting ISO certification is a lot easier than you might think. We take you through the three-step audit process, from your initial enquiry to the final certification decision.

ISO 27001 Certification Throughout Australia

Compass Assurance Services have offices and staff located throughout Australia including Brisbane, Melbourne, Perth and Sydney.
