How to Implement ISO 27001: A 9-Step Guide

The hardest part of many projects is knowing where to start, and there’s no exception when it comes to implementing ISO 27001.

The Standard, which describes best practice for an ISMS (information security management system ISMS), explains the requirements you need to meet, but it doesn’t show you how to adopt them.

It’s an issue that plenty of organisations will be facing at the moment, given the release of a new version of ISO 27001 last year. It has been almost a decade since the Standard was last updated, and whether you’re starting from scratch or looking to transition to the revised version, you must have a plan in place.

In this blog, we explain exactly what you need to do to implement ISO 27001.


1. Assemble an ISO 27001 implementation team

The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions: 

  • What are we hoping to achieve? 
  • How long will it take? 
  • What will it cost? 
  • Does it have management support? 

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of your information security objectives, plan and risk register. 

This includes setting out high-level policies for the ISMS that establish: 

  • Roles and responsibilities; 
  • Rules for its continual improvement; and 
  • How to raise awareness of the project through internal and external communication. 

Find out more about each of these steps by downloading Implementing an ISMS – The nine-step approach.

This free guide shows you exactly what you need to do to meet ISO 27001’s requirements, highlighting the challenges you’ll face and how you can overcome them.

By following our nine-step approach, you’ll save time and money during your implementation project and ensure that you’ve adequately addressed your information security concerns.


3. ISMS initiation

Now it’s time to adopt a methodology for implementing the ISMS. The Standard recognises that a “process approach” to continual improvement is the most effective model for managing information security.

However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place. 

Part of this process involves developing the rest of your document structure. We recommend using a four-tier strategy: 

  • Policies at the top, defining the organisation’s position on specific issues, such as acceptable use and password management. 
  • Procedures to enact the policies’ requirements. 
  • Work instructions describing how employees should meet those policies. 
  • Records tracking the procedures and work instructions.

4. Management framework

At this stage, you need to gain a broader understanding of the ISMS’s framework. The process for doing this is outlined in clauses 4 and 5 of the ISO 27001 standard

The most important part of this process is defining the scope of your ISMS – i.e. which parts of your organisation you’ll be protecting. Creating an appropriate scope is an essential part of your ISMS implementation project.

If your scope is too small, then you leave information exposed, jeopardising the security of your organisation, but if it’s too large, your ISMS will become too complex to manage. 


5. Baseline security controls

An organisation’s security baseline is the minimum level of activity required to conduct business securely. 

You should define your security baseline using the information collected during your ISO 27001 risk assessment.


6. Risk management

Risk management is a core part of any ISMS. After all, it’s no good identifying and prioritising information security threats if you’re unable to deal with them effectively. 

This stage isn’t about managing risks themselves but establishing how you’ll approach the task. There are several ways you can do this, but most methods involve looking at risks to specific assets or risks presented in specific scenarios. 

However you go about the task, the risk assessment process is crucial. After identifying, evaluating and assigning values to your threats, you’ll know which risks pose the biggest problem.

You should take those and determine whether to: 

  • Treat the risk by applying information security controls laid out in ISO 27001; 
  • Terminate the risk by avoiding it entirely;
  • Share the risk (with an insurance policy or via an agreement with other parties); or
  • Accept the risk (if it doesn’t pose a significant threat).

Any risks that you treat should be documented in an SoA (Statement of Applicability). This should explain which of the Standard’s controls you’ve selected and omitted and why you made those choices. 


7. Implement the risk treatment plan

Now it’s time to implement your risk treatment plan. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations. 

You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives.

This involves conducting a needs analysis and defining a desired level of competence.


8. Measure, monitor and review

You won’t be able to tell if your ISMS is working or not unless you review it. We recommend doing this at least annually, so that you can keep track of the way risks evolve and identify new threats. 

The main objective of the review process is to see whether your ISMS is in fact preventing security incidents, but the process is more nuanced than that.

You should be comparing its output to the objectives you laid out in the project mandate – i.e. what you hoped to achieve. These can be measured quantitatively and qualitatively.

Quantitative assessments are useful for measuring things that involve financial costs or time, whereas qualitative assessments are better suited for objectives that are hard to define, like your employees’ satisfaction with new processes, for example.


9. Certification

Once the ISMS is in place, organisations should consider seeking certification from an accredited certification body.

This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security. 

The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice. 


Get ISO 27001 certified with IT Governance

If you’re looking for help implementing the Standard’s requirements, we are here to help.

IT Governance offers a range of ISO 27001 consultancy services, so whether you’re looking for guidance on specific issues – such as the gap analysis or internal audit – or would like an expert to manage the process, we have the solution for you.

As you begin your compliance project, you’ll notice that the documentation process is the most time-consuming part of your ISO 27001 compliance project.

Each clause comes with its own documentation requirements, meaning IT managers and implementers will have to deal with hundreds of documents. Each policy and procedure must be researched, developed, approved, and implemented, which could take months.

Organisations can simplify the compliance process with our ISO 27001 Toolkit.

This set of customisable templates was designed by information security experts, providing simple guidance to help you meet the Standard’s documentation requirements.

You can embed the documentation directly in your organisation, saving you time and money.


A version of this article was originally published on 13 April 2021.

3 Comments

  1. LoadX 13th May 2020
  2. instantvitalrecords 14th April 2021
  3. Matri3D 23rd August 2022

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.