ISO 27001 2022 Gap Analysis Tool


Note: 1) the numbering used under the heading ‘Clause’ is taken from ISO 27001:2022;

2) enter the appropriate status symbols (see footer) under the ‘Policy’ and ‘Other Document’ columns;
3) enter the identifying reference of the ‘Other Document’ in the ‘Document Reference’ column;
4) in the ‘Comment’ column, in addition to general comments, record both comments on the status and actions required;
5) text in blue shows the changes and additions introduced with the 2022 edition of the Standard.

Organization name and location


ISMS Manual or equivalent
Issue No.
Issue Date
Clause    Policy    Other Document    Document Reference    Comment
4 Context of the organization
4.1 Understanding the organization and its context
Has the organization determined external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended outcome(s) of its
information security management system?
NOTE: Determining these issues refers to establishing the external and internal
context of the organization considered in Clause 5.4.1 of ISO
31000:2018.

4.2 Understanding the needs and expectations of interested parties


Has the organization determined:
a) interested parties that are relevant to the information security management
system; and
b) the requirements of these interested parties relevant to
information security?
c) which of these requirements will be addressed through the information security
management system?
4.3 Determining the scope of the information security management system

Has the organization determined the boundaries and applicability of
the information security management system to establish its scope?
When determining this scope, has the organization considered:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by
the organization, and those that are performed by other organizations?

Is the scope available as documented information?


4.4 Information security management system
Has the organization established, implemented, maintained and continually improved
the information security management system, including the processes needed and
their interaction, in accordance with the requirements of the ISO 27001 Standard?

5 Leadership
5.1 Leadership and commitment
Has top management demonstrated leadership and commitment with respect to the
information security management system by:
a) ensuring the information security policy and the information
security objectives are established and are compatible with the strategic
direction of the organization;
b) ensuring the integration of the information security
management system requirements into the organization’s
processes;

c) ensuring that the resources needed for the information security
management system are available;
d) communicating the importance of effective information
security management and of conforming to the information security
management system requirements;
e) ensuring that the information security management system achieves its
intended outcome(s);
f) directing and supporting persons to contribute to the
effectiveness of the information security management system;

g) promoting continual improvement; and


h) supporting other relevant management roles to demonstrate their
leadership as it applies to their areas of responsibility?
NOTE Reference to “business” in this document can be
interpreted broadly to mean those activities that are core to the
purposes of the organization’s existence.

5.2 Policy
Has top management established an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides
the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to
information security; and
d) includes a commitment to continual improvement of the information
security management system?
Is the information security policy:
e) available as documented information;
f) communicated within the organization; and
g) available to interested parties, as appropriate?
5.3 Organizational roles, responsibilities and authorities
Has top management ensured that the responsibilities and authorities
for roles relevant to information security are assigned and communicated within the
organization?
Has top management assigned the responsibility and authority for:
a) ensuring that the information security management system
conforms to the requirements of the ISO 27001 Standard; and
b) reporting on the performance of the information security management
system to top management?
NOTE Top management may also assign responsibilities and authorities for reporting
performance of the information security management system within the organization.

6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, has the organization
considered the issues referred to in 4.1 and the requirements referred to in 4.2 and
determined the risks and the
opportunities that need to be addressed to:
a) ensure the information security management system can achieve its
intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement?
Has the organization planned:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information
security management system processes; and
2) evaluate the effectiveness of these actions?
6.1.2 Information security risk assessment
Has the organization defined and applied an information security risk assessment
process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments
produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks
associated with the loss of confidentiality, integrity and availability for
information within the scope
of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks
identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the
risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
f) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria
established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment?
Does the organization retain documented information about the information security
risk assessment process?
6.1.3 Information security risk treatment
Has the organization defined and applied an information security risk
treatment process to:
a) select appropriate information security risk treatment options, taking
account of the risk assessment results;
b) determine all controls that are necessary to implement the information
security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or
identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those
in Annex A and verify that no necessary controls have been omitted;
NOTE 1 Annex A contains a list of possible control objectives and controls.
Users of the ISO 27001 Standard are directed to Annex A to ensure that no
necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The
control objectives and controls listed in Annex A are not exhaustive and
additional control objectives
and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls
(see 6.1.3 b) and c)) and justification for
inclusions, whether they are implemented or not, and the justification for
exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan
and acceptance of the residual information
security risks?
Does the organization retain documented information about the
information security risk treatment process?
6.2 Information security objectives and planning to achieve them
Has the organization established information security objectives at relevant functions
and levels?
Are the information security objectives:
a) consistent with the information security policy;
b) measurable (if practicable);
c) taking account of applicable information security requirements, and results
from the risk assessment and the
risk treatment;
d) monitored;
e) communicated; and
f) updated as appropriate.
Does the organization retain documented information on the
information security objectives?
When planning how to achieve its information security objectives, does the
organization determine:
g) what will be done;
h) what resources will be required;
i) who will be responsible;
j) when it will be completed; and
k) how the results will be evaluated?

7 Support
7.1 Resources
Does the organization determine and provide the resources needed for the
establishment, implementation, maintenance and continual
improvement of the information security management system?
7.2 Competence
Does the organization:
a) determine the necessary competence of person(s) doing
work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate
education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and
evaluate the effectiveness of the actions
taken; and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training
to, the mentoring of, or the reassignment of current employees; or the
hiring or contracting of
competent persons.
7.3 Awareness
Are persons doing work under the organization’s control aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security
management system, including the benefits of
improved information security performance; and
c) the implications of not conforming with the information security
management system requirements?
7.4 Communication
Has the organization determined the need for internal and external
communications relevant to the information security management system including:

a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected?
7.5 Documented information
7.5.1 General
Does the organization’s information security management system
include:
a) documented information required by the ISO 27001 Standard; and
b) documented information determined by the organization as being
necessary for the effectiveness of the information security management
system?
NOTE The extent of documented information for an information security
management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and
services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

7.5.2 Creating and updating
When creating and updating documented information, has the organization ensured
appropriate:
a) identification and description (e.g. a title, date, author, or reference
number);
b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic); and
c) review and approval for suitability and adequacy?
7.5.3 Control of documented information
Is documented information required by the information security management system
and by this International Standard controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use,
or loss of integrity)?
For the control of documented information, has the organization
addressed the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of
legibility;
e) control of changes (e.g. version control); and
f) retention and disposition?
Is documented information of external origin, determined by the
organization to be necessary for the planning and operation of the information
security management system, identified as appropriate, and controlled?
NOTE Access implies a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the
documented information, etc.

8 Operation
8.1 Operational planning and control
Does the organization plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6, by:
- establishing criteria for the process;
- implementing control of the processes in accordance with the criteria?

Does the organization keep documented information to the extent necessary to
have confidence that the processes have been
carried out as planned?
Does the organization control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary?

Does the organization ensure that externally provided processes, products or
services that are relevant to the information security
management system are controlled?
8.2 Information security risk assessment
Does the organization perform information security risk assessments at planned
intervals or when significant changes are
proposed or occur, taking account of the criteria established in 6.1.2 a)?
Does the organization retain documented information of the results of the
information security risk assessments?
8.3 Information security risk treatment
Has the organization implemented the information security risk
treatment plan?
Does the organization retain documented information of the results of the
information security risk treatment?

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
Does the organization evaluate the information security performance and the
effectiveness of the information security management system?
Does the organization determine:
a) what needs to be monitored and measured, including
information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as
applicable, to ensure valid results. The methods selected should produce
comparable and reproducible
results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be
analysed and evaluated; and
f) who shall analyse and evaluate these results?
Is documented information available as evidence of the monitoring
and measurement results?
9.2 Internal audit
9.2.1 General
Does the organization conduct internal audits at planned intervals to provide
information on whether the information security
management system:
a) conforms to
1) the organization’s own requirements for its information
security management system; and
2) the requirements of the ISO 27001 Standard;
b) is effectively implemented and maintained?
9.2.2 Internal Audit Programme
Does the organization:
c) plan, establish, implement and maintain an audit programme(s), including
the frequency, methods, responsibilities, planning requirements and reporting.
The audit programme(s) shall take into consideration the importance of the
processes concerned and the results of
previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and
the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant
management; and
g) retain documented information as evidence of the audit programme(s) and
the audit results?
9.3 Management review
9.3.1 General
Does top management review the organization’s information security
management system at planned intervals to ensure its continuing
suitability, adequacy and effectiveness?
9.3.2 Management review inputs
Do the management reviews include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the
information security management system;
c) changes in needs and expectations of interested parties that are relevant to
the information security management system;
d) feedback on the information security performance, including
trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan; and

g) opportunities for continual improvement?


9.3.3 Management review results
Do the outputs of the management review include decisions
related to continual improvement opportunities and any needs for changes to the
information security management system?
Does the organization retain documented information as evidence of the results
of management reviews?

10 Improvement
10.1 Nonconformity and corrective action
When a nonconformity occurs, does the organization:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of
nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or
could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management
system, if necessary?
Are corrective actions appropriate to the effects of the
nonconformities encountered?
Does the organization retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent
actions taken; and
g) the results of any corrective action?


10.2 Continual improvement
Does the organization continually improve the suitability, adequacy and effectiveness
of the information security management system?

Annex A: Information security controls reference (normative)


NOTE: This will require an audit of the ISMS against the listed Controls in Annex A.
This should be documented separately and added to this Report.

Prepared by:
Date prepared:

NOTE: The word ‘normative’ means mandatory.
