Free resource · Auditor checklist

ISO 27001 evidence checklist

A practical checklist of the evidence a certification auditor actually expects to see for ISO 27001 — the mandatory clause records, Annex A evidence by theme, and the gaps that catch SMEs out at surveillance. Written by an IRCA Registered Principal Auditor.

See how PICMS manages ISO evidence Try PICMS Free

The auditor opens these first

Four things a certification auditor reaches for before anything else

When an ISO 27001 auditor sits down for a Stage 2 or surveillance visit, the first four artefacts they ask to see tell them whether the ISMS is real or paper. Have these instantly retrievable.

Scope statement — what is in and out of the ISMS, including locations, products/services, and any exclusions with justification.
Statement of Applicability (SoA) — every Annex A control marked applicable/not, with justification and implementation status.
Risk treatment plan — risks, chosen treatments, owners, and target dates, traceable to the risk assessment.
Internal audit programme + reports and the last management review minutes — proof the system is checked and owned by leadership.

Clauses 4–10

The documented information ISO 27001 actually requires

These are the records the standard mandates. Missing or out-of-date items here are the fastest route to a nonconformity.

ISMS scope (4.3) and information security policy (5.2)
Information security risk assessment process and results (6.1.2, 8.2)
Risk treatment process, the SoA, and the risk treatment plan (6.1.3, 8.3)
Information security objectives and plans to achieve them (6.2)
Evidence of competence and awareness for people in scope (7.2, 7.3)
Results of monitoring and measurement (9.1)
Internal audit programme and audit results (9.2)
Documented management review outputs (9.3)
Nonconformities and the corrective actions taken (10.2)

Annex A (ISO 27001:2022)

Evidence by control theme — 93 controls across four groups

You do not need a folder per control, but for each applicable theme an auditor expects to see live evidence it is operating, not just a policy that says it should.

Organizational (37) — policies, supplier/cloud security agreements, asset inventory, access-control policy, incident procedure, threat-intelligence and continuity records.
People (8) — screening records, terms of employment, awareness-training completion, disciplinary process, and joiners/movers/leavers evidence.
Physical (14) — secure-area access logs, visitor records, equipment maintenance, secure disposal/wiping certificates, clear-desk checks.
Technological (34) — access reviews, privileged-access records, logging and log review, vulnerability/patch evidence, backup and restore-test records, change records, secure-development and configuration baselines.

Where SMEs lose marks

The evidence that is almost always thin

These are the gaps that turn a clean audit into minor nonconformities. They are rarely about missing policy — they are about missing proof the policy is followed.

Periodic user access reviews actually performed and signed off
Restore tests from backups (everyone backs up; few prove they can restore)
Supplier / cloud-service security assurance kept current
Log review evidence — that someone looks, not just that logging is on
Awareness training completion records for every person in scope
Change records linking changes to risk and approval

ISO 27001 evidence checklist

Four things a certification auditor reaches for before anything else

The documented information ISO 27001 actually requires

Evidence by control theme — 93 controls across four groups

The evidence that is almost always thin

PICMS keeps every one of these as live, audit-ready evidence — mapped to the clause and the Annex A control, retrievable in seconds.