
ISO 27001 Evidence Checklist

A practical checklist to help teams understand what evidence auditors may expect during ISO 27001 readiness and audit preparation — covering policies, access reviews, MFA records, risk treatment, supplier management, and approval records.



See the types of evidence auditors commonly expect when reviewing ISO 27001 controls.

  • Policies and responsibilities
  • Access reviews
  • MFA and authentication evidence
  • Risk treatment evidence
  • Supplier and asset management evidence
  • Review dates and approval records


Who this checklist is for

This checklist is designed for teams preparing for an ISO 27001 audit or building out their information security management system (ISMS). It is especially useful for:

First-time ISO 27001 candidates

If you are going through certification for the first time, this checklist gives you a clear picture of the evidence types auditors commonly request before you engage a certification body.

Teams preparing for surveillance audits

ISO 27001 requires annual surveillance visits. Use this checklist to verify your evidence pack is current, your controls have review dates, and approvals are documented.

Compliance managers and IT leads

If you are responsible for maintaining the ISMS, this checklist helps you identify gaps in evidence coverage before an internal or external review.

What's included

The checklist covers six evidence areas that auditors commonly review. Each item represents a concrete document, record, or approval that should exist in your ISMS.

Policies and Responsibilities

  • Information security policy documented and approved
  • Policy owner and review date assigned
  • Acceptable use policy in place
  • Roles and responsibilities documented

Access Reviews

  • Periodic access reviews conducted and logged
  • Privileged account access reviewed quarterly
  • Leavers' access revoked within agreed timescales
  • Access review sign-off documented

MFA and Authentication Evidence

  • MFA enabled for all users — evidence of enforcement
  • Conditional Access policies documented
  • Authentication logs retained
  • Privileged accounts use phishing-resistant MFA

Risk Treatment Evidence

  • Risk register maintained and dated
  • Risk treatment decisions documented
  • Accepted risks signed off by management
  • Residual risk reviewed at least annually

Supplier and Asset Management

  • Asset inventory maintained
  • Supplier agreements include security requirements
  • Supplier risk assessments on file
  • Critical supplier reviews documented

Review Dates and Approval Records

  • All evidence has a review date assigned
  • Approvals are signed and timestamped
  • Overdue reviews flagged and remediated
  • Audit trail of approvals retained for 3+ years

Frequently asked questions

Who is this checklist for?

Compliance managers, IT leads, and anyone responsible for preparing an ISO 27001 evidence pack. It is useful for teams approaching their first certification, preparing for a surveillance audit, or responding to an auditor's evidence request.

Does this checklist guarantee a successful ISO 27001 audit?

No. This checklist covers common evidence areas that auditors review, but it is not a complete representation of ISO 27001 requirements. Certification requires working with a qualified ISO 27001 consultant and an accredited certification body.

How is this checklist different from the M365 compliance checklist?

The M365 compliance checklist focuses on specific Microsoft 365 configuration controls. This checklist focuses on the types of evidence documents and records auditors expect to see during an ISO 27001 audit — it is framework- and platform-agnostic.

How often should I review my evidence against this checklist?

Before every audit or surveillance visit. Some items — like access reviews and review dates — should be checked at least quarterly.

Can Certvik help me collect and manage this evidence?

Yes. Certvik automates evidence collection from your Microsoft 365 environment, assigns review dates, routes evidence through approval workflows, and maintains a full audit trail — so your evidence pack stays current year-round.
