This website uses cookies. View our cookie policy
Select regional store:

Implementing ISO 27001


Implement ISO 27001 with the experts

We've helped over 600 clients with ISO 27001 certification and implementation projects.



Implementing an information security management system (ISMS) based on ISO 27001 will involve your whole organization. An ISMS is specific to the organization that implements it, so no two ISO 27001 projects are the same. The entire project, from scoping through certification, can take three months to a year depending on the complexity and size of the organization.


We’ve summarized some of the most common elements of an ISMS project (in no particular order):

Conduct a gap analysis

A gap analysis determines the shortfall between your current information security processes and the Standard’s requirements. It also identifies the resources and capabilities you need in order to close the gap.

Scope the ISMS

Scoping requires a decision about which information assets are going to be protected. In larger organizations, this can be a tough, complicated process. Incorrectly scoping the project can leave your organization vulnerable to risks that were not considered.

Determining the context of your organization requires a review of aspects such as its risk appetite and culture. This is to ensure the ISMS is designed to suit your business.

Develop your information security policy

The policy should reflect the organization’s view on information security and be agreed by the board.

Conduct a risk assessment

Risk assessment is at the core of any ISMS. A risk assessor will identify the risks the organization faces and conduct a risk estimation and evaluation of those risks. This often takes the form of an asset-based risk assessment. The risk assessment helps to identify whether controls are necessary and cost-effective for the organization.

Select your controls

Controls should be applied to manage or reduce the risks identified by the risk assessment. ISO 27001 requires you to compare the controls you select against its own list of best-practice controls contained in Annex A.

Create a Statement of Applicability (SoA)

The SoA should set out a list of all controls you have selected, together with a justification for their inclusion, a statement of whether or not they have been implemented, and justification for the exclusion of any controls from Annex A of ISO/IEC 27001:2013.

Set up a risk treatment plan (RTP)

The RTP describes the steps to be taken to deal with each risk identified in the risk assessment.

Create your documentation

Documentation needs to be developed to support every planned control and every component of the ISMS. This is to establish a point of reference to ensure consistent application and continual improvement. Creating documentation is the most time-consuming part of implementing an ISMS.

Roll out a staff awareness program

All staff should regularly receive training to increase their awareness of information security issues and the purpose of the ISMS.

Conduct regular testing

ISO 27001 requires internal audits of the ISMS at planned intervals to determine whether the controls work as they should. Regular testing should also be conducted to ensure that your incident response plans function effectively.

Management review

Top management should review the performance of the ISMS at least annually.

Choose your certification body

It is important to ensure that the certification body you use is properly accredited by a recognized national accreditation body that is a member of the IAF, such as American National Standards Institute (ANSI).

Read more about the importance of accredited certification.

Gain accredited certification

The certification body will review your management system documentation and check that you have implemented appropriate controls, followed by a site audit to test the procedures in practice.

Manage and review your ISMS

ISO 27001 specifies the requirements for maintaining and continually improving the ISMS.



Start implementing ISO 27001 now

IT Governance’s proven approach to implementing an ISO 27001-compliant ISMS helps you to successfully tackle any ISO 27001 project.

Get started now with these bestselling resources and tools

ISO 27001 standard

Must-have implementation guidance

Implementation masterclass

Policies and procedures toolkit

Gap analysis consultancy

DIY Packages


Why use IT Governance?

  • Our team led the world’s first ISO 27001 certification project.
  • We’ve managed ISO 27001 implementations since the inception of the Standard.
  • We are your one-stop shop for everything ISO 27001, including training, tools, software, e-learning, staff awareness and consultancy that helps you get certification-ready.
  • Thousands of companies around the world make use of our products and services.
  • We’ve helped more than 600 companies with ISO 27001 certification and implementation projects worldwide.


Let's work together to get things moving

Whatever the nature or size of your problem, we are here to help. Click the button below to request a call. One of our experts will get in touch as soon as possible.


Speak to an expert

Please contact us for further information or to speak to an expert.

Contact us