ISO 27001 – Checklist and Evidences

If your role involves gap analysis, audit (internal or external) or any other work that involves verifying each of the ISO 27001 requirements, our control-wise question and evidences is aimed for you. It helps you focus on what to ask, and what to look for.

The checklist and evidence covers the complete list of mandatory and annexcure controls, which is clause 4 to 10, and Annexure A.5.1.1 to A.18.2.3 (Total – 140 requirements)

Scope of Controls include all mandatory requirements Clause 4 to 10, and Annexure A.5.1.1 to A.18.2.3 (Total – 140 controls)

Here is a table that describes the individual iso 27001 requirement, sample question, and what you will get as an evidence.

ISO 27001 Requirement


Evidence description – what you will get

4.2 - Understanding the needs and expectations of interested parties

Who are the interested parties for your ISMS? What are their specific requirements?

We will provide an evidence of possible interested parties and their sample requirements

8.2 Information security risk assessment

How do you identify information security risk? How do you ensure that all the phases of ISO 31000 are tracked?

We will provide evidence of how risk assessment procedure looks like. We will share evidence of actual risks and how to track them from open, close, transfer, and accept risks.

5.3 Organizational roles, responsibilities and authorities

What are the organisational roles and responsibilities for your ISMS? What are the responsibilities and authorities for each role?

We will provide multiple possible roles in the organisation and their responsibilities and authorities

A.12.1.2 - Change management

What is your definition of change? What is the procedure in place?

We will provide sample evidences of IT and non IT changes

A.16.1.4 - Assessment of and decision on information security events

What are the security incidents identified? Who is responsible to mitigate if this incident takes place?

We will provide sample list of security incidents and tasks associated to each incident

A.18.1.1 - Identification of applicable legislation and contractual requirements

What are the applicable legal, regulatory and contractual requirements in place? How do you track new requirements

We will show you evidence of applicable legal requirements, and show evidence of tracking these requirements


If you wish to see a list of sample evidences, kindly let us know, we will provide the same.

The service includes 30 days Question and Answer (Q&A) support.


Contact Us Now !