# ISO 27001 Readiness Checklist for SaaS and Fintech Teams

By Kellwick - independent ISO 27001 / GRC advisory.
Not a certification body. This checklist is an indicative guide, not a formal gap analysis.

How to use: for each item, mark Yes / Partly / No and note where the evidence lives.
The items most teams fail are the ones asking you to *prove* a control operated, not just that a policy exists.

---

## 1. Scope
- [ ] ISMS scope is written down and approved.
- [ ] Scope matches the products, systems, data and teams you actually operate.
- [ ] Cloud providers and the shared-responsibility boundary are named.
- [ ] Nothing critical (production, customer data) is quietly excluded.

## 2. Risk register
- [ ] Risks are specific scenarios tied to real assets or processes.
- [ ] Each risk has a named individual owner.
- [ ] Likelihood and impact use a written, consistent scale.
- [ ] Treatment decisions are recorded (treat / tolerate / transfer / terminate).
- [ ] The register has changed over time as treatment progressed.

## 3. Statement of Applicability (SoA)
- [ ] Every Annex A control is marked applicable or excluded, with a reason.
- [ ] Justifications reference your real environment, not a template.
- [ ] The SoA is consistent with the risk assessment.
- [ ] Every "implemented" control can be evidenced today.

## 4. Policies
- [ ] Core policies exist and are approved and versioned.
- [ ] Policies describe what teams actually do, not an ideal nobody follows.
- [ ] Staff can find the policies relevant to their role.

## 5. Access control
- [ ] Access is granted on least privilege and recorded at onboarding.
- [ ] Access reviews run on a stated cadence with recorded decisions.
- [ ] Reviews produce removal records, not just recommendations.
- [ ] Joiner / mover / leaver changes are handled promptly and logged.
- [ ] Privileged, shared and service accounts are in scope.

## 6. Supplier risk
- [ ] A current inventory of suppliers and subprocessors exists.
- [ ] Each supplier is tiered by the data and criticality involved.
- [ ] High-risk suppliers are reviewed at least annually, with evidence.
- [ ] New suppliers pass through a review step before adoption.

## 7. Incident management
- [ ] Incidents (including small ones) are logged and triaged.
- [ ] Incidents are classified by impact, including business impact.
- [ ] Post-incident reviews produce corrective actions that get closed.

## 8. Change and release
- [ ] Changes are reviewed before reaching production.
- [ ] Releases leave a durable record: ticket, review, test, deployment.
- [ ] Emergency changes are captured retrospectively.
- [ ] Higher-risk changes get an explicit approval step.

## 9. Secure development
- [ ] Code review is required, not optional.
- [ ] Relevant automated tests are blocking in CI.
- [ ] Environments (dev / staging / production) are separated.

## 10. Evidence
- [ ] Evidence for key controls exists across the whole period, not just recently.
- [ ] Evidence is dated, attributable and stored in one findable place.
- [ ] You can produce evidence for a sampled control within minutes.

## 11. Management review
- [ ] Management review is held on a schedule with leadership present.
- [ ] The required inputs are covered (audits, risks, incidents, objectives).
- [ ] The review produces real decisions and tracked follow-ups.

## 12. Internal audit
- [ ] Internal audit is independent of the work it reviews.
- [ ] It is planned, covers the ISMS, and produces written findings.
- [ ] Findings feed corrective actions with owners and dates.

## 13. Corrective actions
- [ ] Findings are tracked in one place with root cause, owner and date.
- [ ] Actions are verified as effective before closure.
- [ ] Prior audit findings are genuinely closed, not reopened each cycle.

---

## Next step
Score yourself honestly. If several sections are "Partly" or "No", that is normal - and fixable.

- Take the interactive self-assessment: https://kellwick.com/assessment
- Book a readiness review: https://kellwick.com/contact

Kellwick - operated by BCE Ventures LLC, 30 N Gould St, Sheridan, WY 82801, USA.
Independent advisory practice. Not a certification body.
