
ISO 27001:2022 Implementation Checklist

Information Security Management System Certification

Overview

ISO 27001:2022 is the latest version of the world's most widely recognized information security management system (ISMS) standard. Published in October 2022, it replaces ISO 27001:2013 and introduces a restructured set of controls in Annex A (reduced from 114 to 93 controls, including 11 new controls). Organizations certified to the 2013 version had until October 31, 2025, to transition. For new certifications, ISO 27001:2022 is the only available version. This checklist walks through the implementation process from initial scoping through certification audit.

Annex A Control Themes (ISO 27001:2022)

Theme | Number of Controls | Focus Areas
Organizational Controls | 37 | Policies, roles, threat intelligence, asset management, access control, supplier relationships, cloud services, business continuity
People Controls | 8 | Screening, awareness, responsibilities, remote working, reporting
Physical Controls | 14 | Perimeters, entry, offices, monitoring, equipment, storage media
Technological Controls | 34 | Endpoints, privileged access, authentication, encryption, secure development, configuration, DLP, monitoring, web filtering

New Controls in ISO 27001:2022

The 2022 revision introduces 11 new controls that reflect how security has evolved:

  • Threat intelligence (A.5.7): Collect and analyze threat intelligence relevant to your organization
  • Information security for use of cloud services (A.5.23): Manage security of cloud service adoption and usage
  • ICT readiness for business continuity (A.5.30): Ensure ICT systems support business continuity requirements
  • Physical security monitoring (A.7.4): Detect and deter unauthorized physical access through monitoring
  • Configuration management (A.8.9): Establish and maintain secure configurations for hardware, software, and networks
  • Information deletion (A.8.10): Delete information when no longer required in accordance with policy
  • Data masking (A.8.11): Mask data in accordance with access control and business requirements
  • Data leakage prevention (A.8.12): Apply data leakage prevention measures to systems and networks
  • Monitoring activities (A.8.16): Monitor networks, systems, and applications for anomalous behavior
  • Web filtering (A.8.23): Manage access to external websites to reduce exposure to malicious content
  • Secure coding (A.8.28): Apply secure coding principles in software development

Implementation Roadmap

  • Phase 1 (Months 1-2): Secure management commitment, define the ISMS scope, conduct an initial gap assessment, and establish the project plan.
  • Phase 2 (Months 2-4): Perform the risk assessment, develop the Statement of Applicability (SoA), create the required policies and procedures, and define the risk treatment plan.
  • Phase 3 (Months 4-8): Implement controls, deploy technical solutions, conduct training and awareness programs, and integrate the ISMS into day-to-day operations.
  • Phase 4 (Months 8-10): Conduct the internal audit, perform the management review, address non-conformities, and finalize documentation.
  • Phase 5 (Months 10-12): Engage a certification body, complete the Stage 1 audit (documentation review), address findings, and pass the Stage 2 audit (implementation assessment).

Timelines vary by organization size and complexity, but 9-12 months is typical for a first-time certification.

Required Documentation

  • ISMS scope statement (Clause 4.3)
  • Information security policy (Clause 5.2)
  • Risk assessment process and methodology (Clause 6.1.2)
  • Risk treatment plan (Clause 6.1.3 e)
  • Statement of Applicability (Clause 6.1.3 d)
  • Information security objectives (Clause 6.2)
  • Evidence of competence (Clause 7.2)
  • Operational planning and control documentation (Clause 8.1)
  • Risk assessment results (Clause 8.2)
  • Risk treatment results (Clause 8.3)
  • Monitoring and measurement results (Clause 9.1)
  • Internal audit program and results (Clause 9.2)
  • Management review results (Clause 9.3)
  • Non-conformities and corrective actions (Clause 10.2)

Certification Process

Stage | What Happens | Duration
Stage 1 Audit | Certification body reviews ISMS documentation, scope, and readiness, and identifies any gaps that must be addressed before Stage 2. | 1-2 days on-site
Stage 2 Audit | Full implementation audit assessing whether controls are operating effectively: staff interviews, evidence review, control testing. | 3-5 days on-site (varies by scope)
Surveillance Audits | Annual audits reviewing a subset of the ISMS to verify ongoing conformity. | 1-2 days annually
Recertification Audit | Full audit every three years to renew the certificate. | Similar to Stage 2

Frequently Asked Questions

How long does it take to get ISO 27001 certified?
Typically 9-12 months for a first-time certification. This depends on organizational size, complexity, existing security maturity, and resource availability. Organizations with mature security programs may achieve certification faster, while larger enterprises may need 12-18 months.
What is the difference between the 2013 and 2022 versions?
The core management system clauses (4-10) are largely unchanged. The major changes are in Annex A, where 114 controls have been consolidated and restructured into 93 controls across four themes (organizational, people, physical, technological) instead of 14 domains. Eleven new controls address cloud security, threat intelligence, DLP, and other modern requirements.
Is ISO 27001 certification mandatory?
ISO 27001 is a voluntary international standard. However, many regulations reference it (including DORA, NIS2, and various national frameworks), customers increasingly require it through procurement processes, and the evidence it produces reduces the effort of meeting overlapping frameworks such as SOC 2 and the security-of-processing obligations under GDPR.
Do we need to implement all 93 Annex A controls?
No. You must consider all controls and document your decisions in the Statement of Applicability (SoA): for each control, state whether it is applicable, justify its inclusion or exclusion, and record whether it is implemented. Controls can be excluded if they are not relevant to your identified risks, but every exclusion must be justified. In practice, most organizations implement the majority of controls.
How much does ISO 27001 certification cost?
Costs vary significantly based on scope and organization size. Certification body audit fees typically range from $10,000-$50,000 for the initial certification. Additional costs include consulting support, tooling, personnel time, and any technical control implementations needed. Total investment for a mid-size organization is generally $50,000-$150,000.

Download it now or schedule a demo to see how Hunto AI can automate your security workflows.