How to implement an ISMS aligned with ISO 27001

Cyber attacks and data privacy concerns are a top priority for organisations, and many have chosen to mitigate the risk by implementing an ISMS (information security management system). 

An ISMS is a system of processes, documents, technology and people that helps organisations manage, monitor and improve their information security in one place. 

ISO 27001 is the international standard that describes best practice for an ISMS. 

Creating an ISO 27001-compliant ISMS can take several months, but the benefits it provides make it an essential project. In this blog, we explain nine simple steps to creating an ISMS.

1. Create a project mandate

The implementation project begins by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions: 

  • What are we hoping to achieve? 
  • How long will it take? 
  • What will it cost? 
  • Does it have management support? 

2. Initiation of the project

Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.


3. Adopt a methodology for the ISMS 

The next step is to adopt a methodology for implementing the ISMS.

ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security.

However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place.

4. Create a management framework 

At this stage, the ISMS will need a broader sense of the actual framework. Part of this involves identifying the scope of the system – i.e. determining which parts of your organisation are covered by the ISMS. 

You should ensure that any part of your organisation that holds sensitive information is covered in your system. However, you need to be equally careful that the ISMS isn’t too large, as this will make it prohibitively expensive and time-consuming to maintain. 

There are three steps to correctly scoping your ISMS: 

  1. Identify every location where sensitive information is stored.
  2. Determine the ways in which that information can be accessed.
  3. Define which parts of your organisation are out of scope.

5. Identify baseline security criteria

Organisations should identify their core security needs. These are the requirements and corresponding measures or controls that are necessary to conduct business. 

6. Develop a risk management process 

ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios.

There are pros and cons to each, and some organisations will be much better suited to one method than the other. 

There are five important aspects of an ISO 27001 risk assessment: 

  1. Establishing a risk assessment framework 
  2. Identifying risks 
  3. Analysing risks 
  4. Evaluating risks 
  5. Selecting risk management options 

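As an added illustration (not code from the original post), the following small Python risk register walks through the five aspects above in order. The scales, thresholds, treatment rule and sample risks are constructed assumptions for the example; ISO 27001 does not prescribe them.

```python
from dataclasses import dataclass

# 1. Framework (constructed): 1-5 scales, score = likelihood x impact, and a
#    risk acceptance threshold that expresses the organisation's risk appetite.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8   # scores at or below this are accepted and recorded
AVOID_THRESHOLD = 20       # scores at or above this: stop the risky activity

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    transferable: bool = False  # can a third party (insurer, supplier) carry part of it?

def analyse(risk: Risk) -> int:  # 3. Analyse: combine likelihood and impact
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def evaluate(score: int) -> str:  # 4. Evaluate against the acceptance criteria
    return "acceptable" if score <= ACCEPTANCE_THRESHOLD else "unacceptable"

def select_treatment(risk: Risk, score: int) -> str:
    """5. Select one of the four treatment options ISO 27001 allows."""
    if evaluate(score) == "acceptable":
        return "retain"   # accept the risk; the decision is recorded
    if score >= AVOID_THRESHOLD:
        return "avoid"    # too severe to control; stop or redesign the activity
    if risk.transferable:
        return "share"    # transfer part of the risk (insurance, contract)
    return "modify"       # apply controls to reduce likelihood or impact

def build_register(risks):
    """Rows for the risk register, highest score first; feeds step 7."""
    rows = []
    for r in risks:
        score = analyse(r)
        rows.append({"asset": r.asset, "threat": r.threat, "score": score,
                     "evaluation": evaluate(score), "treatment": select_treatment(r, score)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# 2. Identify risks: constructed sample entries (asset, threat, vulnerability).
SAMPLE_RISKS = [
    Risk("legacy payment system", "exploit of unsupported software", "vendor no longer patches", "likely", "severe"),
    Risk("customer database", "ransomware", "unpatched server", "possible", "severe"),
    Risk("backup tapes in transit", "loss in transit", "no tracked courier", "possible", "major", transferable=True),
    Risk("internal wiki", "defacement", "outdated theme", "unlikely", "minor"),
]
```

Each row of `build_register(SAMPLE_RISKS)` is a candidate entry for the risk treatment plan in step 7, with the chosen option recorded next to the score that justified it.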
7. Create a risk treatment plan

At this stage, you must build the security controls that will protect your organisation’s information assets.

To ensure these controls are effective, you will need to check that staff are able to operate or interact with them, and that they are aware of their information security obligations. 

You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence. 

8. Measure, monitor and review the results

For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance.

This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls. 

9. Achieve certification 

Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security. 

The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice. 

Get started with our ISO 27001 Toolkit

Ensure your organisation creates a fully compliant ISMS with the help of our ISO 27001 Toolkit.

It contains comprehensive compliance tools, including the gap assessment tool, Statement of Applicability tool, roles and responsibilities matrix, an Implementation Manager tool and two staff awareness e-learning licences.

You can guarantee compliance with more than 140 pre-written, customisable templates, including ISO 27001-compliant policies, procedures, work instructions and records.


A version of this blog was originally published on 29 June 2018.
