Our plain English information security standard can also be used as a
Checklist. That's because we’ve used a task oriented approach to translate
the original ISO IEC 27002 standard into Plain English. This means that our
Plain English product (our Title 37) consists entirely of tasks or actions. So
if you want to implement this ISO IEC standard and achieve your security
objectives, all you have to do is carry out the tasks that we have listed.

However, you don’t have to perform every task. Since ISO IEC 27002 2013
consists entirely of recommendations or guidelines (not requirements),
you can ignore any task that does not address your particular security
requirements or address one of your unique security risks.

Accordingly, we offer three response options for each task: TODO, DONE,
or N/A. Select TODO if a task addresses one of your organization's security
risks or requirements, select DONE if you've already done it, or select N/A
if the task does not address a security risk or requirement.

To see what our checklist looks like, please have a look at the following
PDF sample: ISO IEC 27002 2013 Checklist (Part 8 of our Title 37 product).