How to implement and maintain an ISO 27001-compliant ISMS

ISO 27001 is one of the most popular information security standards in the world, outlining the best practice for an ISMS (information security management system).

The framework provides a systematic approach to data security, demonstrating the ways you can use processes, technology and people to protect your organisation’s sensitive information.

Organisations that implement an ISMS are better able to prevent cyber attacks and other security incidents, and are equipped to stay on top of the evolving regulatory landscape.

How ISO 27001 implementation works

There are nine steps to implementing an ISMS:

  1. Create a project mandate

The implementation project should begin by appointing a project leader, who will work with other members of staff to create an initial plan.

  2. Initiate the project

Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.

  3. Adopt a methodology for the ISMS

ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security.

However, it doesn’t specify a particular methodology, instead allowing organisations to use whatever method they choose, or to continue with a model they already have in place.

  4. Create a management framework

This begins by identifying the scope of the system, which will depend on its context. The scope needs to account for your offices, employees’ mobile devices and teleworkers.

  5. Identify baseline security criteria

These are the requirements and corresponding measures or controls that are necessary to conduct business.

  6. Create a risk management process

ISO 27001 allows organisations to broadly define their own risk management processes.

Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to one method than another.

  7. Create a risk treatment plan

This is the process of building the security controls that will protect your organisation’s information assets.

To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.

  8. Measure, monitor and review the results

For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance.

This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.

  9. Achieve certification

Once the ISMS is in place, organisations should seek certification from an accredited certification body.

This proves that the ISMS meets the requirements of ISO 27001, and allows organisations to experience the benefits of certification.


Find out more about implementing an ISMS by downloading our free green paper: Cyber Security and ISO 27001 – Reducing your cyber risk.

You’ll learn more about the threat landscape, how ISO 27001 helps protect your organisation and why so many organisations have decided to adopt its framework.


Why you should enrol on ISO 27001 training

According to a Ponemon Institute study, organisations spend $3.86 million (about €3.25 million) responding to security incidents.

By taking the time to understand how the Standard works and how you can implement its requirements, you can reduce the risk of an incident occurring and reduce the costs when it does.

If you’re considering adopting ISO 27001, our fully accredited practitioner-led courses can help start your organisation on the right track.

We offer a variety of training courses that are designed to teach attendees the skills required to plan, implement, maintain and audit an ISMS in line with the Standard.

Having led ISO 27001 implementations since the inception of the Standard, IT Governance is known as the global authority on ISO 27001, and has trained more than 7,000 people around the world on ISO 27001 implementations and audits.

Here are some of the training courses you may be interested in:

Certified ISO 27001 ISMS Foundation Training Course

The starting point for all prospective ISO 27001 project managers and auditors, this one-day training course provides a complete introduction to the ISO 27001 standard and an overview of key implementation activities.

Certified ISO 27001 ISMS Lead Implementer Training Course

This fully certified, practitioner-led course equips you with the skills to lead an ISO 27001-compliant ISMS implementation project.

Drawing on ISO 27001 experts Alan Calder and Steve Watkins’s industry-leading implementation guide, this three-day course covers all nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.


A version of this blog was originally published on 8 April 2019.
