The hardest part of many projects is knowing where to start.

ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).

In other words, it lays out the requirements you must meet but doesn’t show you how to adopt or implement them.

This blog post explains our tried-and-tested, nine-step approach to implementing ISO 27001:

  1. Project mandate
  2. Develop the ISO 27001 implementation plan
  3. ISMS initiation
  4. Management framework
  5. Baseline security criteria
  6. Risk management
  7. Implementation
  8. Measure, monitor and review
  9. Certification

(This is the methodology we’ve developed over the past 20 years to help more than 800 organisations around the world achieve compliance with the Standard.)

1. Project mandate

The implementation project should begin by appointing a project leader.

They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:

  • What do we hope to achieve?
  • How long will the project take?
  • Does the project have top management support?
  • What resources – financial and otherwise – will the project need?

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of:

  • Your information security objectives;
  • Your project risk register;
  • Your project plan; and
  • Your project team.

Information security objectives

Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.

They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.

Project risk register

Your project risk register should account for risks to the project itself, which might be:

  • Managerial – will operational management continue to support the project?
  • Budgetary – will funding continue to see the project through?
  • Legal – are specific legal obligations at risk?
  • Cultural – will staff resist change?

Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.

Project plan

The project plan should detail the actions you must take to implement the ISMS.

This should include the following information:

  • Resources required
  • Responsibilities
  • Review dates
  • Deadlines

Project team

The project team should represent the interests of every part of the organisation and include various levels of seniority.

Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:

  • Responsible;
  • Accountable;
  • Consulted; and
  • Informed

One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.

3. ISMS initiation

You’re now ready to initiate your ISMS.

Documentation structure

A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.

We recommend a four-tier approach:

  • Policies
    These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.
  • Procedures
    These enact the requirements of your policies at a high level.
  • Work instructions
    These set out how employees implement individual elements of the procedures.
  • Records
    These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.

This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation, and that you develop well-functioning, cohesive processes.

Tips for more effective policies and procedures

Your policies and procedures must also be effective. Here are four tips:

  1. Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
  2. Keep them clear and straightforward, so staff can easily follow your procedures.
  3. Use version control, so everyone knows which is the latest document.
  4. Avoid duplication. This will also help with the version control.

Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.

Continual improvement

As part of your ISMS initiation, you’ll need to select a continual improvement methodology.

First, understand that continual improvement might sound expensive, but is cost-effective if done well.

Continual improvement means getting better results for your investment. That typically means one of two things:

  1. Getting the same results while spending less money.
  2. Getting better results while spending the same amount of money.

Yes, you need to be looking at your objectives and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step or automating some manual work.

While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.

Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.

4. Management framework

At this stage, you need to develop the high-level framework of your ISMS. This will set the groundwork for the rest of your ISO 27001 implementation.

This means tackling the requirements of Clauses 4 and 5 of ISO 27001:2022.

Context for the ISMS

Formalise the context of your ISMS. That means identifying:

A. Internal and external issues

Where relevant to the ISMS, you must identify internal and external issues. Some, you may have already identified in step 2.

A PESTLE analysis can be very helpful here:

  • Political, such as political tensions that can disrupt supply chains.
  • Economic, such as the risk of a recession, affecting your ability to procure the necessary equipment.
  • Sociological, such as how people might perceive your use of personal and other confidential data.
  • Technological, such as AI developments, new malware or outdated hardware/software.
  • Legal, such as cyber security and data privacy legislation (e.g. the GDPR, DORA, and the NIS Directive and NIS Regulations).
  • Environmental, such as climate change impact.

B. Interested parties

You need to identify interested parties, along with their needs and expectations. These can include:

  • Partners;
  • Employees; and
  • Regulators and other authorities.

C. ISMS scope

This is the most important one: determine your ISMS scope.

This’ll be partially informed by the issues and interested parties you’ve identified. This information will help you understand which parts of your organisation you want your ISMS to cover and protect.

Scope is critical to get right. If too small, you leave sensitive information exposed. But too large, and your ISMS will become too complex to manage.

Top management

The success of any management system depends on the support of top management. So, as you’re establishing your management framework, you must be clear about how top management will demonstrate leadership and commitment to the ISMS.

Part of this comes back to your top-level information security policy. This must be established and signed off by top management.

Top management must also assign and communicate responsibilities and authorities for roles relevant to the ISMS.

5. Baseline security criteria

Next, you should formalise your baseline security criteria. These are the minimum level of security controls required to conduct business securely in an ISO 27001-compliant ISMS, accounting for your business, legal and contractual requirements.

This step is generally straightforward, as you should have already done much of the work required by now. You need only identify the practices already in place and assess their effectiveness.

Then, ensure they continue under the control of the eventual ISMS – though potentially in an improved state.

6. Risk management

Risk management lies at the heart of any ISMS – or indeed any security programme. After all, you have to know what risks you’re addressing – and which are your biggest risks – before you can identify what measures you need.

Risk assessment and management are key to keeping your defences effective and affordable.

Risk assessment methodology

ISO 27001 requires organisations to conduct risk assessments at regular intervals and when planning significant changes. They must use a methodology that ensures “repeated information security risk assessments produce consistent, valid and comparable results” (Clause 6.1.2.b).

As with continual improvement, however, the exact methodology is up to the organisation. Whatever you choose, it must account for the following five steps:

  1. Establish and maintain information security risk criteria, including risk acceptance criteria and the criteria for performing risk assessments.
  2. Identify information security risks and their risk owners.
  3. Analyse the risks, assessing their potential impact and realistic likelihood to determine the risk level for each.
  4. Evaluate the risks, by comparing the risk analysis results against your risk criteria and prioritising them accordingly.
  5. Select risk treatment options for identified risks outside your risk appetite.

Risk treatment

Generally speaking, you can respond to a risk in four ways:

  1. Modify the risk by applying controls to bring it down to an acceptable level.
  2. Share the risk, such as through insurance or by outsourcing the process to an organisation that is better able to manage the risk.
  3. Eliminate the risk by avoiding it entirely by, for example, changing the way the activity linked to the risk is conducted or even ending it altogether.
  4. Retain the risk. This must be an active choice and have clear justification.

Where you modify the risk, you can choose controls from any framework or control set you like.

However, your SoA (Statement of Applicability) must then map them against those in Annex A of ISO 27001, so auditors have a clear point of reference. Where you exclude a control, your SoA must justify this.
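
The five assessment steps and the four treatment options above are easier to see end-to-end on a concrete register. The following is an added worked example, not code from the original post or from any ISO 27001 tool: it fixes risk criteria (step 1), captures risks with owners (step 2), scores impact × likelihood (step 3), compares each score against an acceptance threshold (step 4) and checks that every risk outside appetite has a valid treatment with the justification or controls that option needs (step 5). The 1–5 scales, the product scoring, the acceptance threshold of 6, the level bands and the sample risks are all constructed assumptions for illustration; ISO 27001 prescribes none of them.

```python
"""Added worked example: a minimal ISO 27001-style risk register evaluator.
All scales, thresholds and sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Step 1: risk criteria. Assumption: 1-5 scales, score = impact * likelihood.
SCALE_MIN, SCALE_MAX = 1, 5
RISK_ACCEPTANCE_THRESHOLD = 6          # scores at or below this are within appetite
LEVEL_BANDS = ((4, "low"), (9, "medium"), (16, "high"), (25, "critical"))
TREATMENT_OPTIONS = ("modify", "share", "eliminate", "retain")


@dataclass
class Risk:
    ref: str
    description: str
    owner: str                          # step 2: every risk needs a named owner
    impact: int
    likelihood: int
    treatment: Optional[str] = None     # step 5: one of TREATMENT_OPTIONS
    justification: str = ""
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Step 3: analyse. Reject values outside the agreed scale."""
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.ref}: {name} {value} outside {SCALE_MIN}-{SCALE_MAX}")
        return self.impact * self.likelihood

    def level(self) -> str:
        score = self.score()
        for upper, label in LEVEL_BANDS:
            if score <= upper:
                return label
        raise AssertionError("unreachable: score exceeds top band")

    def within_appetite(self) -> bool:
        """Step 4: evaluate against the acceptance criterion."""
        return self.score() <= RISK_ACCEPTANCE_THRESHOLD


def treatment_problems(risk: Risk) -> list:
    """Return a list of findings; an empty list means the treatment is acceptable."""
    problems = []
    if risk.within_appetite():
        if risk.treatment not in (None, "retain"):
            problems.append("treatment selected for a risk already within appetite")
        return problems
    if risk.treatment is None:
        return ["no treatment selected for a risk outside appetite"]
    if risk.treatment not in TREATMENT_OPTIONS:
        return [f"unknown treatment option {risk.treatment!r}"]
    if risk.treatment == "modify" and not risk.controls:
        problems.append("'modify' chosen but no controls listed")
    if risk.treatment == "retain" and not risk.justification.strip():
        problems.append("'retain' must be an active choice with a justification")
    return problems


def evaluate_register(risks) -> list:
    """Prioritise by score (highest first) and attach level, appetite and findings."""
    rows = []
    for risk in sorted(risks, key=lambda r: r.score(), reverse=True):
        rows.append({
            "ref": risk.ref,
            "owner": risk.owner,
            "score": risk.score(),
            "level": risk.level(),
            "within_appetite": risk.within_appetite(),
            "treatment": risk.treatment,
            "problems": treatment_problems(risk),
        })
    return rows


# Constructed sample register; refs, owners and descriptions are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-01", "Unencrypted laptop lost or stolen", "IT manager", 4, 3,
         treatment="modify", controls=["full-disk encryption", "remote wipe"]),
    Risk("R-02", "Office printer outage", "Facilities", 1, 4),
    Risk("R-03", "Legacy FTP server still reachable", "IT manager", 3, 3,
         treatment="eliminate", justification="Service decommissioned; transfers moved to SFTP"),
    Risk("R-04", "Breach at third-party payroll provider", "HR director", 4, 2,
         treatment="share", justification="Contractual liability clauses and cyber insurance"),
    Risk("R-05", "Staff act on a phishing e-mail", "Security manager", 3, 5,
         treatment="retain"),   # deliberately missing its justification
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```

Running the block lists the register in priority order and flags R-05, where the risk is outside appetite and has been marked "retain" without the justification the text says that choice requires. The same structure carries over to the SoA: the `controls` list on a modified risk is where you would record the mapping to the Annex A reference an auditor will look for.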

7. Implementation

The ‘implementation’ phase relates to implementing:

  • Your ISMS processes; and
  • Your risk treatment plan.

So, you’re building the actual processes, and implementing the security measures, that’ll protect your information assets.

You should also document those processes and controls in relevant policies, procedures, work instructions and records (as outlined in step 3).

Staff competence and training

To ensure those processes and controls will be effective, make sure that staff are appropriately competent to implement, operate or interact with, and maintain the controls. Where competences might be lacking, you can provide the necessary training.

ISO 27001 also requires all staff to be aware of:

  • Your information security policy;
  • How they contribute to the effectiveness of the ISMS; and
  • The implications of failing to conform to the ISMS requirements.

Staff are almost always an organisation’s weakest point when it comes to security. So, ensuring they understand their security obligations and how they can help keep your organisation safe is critical.

Like your other processes, your staff awareness programme should be systematic and maintained over time.

8. Measure, monitor and review

For your ISMS to be effective, it must meet your information security objectives.

ISMS measurement

To know whether it is doing so, you need to monitor, measure, analyse and evaluate its performance. This requires you to identify metrics or other methods of determining how effective your measures are, ones that “produce comparable and reproducible results” (Clause 9.1.b).

You must also document, analyse and evaluate the results.

Internal audits

ISO 27001 requires organisations to conduct regular internal audits, covering the whole ISMS. These internal audits must be part of an audit programme that confirms you:

  • Have implemented your ISMS effectively;
  • Are maintaining your ISMS effectively; and
  • Are meeting your ISMS objectives and the ISO 27001 requirements.

Naturally, the auditors need to be objective and impartial. To ensure the latter, outsourcing could be a good option.

Alternatively, to ensure internal staff have the right competence, specialist training may prove invaluable.

Management review

ISO 27001 also requires top management to regularly review the ISMS “to ensure its continuing suitability, adequacy and effectiveness” (Clause 9.3.1).

This review must consider:

  • The status of actions from previous management reviews;
  • Changes in internal and external issues, or in the needs and expectations of interested parties;
  • Feedback from your measurement activities, internal audits and interested parties;
  • Information about any NCs (nonconformities), corrective actions and OFIs (opportunities for improvement); and
  • Risk assessment results, and the status of your risk treatment plan.

You must also feed outputs of measurement, internal audits and management reviews into your continual improvement process. This isn’t some arbitrary requirement, but a way of getting better results for your investment.

9. Certification

Once you’ve implemented your ISMS, consider seeking certification from an accredited certification body.

This proves to customers, partners and other stakeholders that your ISMS is effective. It also shows you take information security seriously.

Learn more about the benefits of certification.

Looking to implement ISO 27001 quickly and cost-effectively?

Get all the consultancy support you need to implement an ISMS with our ISO 27001 FastTrack™ service.

This turnkey consultancy package is designed to help organisations reach ISO 27001 certification readiness in 3–6 months for a fixed fee.

Put your ISO 27001 project in the hands of an experienced consultant.

We’ll develop an ISMS that works for you.