BG Beter Geregeld ICT
Compliance · 2 min leestijd · 19 October 2025

ISO 27001 pre-audit checklist: 2 weeks before Stage 2

Stage 2 is two weeks away. This 22-point checklist covers everything auditors typically ask for — if even one box is missing, fix it now.

Two weeks before Stage 2. This is no longer the time to build anything substantial — it's time to make sure everything is in order. Work through these 22 points.

\n\n

Documentation

\n
    \n
  1. Security policy is up to date, an owner is named, and an annual review date is scheduled.
    2. \n
  2. Statement of Applicability is current (all Annex A controls: implemented / N/A + reason).
    3. \n
  3. All 8–12 policies are on the correct version number, with a visible changelog.
    4. \n
  4. Risk register review date falls within the last quarter.
    5. \n
  5. Asset inventory is current (including the SaaS inventory).
    6. \n
\n\n

Operational evidence

\n
    \n
  1. Most recent access review completed, with a PDF report including decisions and sign-offs.
    2. \n
  2. Privileged access inventory is current, with the latest review within the past 3 months.
    3. \n
  3. Last 2 offboardings fully documented.
    4. \n
  4. Onboarding process for at least 1 recent hire complete.
    5. \n
  5. Backup test performed, with evidence of a successful restore.
    6. \n
  6. Incident register for the last quarter present (even "nothing happened" must be logged).
    7. \n
\n\n

Governance

\n
    \n
  1. Most recent management review within the last 12 months, with minutes available.
    2. \n
  2. Internal audit completed, report available, and findings closed or included in an action plan.
    3. \n
  3. Training log: everyone has completed security awareness training this year.
    4. \n
  4. Roles and responsibilities document in place (CISO role filled, even if that's the director themselves).
    5. \n
\n\n

Technical controls

\n
    \n
  1. MFA enforced on critical systems (M365 admin, accounting, cloud infrastructure).
    2. \n
  2. Password policy enforced (at minimum: length requirements + common password blocking).
    3. \n
  3. Patches: last quarter's OS/browser patches applied to > 95% of devices.
    4. \n
  4. Anti-malware installed on all endpoints.
    5. \n
  5. Disk encryption enabled on all company laptops.
    6. \n
\n\n

Contracts

\n
    \n
  1. Data processing agreements in place with key suppliers (see processor register).
    2. \n
  2. Confidentiality and security clauses included in employment contracts.
    3. \n
\n\n

Everything ticked off → you're ready for Stage 2.

Onderwerpen

#checklist #audit #iso-27001

Volledige gids: ISO 27001 para pymes sin gastar €50k en consultores

Dit artikel is onderdeel van onze uitgebreide Compliance-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Compliance

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

2 min
Compliance

ISO 27001 costs: from initial gap analysis to certificate

A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.

2 min
Compliance

ISO 27001 or SOC 2? Which one fits your Dutch SMB?

ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.

2 min
Compliance

NEN 7510 for healthcare businesses: a step beyond ISO 27001

Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.

2 min
Compliance

The management review: what goes in it and who takes part?

One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.

2 min
Compliance

The PDCA Cycle Explained for Managers

Plan-Do-Check-Act sounds bureaucratic. In practice it means: write down what you do, do it, check whether it works, adjust accordingly. Here's the shortest useful explanation.

2 min
← Alle artikelen in "Compliance"