Implementing ISO 27001


Implement an information security management system (ISMS) aligned with ISO 27001 with support from the experts. We’ve helped more than 400 clients achieve ISO 27001 certification, and our implementation tools, training and resources can help you too.

Implementing an ISMS based on ISO 27001 will involve your whole organisation. An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same. The entire project, from scoping to certification, can take three months to a year depending on the complexity and size of the organisation.


We’ve summarised some of the most common elements of an ISMS implementation project:

Conduct a gap analysis

A gap analysis determines the shortfall between your current information security processes and the Standard’s requirements. It also identifies the resources and capabilities you need in order to close the gap.

Scope the ISMS

Scoping requires a decision about which information assets are going to be ring-fenced and protected. In larger organisations, this can be a tough, complicated process. Incorrectly scoping the project can leave your organisation vulnerable to risks that were not considered.

Determining the context of the organisation requires a review of aspects such as your organisation’s risk appetite and culture to ensure that the ISMS is designed to suit your business.

Develop your information security policy

The policy should reflect the organisation’s view on information security and be agreed by the board.

Conduct a risk assessment

The risk assessment is at the core of any ISMS. A risk assessor will identify the risks the organisation faces and conduct a risk estimation and evaluation of those risks. This often takes the form of an asset-based risk assessment. The risk assessment helps to identify whether controls are necessary and cost-effective for the organisation.

Select your controls

Controls should be applied to manage or reduce actual risks once the risk assessment has been completed. ISO 27001 requires you to compare any controls against its own list of best-practice controls contained in Annex A.

Create a Statement of Applicability (SoA)

The SoA sets out a list of all controls identified in Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied, and a justification for its inclusion or exclusion.

Set up a risk treatment plan (RTP)

The RTP describes the steps to be taken to deal with each risk identified in the risk assessment.

Create your documentation

Documentation needs to be developed to support every planned control and every component of the ISMS. This is to establish a point of reference to ensure consistent application and continual improvement. Creating documentation is the most time-consuming part of implementing an ISMS.

Roll out a staff awareness programme

All staff should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.

Conduct regular testing

ISO 27001 requires internal audits of the ISMS at planned intervals to determine whether the controls work as they should. Regular testing should also be conducted to ensure that your incident response plans function effectively.

Conduct management reviews

Top management should review the performance of the ISMS at least annually.

Choose your certification body

It is important to ensure that the certification body you use is properly accredited by a recognised national accreditation body that is a member of the IAF, such as UKAS (United Kingdom Accreditation Service).

Gain accredited certification

The certification body will review your management system documentation and check that you have implemented appropriate controls, followed by a site audit to test the procedures in practice.

Manage and review your ISMS

ISO 27001 specifies the requirements for maintaining and continually improving the ISMS.


Start implementing ISO 27001 now

IT Governance’s proven approach to implementing an ISO 27001-compliant ISMS helps you to successfully tackle any ISO 27001 project.


Why use IT Governance?

  • Our team led the world’s first ISO 27001 certification project.
  • We’ve managed ISO 27001 implementations since the inception of the Standard.
  • We are your one-stop shop for everything ISO 27001, including training, tools, software, e-learning, staff awareness and consultancy that helps you get certification-ready.
  • Thousands of companies around the world make use of our products and services.
  • We’ve helped more than 400 companies achieve ISO 27001 certification.


Let's work together to get things moving

Whatever the nature or size of your problem, we are here to help. Click the button below to request a call. One of our experts will get in touch as soon as possible.

Please contact us for further information or to speak to an expert.

Contact us