Implementing ISO 27001

With the support of our experts and our implementation tools, training and resources, you can implement an ISMS (information security management system) aligned with ISO 27001. 

An ISO 27001 project requires involvement of your entire organisation and can take from three months to a year to achieve certification, depending on the complexity and size of your company. The ISMS you implement will be specific to your organisation, so no two ISO 27001 projects are identical.

Our ISO 27001 implementation bundles can help you reduce the time and effort required to implement an ISMS, and eliminate the costs of consultancy work, travelling and other expenses.

View our ISO 27001 implementation bundles and pricing here >>

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

Need a quick introduction to the ISO 27001 implementation process?

Download our free green paper to discover our nine-step approach to implementing an ISO 27001 ISMS, which we’ve used to help more than 800 organisations around the world achieve compliance with the Standard.

ISO 27001 implementation checklist  

Familiarise yourself with ISO 27001 and ISO 27002


Before you can reap the many benefits of ISO 27001, you first need to familiarise yourself with the Standard and its core requirements. The ISO/IEC 27001:2013, ISO/IEC 27002:2013 and ISO 27000:2018 standards will serve as your principal points of reference.

Assemble a project team and initiate the project 


You will first need to appoint a project leader to manage the project (if it will be someone other than yourself). Second, you will need to embark on an information-gathering exercise to review senior-level objectives and set information security goals. Third, you should develop a project plan and project risk register.


​The ISO 27001 Documentation Toolkit includes a range of project tools that will help you tackle the ISMS

The Lead Implementer course teaches you how to implement an ISMS from beginning to end, including how to overcome common pitfalls and challenges.

Conduct a gap analysis


A gap analysis helps you determine which areas of the organisation aren’t compliant with ISO 27001, and what you need to do to become compliant.


This toolkit includes an ISO 27001:2013 and ISO 27002:2013 gap analysis tool that will help you assess yourself against the Standard’s requirements. 

A downloadable tool, that can help assess your organsations current state of ISO/IEC 27001:2013 complaince. 

Scope the ISMS


Scoping requires you to decide which information assets to ring-fence and protect. Doing this correctly is essential, because a scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organisation vulnerable to risks that weren’t considered. 


Find out how to scope the ISMS effectively by attending the definitive ISO 27001 Lead Implementer course.

Initiate high-level policy development and other key ISO 27001 documentation


You should set out high-level policies for the ISMS that establish roles and responsibilities and define rules for its continual improvement. Additionally, you need to consider how to raise ISMS project awareness through both internal and external communication.


The documentation toolkit will save you weeks of work trying to develop all the required policies and procedures.

Undertake a risk assessment


Risk assessments are the core of any ISMS and involve five important aspects: establishing a risk management framework, identifying, analysing and evaluating risks, and selecting risk treatment options.

The risk assessment also helps identify whether your organisation’s controls are necessary and cost-effective. 


The documentation toolkit will save you weeks of work trying to develop all the required policies and procedures.

Undertake error-proof risk assessments with the leading ISO 27001 risk assessment tool, vsRisk, which includes a database of risks and the corresponding ISO 27001 controls, in addition to an automated framework that enables you to conduct the risk assessment accurately and effectively. 

Select and apply controls


Controls should be applied to manage or reduce risks identified in the risk assessment. ISO 27001 requires organisations to compare any controls against its own list of best practices, which are contained in Annex A. Creating documentation is the most time-consuming part of implementing an ISMS.


The documentation toolkit provides a full set of the required policies and procedures, mapped against the controls of ISO 27001, ready for you to customise and implement.

vsRisk includes a full set of controls from Annex A of ISO 27001 in addition to controls from other leading frameworks.

Develop risk documentation


The risk treatment plan (RTP) and Statement of Applicability (SoA) are key documents required for an ISO 27001 compliance project. 

The SoA lists all the controls identified in ISO 27001, details whether each control has been applied and explains why it was included or excluded. The RTP describes the steps to be taken to deal with each risk identified in the risk assessment. 


vsRisk provides all the documentation you need to satisfy auditor requirements

Conduct staff awareness training


Human error has been widely demonstrated as the weakest link in cyber security. Therefore, all employees should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.


E-learning courses are a cost-effective solution for improving general staff awareness about information security and the ISMS. 

Assess, review and conduct an internal audit


ISO 27001 requires regular audits and testing to be carried out. This is to ensure that the controls are working as they should be and that the incident response plans are functioning effectively. Additionally, top management should review the performance of the ISMS at least annually.


Our auditor courses give you the skills to successfully undertake or lead an ISMS audit project. 

Opt for a certification audit


If you opt for certification, the certification body you use should be properly accredited by a recognised national accreditation body and a member of the International Accreditation Forum. 

Your chosen certification body will review your management system documentation, check that you have implemented appropriate controls and conduct a site audit to test the procedures in practice. 

Browse our range of best selling ISO 27001 products and services

ISO 27001 implementation bundles

Many organisations fear that implementing ISO 27001 will be costly and time-consuming. Our implementation bundles can help you reduce the time and effort required to implement an ISMS, and eliminate the costs of consultancy work, travelling and other expenses.

IT Governance offers four different implementation bundles that have been expertly created to meet the unique needs of your organisation, and are the most comprehensive mix of ISO 27001 tools and resources currently available.


Speak to an expert

One of our qualified ISO 27001 lead implementers are ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and discuss different options to suit your budget and business needs.

SAVE 25%