ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). In the defence supply chain it can carry particular weight, because the information you handle (technical drawings, project timelines, personnel data, classified correspondence and so on) often has implications that go well beyond your own organisation. Your clients need confidence that your business treats that information with the same seriousness they do, and ISO 27001 certification can give them that assurance.
This ISO 27001 checklist is for information security leads, compliance managers, and operations teams. If you are preparing for ISO 27001 certification, mid-way through a gap assessment, or managing a surveillance audit, this is your working reference.
1. Why ISO 27001 Matters
ISO 27001, updated in 2022 (ISO/IEC 27001:2022), defines how organisations establish, implement, maintain, and continually improve information security controls. If implemented correctly, it can form the basis of the robust security culture that your partners and clients require.
The NCSC’s Cyber Threat to the UK in 2024 identifies supply chain compromise as a primary attack vector against UK critical sectors, defence and aerospace included.
2. The ISO 27001 Checklist: Core Requirements
The 2022 revision restructured Annex A controls into four themes, across 93 controls. Your ISMS must demonstrate compliance with both the mandatory clauses (4–10) and the applicable Annex A controls.
Mandatory ISMS Requirements: Clauses 4–10
- Clause 4 — Context of the Organisation: Understanding the organisation, its internal and external issues, interested parties, and defining the scope of the ISMS.
- Clause 5 — Leadership: Top management commitment, information security policy, and organisational roles, responsibilities and authorities.
- Clause 6 — Planning: Actions to address risks and opportunities, information security objectives, and planning to achieve them. This is where risk assessment, risk treatment, and the Statement of Applicability (SoA) all live.
- Clause 7 — Support: Resources, competence, awareness, communication, and documented information (your policies, procedures, and records).
- Clause 8 — Operation: Operational planning and control, carrying out the risk assessment, and implementing the risk treatment plan. This is where the ISMS moves from paper into practice.
- Clause 9 — Performance Evaluation: Monitoring, measurement, analysis, internal audit, and management review. Evidence that the ISMS is working and being reviewed regularly.
- Clause 10 — Improvement: Nonconformity, corrective action, and continual improvement. What you do when something goes wrong or falls short.
Annex A Controls: Four Themes
| Theme | Controls | What Auditors Check |
| --- | --- | --- |
| Organisational | 37 controls | Policies, roles, supplier security, incident management |
| People | 8 controls | Pre-employment screening, awareness training, disciplinary process |
| Physical | 14 controls | Access controls, secure disposal, clear desk policy |
| Technological | 34 controls | Access management, encryption, monitoring, vulnerability management |
3. Certification Pathway: Phased Timeline
ISO 27001 certification follows a defined sequence. Rushing any phase creates audit findings that delay certification and increase cost.
| Phase | Activity | Duration | Key Output |
| --- | --- | --- | --- |
| Phase 1 | Gap Assessment | 4–6 weeks | Map controls against all 93 Annex A requirements. Produce prioritised remediation list. |
| Phase 2 | ISMS Build & Implementation | 8–16 weeks | Document policies, assign control owners, implement technical controls, complete risk assessment and SoA. |
| Phase 3 | Internal Audit | 4 weeks | Full internal audit against ISO 27001:2022 clauses. Raise and close nonconformities before the certification body arrives. |
| Phase 4 | Certification Audit (Stage 1 + 2) | 6–8 weeks | Stage 1 reviews documented ISMS. Stage 2 tests implementation against evidence. |
Realistic total timeline: 6–12 months from gap assessment to certificate, depending on scope and the current state of maturity in the organisation’s security processes.
We have put together a top-level checklist to give you a simple overview of what each clause within your ISMS should achieve.
Download your free ISO 27001:2022 readiness checklist
4. Common Mistakes
- Scope that is too broad or too narrow – Defining scope too broadly creates an unmanageable audit surface. Defining it too narrowly excludes systems that handle controlled information, which auditors will flag immediately.
- An unjustified Statement of Applicability – Every excluded control must have a documented, defensible rationale. ‘Not applicable’ without explanation is a nonconformity.
- No evidence of management review – ISO 27001 requires senior leadership engagement. A single informal meeting without minutes and tracked actions will not satisfy auditors.
- Supplier security left unaddressed – Control A.5.19 requires documented supplier assessments. Defence contractors with subcontractors or cloud service providers must evidence this, particularly where the supplier handles CUI (Controlled Unclassified Information) or access-controlled data.
- Training records that do not exist – Awareness training is mandatory. Verbal confirmation is not evidence. Maintain dated records of who was trained and what they completed.
5. Framework Mapping
ISO 27001 does not operate in isolation; it maps directly to adjacent UK and international requirements:
- Cyber Essentials (CE) / Cyber Essentials Plus (CE+) — NCSC’s baseline scheme maps to a subset of ISO 27001 Annex A technological controls. ISO 27001 certification addresses all five CE technical domains and more.
- NIST Cyber Security Framework (CSF) — The ISO 27001 SoA controls map to the NIST CSF and can be used as evidence for your Informative References.
Conclusion
ISO 27001 certification is achievable on a defined timeline but only if the groundwork is done properly. A completed checklist is the starting point, not the finish line. For defence contractors under procurement pressure, the margin for a failed audit is narrow.
Review the checklist above against your current posture. If gaps exist in your risk treatment plan, Statement of Applicability, or supplier controls, address them before the certification body does.
Pera Prometheus delivers ISO 27001 gap analysis assessments, ISMS design, implementation, and audit readiness support. Our consultants hold CISM and CISSP certifications and operate within a whole range of security frameworks.
We do not hand you a checklist and walk away. We build a risk-managed ISMS that holds up under audit and, more importantly, delivers an effective and practical information security system that protects you and your clients.
Book a Discovery Call – Get your Gap Assessment
Frequently Asked Questions
1. How long does ISO 27001 certification take?
Most organisations complete the process in 6–12 months, depending on scope size and the maturity of existing controls. Organisations with no prior ISMS documentation should budget towards the longer end of that range. This is not a race, and security is not about getting a certificate; it is about earning the correct certificate, one that represents true security and resilience within your business.
2. What is the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision restructured Annex A from 114 controls across 14 domains to 93 controls across four themes.
3. What is a Statement of Applicability?
The SoA is a mandatory document listing all 93 Annex A controls, whether each applies to your ISMS and the documented justification for any exclusions. It is one of the first documents an auditor will request.
4. Can ISO 27001 help us meet Cyber Essentials requirements?
ISO 27001 addresses all five Cyber Essentials technical control domains and goes significantly further. CE+ certification is typically straightforward for ISO 27001 certified organisations, though a separate formal CE+ assessment is still required.
Stay Safe, Stay Secure