liminfo

ISO 27001 Checklist

Free web tool: ISO 27001 Checklist

Control domains tracked (one checkbox per Annex A control objective, 35 in total):

  • A.5 Information Security Policies (1)
  • A.6 Organization of Information Security (2)
  • A.7 Human Resource Security (3)
  • A.8 Asset Management (3)
  • A.9 Access Control (4)
  • A.10 Cryptography (1)
  • A.11 Physical and Environmental Security (2)
  • A.12 Operations Security (7)
  • A.13 Communications Security (2)
  • A.14 System Acquisition, Development and Maintenance (3)
  • A.15 Supplier Relationships (2)
  • A.16 Information Security Incident Management (1)
  • A.17 Business Continuity Management (2)
  • A.18 Compliance (2)

About ISO 27001 Checklist

The ISO 27001 Checklist is an interactive compliance tracking tool covering ISO/IEC 27001:2013 Annex A, from A.5 (Information Security Policies) to A.18 (Compliance). It tracks the 35 control objectives (the A.x.y headings such as A.9.2 User access management) under which Annex A's 114 individual controls are grouped, so each checkbox stands for an objective and all of the controls beneath it, not for a single control. Each of the 14 domains lists its objectives as checkboxes with a progress bar that updates in real time, and an overall progress indicator at the top gives an instant view of your organization's ISMS readiness.

Information security managers, IT auditors, compliance officers, and consultants preparing organizations for ISO 27001 certification use this tool to track gap assessments, internal audits, and pre-certification readiness reviews. It runs entirely in the browser with no sign-up and no server-side storage, so the checklist state itself never leaves your machine during sensitive pre-audit preparation.

The tool covers all 14 Annex A domains: A.5 Policies, A.6 Organization, A.7 Human Resource Security, A.8 Asset Management, A.9 Access Control, A.10 Cryptography, A.11 Physical Security, A.12 Operations Security, A.13 Communications Security, A.14 System Development, A.15 Supplier Relationships, A.16 Incident Management, A.17 Business Continuity, and A.18 Compliance. Each control objective is identified by its standard clause ID (e.g., A.9.2, A.12.6), so it aligns directly with the numbering in ISO/IEC 27001:2013 and with the implementation guidance in ISO/IEC 27002:2013.

Key Features

  • Full coverage of ISO 27001:2013 Annex A: all 14 control domains, with a checkbox for each of the 35 control objectives
  • Per-category progress bar showing checked vs. total control objectives for each domain
  • Overall progress indicator tracking aggregate completion across all 35 control objectives
  • Control objectives identified by official clause IDs (A.5.1 through A.18.2) for direct alignment with ISO documentation
  • Strikethrough styling on completed items for clear visual distinction between done and pending
  • 100% browser-based: checklist state is held in the page in your browser, with no server communication
  • No account or login required — use freely during confidential pre-audit preparation
  • Dark mode support and responsive layout for use in any environment

Frequently Asked Questions

What is ISO 27001 and why does it need a checklist?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Annex A of the 2013 edition lists 114 controls, grouped into 35 control objectives across 14 domains. Clause 6.1.3 requires an organization to compare the controls it has chosen against Annex A and to record in a Statement of Applicability which Annex A controls are included and which are excluded, with a justification for each exclusion, so every control has to be considered even if it is never implemented. A structured checklist ensures no control is overlooked during gap analysis, internal audits, or pre-certification reviews.

Which version of ISO 27001 does this checklist cover?

This checklist covers ISO/IEC 27001:2013 Annex A with control domains A.5 through A.18. ISO/IEC 27001:2022 replaced that structure with 93 controls in 4 themes (organizational, people, physical and technological), and organizations certified against the 2013 edition must transition to the 2022 edition by 31 October 2025. If your organization is working toward the 2022 edition, treat this checklist as a gap analysis starting point rather than a complete mapping; ISO/IEC 27002:2022 Annex B provides the correspondence tables between the 2013 and 2022 control sets.

How do I use this checklist for a gap analysis?

Work through each control domain (A.5 to A.18) and check off only the objectives whose controls are all either formally implemented and documented or excluded with a documented justification in your Statement of Applicability. Anything left unchecked represents a gap that must be closed, or an exclusion you still have to justify, before certification. Because each checkbox stands for a whole control objective (A.9.2 alone covers six controls, from user registration through removal of access rights), keep a control-level record alongside the checklist; the per-category progress bars then help you identify which domains need the most attention.
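The control-level bookkeeping behind the objective checkboxes, as an added example that is not the checklist tool's own code. It rolls a Statement of Applicability extract up to the objective and domain counters the tool displays, ticking an objective only when every control beneath it is implemented or excluded with a written justification, and it lists the gaps and unjustified exclusions that an objective-level checkbox hides. The control IDs and titles are the real Annex A identifiers from ISO/IEC 27001:2013; the applicability and implementation statuses are constructed sample data for an imaginary ISMS.

```python
"""Control-level gap analysis rolled up to the objective-level checkboxes.

Added example, not the checklist tool's own code. Control IDs and titles are
the real ISO/IEC 27001:2013 Annex A identifiers; the applicability and
implementation statuses below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str           # Annex A control, e.g. "A.9.2.3"
    title: str
    applicable: bool = True   # False = excluded in the Statement of Applicability
    implemented: bool = False
    justification: str = ""   # mandatory whenever applicable is False

    @property
    def objective(self) -> str:
        """Control objective shown as one checkbox: A.9.2.3 -> A.9.2"""
        return self.control_id.rsplit(".", 1)[0]


def domain_of(clause_id: str) -> str:
    """Annex A domain of any clause id: A.9.2.3 -> A.9, A.9.2 -> A.9"""
    return ".".join(clause_id.split(".")[:2])


def control_status(c: Control) -> str:
    """Classify a single control the way an internal auditor would."""
    if not c.applicable:
        return "excluded" if c.justification.strip() else "unjustified_exclusion"
    return "implemented" if c.implemented else "gap"


def objective_complete(controls) -> bool:
    """Tick the objective only when every control beneath it is either
    implemented or excluded with a written justification."""
    return all(control_status(c) in ("implemented", "excluded") for c in controls)


def roll_up(controls):
    """Return objective checkbox states, per-domain (done, total) progress,
    and the control-level findings the objective checkboxes hide."""
    by_objective = defaultdict(list)
    for c in controls:
        by_objective[c.objective].append(c)

    objectives = {obj: objective_complete(cs) for obj, cs in by_objective.items()}

    # Per-domain progress is counted over the objectives supplied; a full
    # SoA would cover all 35 objectives across the 14 domains.
    domains = {}
    for obj, done in objectives.items():
        done_count, total = domains.get(domain_of(obj), (0, 0))
        domains[domain_of(obj)] = (done_count + int(done), total + 1)

    return {
        "objectives": objectives,
        "domains": domains,
        "gaps": [c.control_id for c in controls if control_status(c) == "gap"],
        "unjustified_exclusions": [
            c.control_id for c in controls
            if control_status(c) == "unjustified_exclusion"
        ],
    }


# Constructed SoA extract: the statuses are invented for illustration.
SAMPLE_CONTROLS = [
    Control("A.5.1.1", "Policies for information security", implemented=True),
    Control("A.5.1.2", "Review of the policies for information security", implemented=True),
    Control("A.6.2.1", "Mobile device policy", implemented=True),
    Control("A.6.2.2", "Teleworking", applicable=False,
            justification="No teleworking is permitted; all work is on-site"),
    Control("A.9.2.1", "User registration and de-registration", implemented=True),
    Control("A.9.2.2", "User access provisioning", implemented=True),
    Control("A.9.2.3", "Management of privileged access rights", implemented=True),
    Control("A.9.2.4", "Management of secret authentication information of users", implemented=True),
    Control("A.9.2.5", "Review of user access rights"),           # never done: a gap
    Control("A.9.2.6", "Removal or adjustment of access rights", implemented=True),
    Control("A.10.1.1", "Policy on the use of cryptographic controls", implemented=True),
    Control("A.10.1.2", "Key management"),                         # HTTPS alone is not this
    Control("A.12.6.1", "Management of technical vulnerabilities", implemented=True),
    Control("A.12.6.2", "Restrictions on software installation", applicable=False),  # no justification
]


if __name__ == "__main__":
    result = roll_up(SAMPLE_CONTROLS)
    numeric = lambda clause: [int(p) for p in clause.split(".")[1:]]
    for obj, done in sorted(result["objectives"].items(), key=lambda kv: numeric(kv[0])):
        print(f"[{'x' if done else ' '}] {obj}")
    for dom, (done, total) in sorted(result["domains"].items(), key=lambda kv: numeric(kv[0])):
        print(f"{dom}: {done}/{total}")
    print("gaps:", result["gaps"])
    print("unjustified exclusions:", result["unjustified_exclusions"])
```

On the sample data only A.5.1 and A.6.2 may be ticked: A.9.2 and A.10.1 each hide an open control, and A.12.6 contains an exclusion with no justification, which an auditor will treat as a nonconformity against the Statement of Applicability rather than as a completed objective.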

Does checking a control mean we are certified for it?

No. Checking an item is a self-assessment indicator only. ISO 27001 certification requires an auditor from an accredited certification body to independently verify that controls are properly documented, implemented, monitored, and continually improved. This tool is for internal tracking and preparation, not certification evidence.

Can I save or export my checklist progress?

The tool keeps your progress in the page for the current browser session only. If you reload the page, progress is reset. For persistent tracking, take a screenshot before closing, or use the browser's print-to-PDF function to save a snapshot of your current completion status. A filled-in checklist doubles as a list of your organization's unaddressed controls, so store those snapshots with the same care as the gap assessment itself.

What is the difference between A.9 Access Control and A.12 Operations Security?

A.9 Access Control (4 control objectives) covers who may access what: business requirements for access control (A.9.1), user access management (A.9.2), user responsibilities (A.9.3), and system and application access control (A.9.4). A.12 Operations Security (7 control objectives) covers the operational practices that keep systems running securely: operational procedures and change management (A.12.1), protection from malware (A.12.2), backup (A.12.3), logging and monitoring (A.12.4), control of operational software (A.12.5), technical vulnerability management (A.12.6), and information systems audit considerations (A.12.7).

Is A.10 Cryptography the same as just using HTTPS?

Not entirely. A.10.1 Cryptographic Controls contains two controls: A.10.1.1, a policy on the use of cryptographic controls (which algorithms and key lengths are approved, and for which data and purposes), and A.10.1.2, key management, covering how keys are generated, stored, distributed, rotated, retired, and destroyed across their whole lifecycle. HTTPS is one application of cryptographic controls, but an auditor will still ask who owns the TLS private keys and certificates and how they are protected and renewed, and the objective also covers encryption of stored data, code signing, and digital certificates more generally.

How long does it typically take to achieve ISO 27001 certification?

The timeline varies significantly by organization size and existing security maturity. Small organizations with fewer systems typically take 6–12 months; larger enterprises may take 18–24 months or more. A gap assessment using a checklist like this one at the start of the project helps estimate the effort required across each of the 14 control domains.