Implementing ISO 27001
We’ve trained more than 7,000 professionals on information security management system (ISMS) implementations and audits worldwide and have helped more than 600 organisations with ISO 27001 compliance and certification projects. Our experience means we know exactly what it takes to make a project succeed.
Our ISO 27001 implementation bundles can help reduce the time and effort required to successfully implement an ISMS, and eliminate costs associated with traditional consultancy.
Need a quick introduction to the ISO 27001 implementation process?
Download our free green paper: Implementing an ISMS, for a quick introduction to ISO 27001 and learn about our nine-step approach to implementing an ISO 27001-compliant ISMS.
ISO 27001 implementation process
Familiarise yourself with ISO 27001 and ISO 27002
The first step in your project is to familiarise yourself with the Standards and their core requirements. ISO/IEC 27001:2013 (the requirements you will be audited against, including the Annex A reference controls), ISO/IEC 27002:2013 (implementation guidance for those controls) and ISO/IEC 27000:2018 (overview and vocabulary) will serve as your principal points of reference.
Assemble a project team and initiate the project
You will need to appoint a project leader to manage the implementation project, gather information to review objectives and information security goals, and develop a project plan and project risk register.
- ISO 27001 Documentation Toolkit – contains a range of project tools that will help you tackle the ISMS, including an implementation manager to plot tasks against the Standard’s requirements.
Conduct a gap analysis
Determine which areas of your organisation are not compliant with ISO 27001 and what to do to achieve compliance.
- ISO 27001 Documentation Toolkit – contains an ISO/IEC 27001:2013 and ISO/IEC 27002:2013 gap analysis tool to help you determine what you have to do to achieve compliance.
Scope the ISMS
This is an essential step in your project: you define the boundaries of the ISMS by deciding which business units, locations, systems and information assets it covers, and you record the interfaces and dependencies with anything left outside it. Too big a scope will escalate the time and cost of the project; too small a scope will leave your organisation exposed to risks that were never assessed.
Develop policies, procedures and other key ISO 27001 documentation
You need to set out high-level policies for the ISMS that establish roles and responsibilities, and put in place a continual improvement process. Mandatory documentation includes the ISMS scope, an information security policy, information security objectives and evidence of competence.
- ISO 27001 Documentation Toolkit – contains customisable documentation templates that will save you weeks of work trying to develop all the required policies and procedures.
Undertake a risk assessment
Risk assessments are at the core of an ISO 27001-compliant ISMS. They identify the risks to the confidentiality, integrity and availability of in-scope information, rate their likelihood and impact, and show how effective your organisation’s current controls are against them.
- vsRisk™ risk assessment software – avoid errors and take advantage of the risk database and corresponding Annex A controls, so you can conduct accurate and effective risk assessments.
Select and apply controls
The controls you select to treat each risk should be compared against the reference control objectives and controls in ISO 27001’s Annex A. If you choose not to include any Annex A control, you must justify that exclusion in the Statement of Applicability.
- ISO 27001 Documentation Toolkit – provides a full set of the required policies and procedures, mapped against the Annex A controls, ready for you to customise and implement.
- vsRisk™ risk assessment software – includes all Annex A controls, in addition to controls from other leading frameworks, such as PCI DSS and NIST 800-53.
Develop risk documentation
ISO 27001 requires an RTP (risk treatment plan) and SoA (Statement of Applicability) to be produced. The SoA lists the controls you have selected, covering every Annex A control, states whether each one is implemented, and gives a justification for each inclusion and exclusion.
- vsRisk™ risk assessment software – generates six audit-ready reports, including the RTP and SoA, which can be exported, edited and shared across the organisation and with auditors.
Conduct staff awareness training
Human error is widely regarded as the weakest link in cyber security. To increase awareness of information security issues and the purpose of the ISMS, all employees should receive regular training, and records of that training should be kept as evidence of competence.
Assess, review and conduct an internal audit
You must conduct internal audits and tests at planned intervals to ensure controls are working as intended and incident response plans are functioning effectively. The ISMS’s performance must also be reviewed by top management at planned intervals, typically at least annually.
Opt for a certification audit
If your organisation opts for external certification, the certification body you use should be accredited by a national accreditation body that is a member of the IAF (International Accreditation Forum). The certification audit provides an independent opinion about your security posture: a stage 1 audit reviews your documentation, and a stage 2 on-site audit checks that the controls are implemented and performing and tests your procedures in practice.
Speak to an expert
For more advice or guidance on implementing ISO 27001, please contact our team below.