The ISO 27001:2022 checklist is the practical starting point every business needs before beginning the certification journey — and most organisations discover they are further along than they expected. ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS). Published in October 2022, it replaced ISO 27001:2013 and introduced a restructured set of 93 Annex A controls — reorganised into four themes and updated to address cloud security, threat intelligence, and data masking requirements that were absent from the 2013 edition.
Certification to ISO 27001:2022 demonstrates to customers, partners, regulators, and procurement teams that your organisation manages information security risks systematically and verifiably. In the GCC market, ISO 27001:2022 certification is increasingly a commercial prerequisite for financial services, healthcare, government contracting, and cloud services.
This ISO 27001:2022 checklist covers the five practical steps to certification — what each step requires, the most common gaps, and what auditors will look for at each stage.
WHAT CHANGED IN ISO 27001:2022 VS ISO 27001:2013?
Before working through the ISO 27001:2022 checklist, understand the headline changes from the 2013 edition:
Annex A controls restructured:
→ 2013: 14 control categories, 114 controls
→ 2022: 4 control themes, 93 controls
Four control themes in ISO 27001:2022:
→ Organisational controls (37 controls)
→ People controls (8 controls)
→ Physical controls (14 controls)
→ Technological controls (34 controls)
11 new controls introduced in ISO 27001:2022:
→ Threat intelligence (5.7)
→ Information security for use of cloud services (5.23)
→ ICT readiness for business continuity (5.30)
→ Physical security monitoring (7.4)
→ Configuration management (8.9)
→ Information deletion (8.10)
→ Data masking (8.11)
→ Data leakage prevention (8.12)
→ Monitoring activities (8.16)
→ Web filtering (8.23)
→ Secure coding (8.28)
If your organisation was certified to ISO 27001:2013, all certificates should now be updated to 2022 — the transition deadline of October 2025 has passed. If you are certifying for the first time, you certify directly to ISO 27001:2022.
The ISO/IEC 27002:2022 companion standard provides detailed implementation guidance for all 93 Annex A controls.
THE ISO 27001:2022 CHECKLIST — 5 STEPS TO CERTIFICATION
Step 1 — Scope, Context, and Interested Parties (Clauses 4.1, 4.2, 4.3)
Every ISO 27001:2022 implementation begins with defining what is in scope — and this is where many organisations make their first critical mistake.
Context analysis (Clause 4.1):
Document internal and external issues relevant to information security. This includes regulatory requirements — PDPL Saudi Arabia, UAE data protection law, GDPR where applicable — contractual security obligations, and the threat landscape relevant to your sector and region.
Interested parties (Clause 4.2):
Identify all parties with information security interests: customers, regulators, employees, shareholders, suppliers, and relevant authorities. Document their specific requirements. Add these to your legal compliance register alongside applicable legislation.
Scope definition (Clause 4.3):
Define precisely which assets, systems, locations, and business processes are included in the ISMS. Scope that is too broad makes certification difficult. Scope that is too narrow may not satisfy customer requirements.
Most common gap at Step 1:
Organisations define scope based on what is convenient — not what is necessary. Auditors will specifically check whether critical systems or processes with significant information security risk have been excluded from scope without documented justification.
Step 2 — Information Security Risk Assessment and Treatment (Clause 6.1)
The risk assessment is the technical core of ISO 27001:2022 — and the document auditors will spend the most time reviewing.
Risk assessment requirements:
→ A documented risk assessment methodology defining likelihood, impact, and risk scoring
→ Identification of information assets within scope and their associated risks
→ Evaluation of risks against defined acceptance criteria
→ Risk treatment decisions for each identified risk: mitigate, avoid, transfer, or accept
Risk treatment plan:
For each risk selected for mitigation, document:
→ The Annex A control(s) selected to treat the risk
→ Any additional controls beyond Annex A
→ Responsible owner for implementing the control
→ Target implementation date and current status
ISO 27001:2022 checklist items auditors verify in the risk assessment:
→ Risk assessment is documented and reproducible — not a one-time spreadsheet exercise
→ All significant information assets are included
→ Risks are evaluated from the perspective of confidentiality, integrity, and availability
→ Risk treatment decisions and the resulting risk treatment plan are formally approved by the risk owners
→ Residual risk is formally accepted by the risk owners, with the acceptance recorded (Clause 6.1.3)
Step 3 — Statement of Applicability (SoA) — The Most Important Document in ISO 27001:2022
The Statement of Applicability maps your risk treatment decisions to the 93 Annex A controls. It is the most scrutinised document in any ISO 27001:2022 audit.
What the SoA must contain:
→ All 93 Annex A controls listed
→ Whether each control is included or excluded from your ISMS
→ Justification for every inclusion — which risks it treats
→ Justification for every exclusion — why it is not applicable
→ Implementation status of each included control
The SoA audit trap:
Many organisations exclude controls without adequate justification — particularly the 11 new 2022 controls around cloud security, threat intelligence, and data leakage prevention. An auditor who finds a significant information security risk that is not addressed by any control — and for which no control is listed as applicable — will raise a major nonconformity.
Work through the SoA systematically. For each of the 11 new controls, document explicitly whether it applies and why. Cloud services (5.23), threat intelligence (5.7), and data leakage prevention (8.12) are the three most commonly missed in first-time certifications.
Also ensure your legal compliance register maps applicable laws to specific ISMS controls — particularly for PDPL Saudi Arabia and data protection obligations that require specific technical and organisational controls.
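Steps 2 and 3 describe cross-checks that are easy to automate once the risk register and the SoA are kept as structured data rather than a spreadsheet. The script below is an added example, not code from the original page or from any ISO or Standards Unlimited template. It generates the 93 Annex A control identifiers from the theme sizes given earlier, scores each risk as likelihood times impact on assumed 1 to 5 scales with an assumed acceptance threshold of 6, and reports the conditions auditors look for: controls missing from the SoA, inclusions or exclusions with no justification, risks treated by a control the SoA excludes, risks above the threshold accepted without risk-owner sign-off, and mitigating controls that are still only planned. The risk register and SoA it runs over are constructed sample data with deliberate defects.

```python
"""Cross-check a risk register against a Statement of Applicability (SoA).

Added example, not code from the original page or from any ISO template. It runs
the verifications described in Steps 2 and 3 over constructed sample data; the
scoring scales, acceptance threshold, control ids and sample risks are assumptions.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Annex A ids generated from the 2022 theme sizes: 5.1-5.37 organisational,
# 6.1-6.8 people, 7.1-7.14 physical, 8.1-8.34 technological (93 in total).
THEME_SIZES = {"5": 37, "6": 8, "7": 14, "8": 34}
ALL_CONTROLS = {f"{t}.{n}" for t, size in THEME_SIZES.items() for n in range(1, size + 1)}
# The 11 controls introduced in ISO/IEC 27001:2022.
NEW_2022_CONTROLS = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10",
                     "8.11", "8.12", "8.16", "8.23", "8.28"}
# Assumed acceptance criterion: likelihood and impact on 1-5 scales, score is
# their product, and anything above 6 must be treated or formally accepted.
ACCEPTANCE_THRESHOLD = 6


def control_key(cid: str) -> tuple[int, int]:
    """Numeric sort key so 5.7 sorts before 5.23 (a plain string sort would not)."""
    theme, number = cid.split(".")
    return int(theme), int(number)


@dataclass
class Risk:
    risk_id: str
    asset: str
    security_property: str   # "C", "I" or "A"
    likelihood: int          # 1-5
    impact: int              # 1-5
    treatment: str           # mitigate | avoid | transfer | accept
    controls: list[str] = field(default_factory=list)   # Annex A ids selected
    owner_accepted: bool = False   # residual risk signed off by the risk owner

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoAEntry:
    applicable: bool
    justification: str
    status: str              # implemented | planned | not applicable


def check_isms(risks: list[Risk], soa: dict[str, SoAEntry]) -> list[tuple[str, str]]:
    """Return (severity, message) findings; 'major' is what an auditor would
    raise as a major nonconformity, 'observation' is a point to re-verify."""
    findings: list[tuple[str, str]] = []
    # Step 3: all 93 controls listed, every inclusion and exclusion justified.
    for cid in sorted(ALL_CONTROLS - set(soa), key=control_key):
        findings.append(("major", f"SoA omits control {cid}"))
    for cid, entry in sorted(soa.items(), key=lambda kv: control_key(kv[0])):
        if cid not in ALL_CONTROLS:
            findings.append(("minor", f"SoA lists unknown control {cid}"))
            continue
        if not entry.justification.strip():
            findings.append(("major" if not entry.applicable else "minor", f"control {cid} has no justification"))
        if cid in NEW_2022_CONTROLS and not entry.applicable:
            findings.append(("observation", f"new 2022 control {cid} excluded; confirm this is defensible"))
    # Step 2: risks above the threshold need treatment or risk-owner acceptance,
    # and every mitigated risk must map to an applicable, implemented control.
    for r in risks:
        if r.treatment == "accept":
            if r.score > ACCEPTANCE_THRESHOLD and not r.owner_accepted:
                findings.append(("major", f"{r.risk_id}: score {r.score} accepted without risk-owner sign-off"))
            continue
        if r.treatment == "mitigate" and not r.controls:
            findings.append(("major", f"{r.risk_id}: mitigate with no control selected"))
        for cid in r.controls:
            entry = soa.get(cid)
            if entry is None or not entry.applicable:
                findings.append(("major", f"{r.risk_id}: treated by {cid}, which the SoA omits or excludes"))
            elif entry.status != "implemented":
                findings.append(("minor", f"{r.risk_id}: control {cid} is '{entry.status}', not implemented"))
    return findings


def summarise(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per severity; all three keys are always present."""
    return {sev: 0 for sev in ("major", "minor", "observation")} | dict(Counter(s for s, _ in findings))


def build_sample_soa() -> dict[str, SoAEntry]:
    """Constructed SoA: everything applicable and implemented, plus three
    deliberate defects of the kind the page warns about."""
    soa = {cid: SoAEntry(True, "treats risks in the register", "implemented") for cid in ALL_CONTROLS}
    soa["8.12"] = SoAEntry(False, "", "not applicable")   # new control excluded, unjustified
    soa["8.11"] = SoAEntry(True, "masks PII in test data", "planned")
    del soa["8.23"]                                        # missing from the SoA entirely
    return soa


SAMPLE_RISKS = [   # constructed register
    Risk("R-001", "Customer database", "C", 4, 5, "mitigate", ["5.15", "8.5"]),
    Risk("R-002", "SaaS file sharing", "C", 3, 4, "mitigate", ["5.23", "8.12"]),
    Risk("R-003", "Production data copied to test", "C", 3, 3, "mitigate", ["8.11"]),
    Risk("R-004", "Guest Wi-Fi outage", "A", 2, 2, "accept"),
    Risk("R-005", "Legacy reporting server", "I", 4, 3, "accept"),   # score 12, no sign-off
]

if __name__ == "__main__":
    for sev, msg in check_isms(SAMPLE_RISKS, build_sample_soa()):
        print(f"[{sev}] {msg}")
```

Run as a script it prints one line per finding. The 8.12 case shows the SoA audit trap from Step 3 concretely: excluding a control that the risk treatment plan depends on produces two major findings at once, one on the SoA entry and one on the risk that relies on it. Replace the constants and sample data with your own register export and the same checks apply unchanged.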
Step 4 — Implementation and Operational Controls (Clause 8 and Annex A)
With the SoA complete, implement the controls selected for inclusion. This is the longest phase of ISO 27001:2022 certification — typically 4–8 months for a mid-sized organisation implementing from scratch.
Priority implementation areas:
Policies and procedures (Organisational controls — A.5):
→ Information security policy approved by top management
→ Access control policy
→ Acceptable use policy
→ Supplier security policy
→ Incident management procedure
→ Business continuity and disaster recovery plans
People controls (A.6):
→ Background screening procedure for new employees
→ Information security awareness training programme (mandatory for all staff)
→ Disciplinary process for information security violations
→ Offboarding procedure covering access removal and equipment return
Technological controls (A.8) and the new 2022 controls (A.5.7 and A.5.23 are organisational controls but belong in this group because they are the ones most often missed):
→ Threat intelligence (A.5.7): how do you collect and analyse threat information relevant to your sector, and who acts on it?
→ Cloud security (A.5.23): documented security requirements, and an approval record, for every cloud service in use
→ Data leakage prevention (A.8.12): controls that detect and prevent unauthorised exfiltration of sensitive data
→ Configuration management (A.8.9): documented, maintained, and monitored baseline configurations for hardware, software, and services
→ Secure coding (A.8.28): if you develop software, a documented secure development lifecycle
→ Data masking (A.8.11): applied wherever personal or sensitive data is used in non-production environments
AI and information security:
If your organisation uses AI systems, these introduce specific information security risks — model theft, adversarial attacks, training data poisoning — that should be captured in your risk assessment and addressed through specific controls. See our ISO 42001 AI governance guide for the AI-specific governance framework that complements ISO 27001:2022.
Step 5 — Internal Audit, Management Review, and Certification Audit (Clauses 9.2, 9.3)
The final phase of the ISO 27001:2022 checklist before seeking certification involves internal verification that the ISMS is working as intended.
Internal audit (Clause 9.2):
Conduct a full internal audit of the ISMS — covering all clauses, all in-scope Annex A controls, and all processes within scope. The audit must be conducted by individuals independent of the areas being audited.
Common internal audit findings that become certification audit failures:
→ Access control reviews not completed — user access rights not formally reviewed at required intervals
→ Supplier assessments not completed — third-party information security assessments missing for key suppliers
→ Incident records incomplete — incidents recorded but root cause analysis or corrective action (CAPA) closure missing
→ Training records not maintained — staff awareness training completed but not documented
Address every internal audit finding through the corrective action (CAPA) process before your certification audit. Certification auditors will review internal audit records and corrective action closure as standard procedure.
See our internal audit guide for the common reasons internal audits fail to catch what external auditors find — and how to close that gap before your certification audit arrives.
Management review (Clause 9.3):
Top management must conduct a formal ISMS management review covering: context changes, audit results, risk register status, security incidents, control performance, and continual improvement opportunities. The management review record is primary audit evidence of leadership commitment.
Stage 1 certification audit:
The certification body reviews your ISMS documentation — particularly the risk assessment, SoA, and key policies. Any documentation gaps identified at Stage 1 must be closed before Stage 2.
Stage 2 certification audit:
Auditors assess implementation evidence — interviewing staff, reviewing records, testing controls. The most common Stage 2 findings are operational — controls that are documented but not consistently implemented.
ISO 27001:2022 CERTIFICATION TIMELINE
For an organisation implementing ISO 27001:2022 from scratch:
📌 Month 1–2 — Scope definition, context analysis, gap assessment
📌 Month 2–4 — Risk assessment, SoA development, risk treatment planning
📌 Month 4–8 — Control implementation, policy and procedure development
📌 Month 8–9 — Internal audit and corrective actions
📌 Month 9 — Management review
📌 Month 10 — Stage 1 certification audit
📌 Month 11 — Stage 2 certification audit
📌 Month 12 — ISO 27001:2022 certificate issued (if no major nonconformities)
Organisations with existing ISO management systems — ISO 9001, ISO 14001, or ISO 45001 — typically complete ISO 27001:2022 3–4 months faster, because context analysis, management review, internal audit, and corrective action processes are already established.
WHAT AUDITORS CHECK FIRST — THE ISO 27001:2022 CHECKLIST PRIORITIES
Based on common certification audit findings, these are the highest-risk areas in any ISO 27001:2022 audit:
→ SoA completeness — all 93 controls addressed with documented justification for inclusions and exclusions
→ Risk assessment currency — risk assessment reflects the current threat landscape and recent changes
→ Access control implementation — user access rights formally reviewed, privileged access controlled, joiners/movers/leavers process operational
→ Supplier security — all significant third parties assessed; contracts include information security requirements
→ Incident management — incidents detected, recorded, investigated, and CAPA raised for significant events
→ Awareness training — all staff completed current information security training; records available
→ Cloud security controls (A.5.23) — every cloud service has documented security requirements and approval
→ New 2022 controls — threat intelligence, data leakage prevention, configuration management, and secure coding all present and evidenced
THE BOTTOM LINE
ISO 27001:2022 certification is not a one-time project. It is an ongoing management system that requires annual internal audits, annual surveillance audits, and a three-year recertification cycle. The ISO 27001:2022 checklist above covers the foundation work — the management system you build in years 1 and 2 determines how sustainable that cycle becomes.
The organisations that treat ISO 27001:2022 as a documentation exercise will struggle at surveillance. The organisations that build genuine risk management capability, real access control processes, and a functioning incident management culture will find each annual audit reinforces rather than stresses the system.
Start with the scope. Build the risk assessment. Work through the SoA control by control. Implement before you audit. And remember that the 11 new controls in ISO 27001:2022 — cloud security, threat intelligence, and data leakage prevention above all — are where first-time and transitioning organisations are most likely to be challenged.
👉 Download your free ISO 27001:2022 Compliance Checklist — 45 gap assessment items covering all five steps and the highest-risk Annex A controls.
👉 Use this ISO 27001:2022 checklist as your readiness tracker through every stage of the certification journey, and visit the Standards Unlimited shop for ISO 27001:2022 implementation templates, including a risk assessment tool, SoA template, policy library, and internal audit checklist.