• Available Formats
    • Options
    • Availability
    • Priced From ( in USD )
    • Self Extracting File Format
    • Word Document, Immediate Download
    • $330.00
    • Add to Cart
    • Printed Edition
    • Ships in 1-2 business days
    • $167.00
    • Add to Cart

Customers Who Bought This Also Bought


About This Item


Full Description

This Software Engineering Process Technology (SEPT) checklist list gives an organization the confidence that it has all the artifacts required, recommended, or suggested (as identified by SEPT) by the ISO/IEC 27001:2022 standard. This checklist defines an artifact in terms of policies, procedures, plans, records, documents, audits, and reviews.

For 20 + years SEPT has produced checklists for organizations that require the highest proof that they have all the artefacts required to meet the requirements of a particular standard like ISO/IEC 27001:2022 (which has 371 identified artefacts).

An average SEPT checklist requires over 500 manhours to construct and verify that it is accurate and no nuance of a standard has been overlooked. SEPT senior staff have many years’ experience in developing world class software engineering process standards and checklists.  Every step of a checklist in its construction has been verified.

This checklist will ensure that your organization will have the proof (artefacts) to demonstrate to any public body that the organization has met the requirements of ISO/IEC 27001:2022.

Overview of the base standard

ISO/IEC 27001:2022 provides requirements for organizational information security management system and information security management controls; taking into consideration the organization's information security risk environment(s).  It is designed to be used by organizations that intend to:

  1. seek certification to ISO/IEC 27001:2022,
  2. select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001:2022,
  3. implement commonly accepted information security controls, 
  4. develop their own information security management system.

The requirements included in the ISO/IEC 27001:2022 standard are listed at a high level of detail, with an Annexed reference to ISO/IEC 27002:2022 as appropriate guidance to demonstrate compliance with ISO/IEC 27001:2022. If an organization is interested in testing their compliance with ISO/IEC 27001:2022 this checklist will provide an analysis of the detail in the ISO/IEC 27001 standard.  However, if the organization is only interested in the guidance in ISO/IEC 27002:2022 this checklist provides a list of all items required in Annex A of ISO/IEC 27001 that are derived from the ISO/IEC 27002 guidelines.  They are described in the Introduction to the checklist and in section 9.

How the SEPT checklist was developed and steps for using the checklist 

The SEPT checklists state, in a clear and concise manner, what is required in the form of artefacts to satisfy the standard. These artifacts called out in this checklist, if properly constructed should satisfy any review body that the organization has satisfied the requirements of ISO/IEC 27001:2022.

The artefacts are constructed around a classification scheme of physical evidence comprised of policies, procedures, plans, records, documents, audits, and reviews.  There must be an accompanying record of some type when an audit or review has been accomplished.  This record would define the findings of the review or audit and any corrective action to be taken.  For the sake of brevity this checklist does not call out a separate record for each review or audit.  All procedures should be reviewed but the checklist does not call out a review for each procedure unless the standard calls out the procedure review.  In this checklist, “manuals, reports, scripts and specifications” are included in the document category.  In the procedure category guidelines are included when the standard references another standard for physical evidence. The checklist does not call out the requirements of the referenced standard. 

The SEPT Engineering Department have carefully reviewed the Standard “ISO/IEC 27001:2022 - Information security management systems – Requirements" and defined the physical evidence required based upon this classification scheme. Then the Engineering Department has conducted a second review of the complete list to ensure that the documents’ producers did not leave out a physical piece of evidence that a “reasonable person” would expect to find.  It could certainly be argued that if the document did not call it out then it is not required; however, if the standard was used by an organization to improve its process, then it would make sense to recognize missing documents. 

In ISO/IEC 27001:2022 many requirements are not specific about the type of artefact that would be needed to satisfy it.  SEPT have therefore used the following codification rules:

  1. If the requirement clearly asks for a Procedure, Plan, Document, Record (Documented information), Audit or Review we have made these "Required" items with no appended asterisks. 

If the requirement is unclear about the type of artefact that would demonstrate compliance, then we have "Recommended" one and shown it with 2 asterisks (**) 

  1. appended.  An organization may decide not to follow this recommendation if they satisfy the requirement in a different and visible way.
  2. If there is a suggestion to do something - "should" rather than "shall" we have "Suggested” an appropriate artefact and shown our suggestion with 1 asterisk (*) appended
  3. Sometimes we will add additional "Suggested" artefacts as good practice. Again these are shown with 1 asterisk (*) appended.

If a document is called out more than one time, only the first reference is stipulated. 

There are situations in which a procedure or document is not necessarily separate and could be contained within another document.  For example, the "ISMS Risks and Opportunities Action Integration and Implementation Plan" could be a part of the "ISMS Risks and Opportunities Action Plan."  The authors have called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence.  If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item.  This should be done in the form of a statement reflecting that the information for this document may be found in section XX of Document XYZ.  If the organizational requirements do not call for this physical evidence for a particular project, this should also be denoted with a statement reflecting that this physical evidence is not required and why.  The reasons for the evidence not being required should be clearly presented in this statement.  Further details on this step are provided in the Detail Steps section of the introduction. The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements.


Clause 6.1.3 of ISO/IEC 27001:2022 requires that an organization determines all controls necessary to implement the information security risk treatment options based on the information security risk assessment results.  A Statement of Applicability of controls based on those listed in Annex A of the standard is also required.

Control objectives and controls are listed in Annex A of ISO/IEC 27001:2022 based on the layout and artefacts needed to satisfy ISO/IEC 27002:2022, specifically related to controls.  ISO/IEC 27002:2022 itself provides much more detail than ISO/IEC 27001:2022 about items needed to demonstrate best information security practices.

To satisfy Clause 6.1.3 of ISO/IEC 27001:2022 SEPT have included in Section 9 a sub set of items identified in the full ISO/IEC 27002:2022 Information security practices standard that are detailed in the related SEPT checklist (for ISO/IEC 27002:2022).  These are listed by Clause of ISO/IEC 27002.  For a fuller treatment of information security practice guidelines see ISO/IEC 27002:2022 and the related SEPT checklist for this standard.  Mostly, buyers of the ISO/IEC 27001 checklist also buy the ISO/IEC 27002 checklist to complement the 27001 checklist to insure that they have a full insight for defining or evaluating a Security Management System.


Document History

  1. SEPT ISO/IEC 27001 Checklist


    Checklist for Standard ISO/IEC 27001:2022 Information Security, Cybersecurity And Privacy Protection - Information Security Management Systems - Requirements

    • Most Recent
  2. SEPT ISO/IEC 27001 Checklist

    Checklist for Standard ISO/IEC 27001:2013, Information Security Requirements

    • Historical Version