
Implementing ISO 27001 

Considering adopting ISO 27001 but unsure whether it will work for your organization? Although implementing ISO 27001 takes time and effort, it isn’t as expensive or as difficult as you might think.

We’ve trained more than 7,000 professionals on information security management system (ISMS) implementations and audits worldwide, and helped more than 600 organizations with ISO 27001 compliance and certification projects. Our experience means we know exactly what it takes to make a project succeed. 

To assist you with your project, we have created a how-to guide covering the basics of implementing ISO 27001, which takes you through the planning process step-by-step and will help keep you on track.

Download our free guide to implementing ISO 27001 here >>

ISO 27001 implementation checklist  


Familiarize yourself with ISO 27001 and ISO 27002

Before you can reap the many benefits of ISO 27001, you first need to familiarize yourself with the Standard and its core requirements. The ISO/IEC 27001:2013, ISO/IEC 27002:2013 and ISO 27000:2018 standards will serve as your principal points of reference. 

Assemble a project team and initiate the project

You will first need to appoint a project leader to manage the project (if it will be someone other than yourself). Second, you will need to embark on an information-gathering exercise to review senior-level objectives and set information security goals. Third, you should develop a project plan and project risk register.

The ISO 27001 Documentation Toolkit includes a range of project tools that will help you tackle the ISMS.
The Lead Implementer training course teaches you how to implement an ISMS from beginning to end, including how to overcome common pitfalls and challenges.

Conduct a gap analysis

A gap analysis helps you determine which areas of the organization aren’t compliant with ISO 27001, and what you need to do to become compliant.

This toolkit includes an ISO 27001:2013 and ISO 27002:2013 gap analysis tool that will help you assess yourself against the Standard’s requirements.
Alternatively, arrange a specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

Scope the ISMS

Scoping requires you to decide which information assets to ring-fence and protect. Doing this correctly is essential, because a scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organization vulnerable to risks that weren’t considered.

Find out how to scope the ISMS effectively by attending the definitive ISO 27001 Lead Implementer training course.

Initiate high-level policy development and other key ISO 27001 documentation

You should set out high-level policies for the ISMS that establish roles and responsibilities, and set up a continual improvement process. Additionally, you need to consider how to raise ISMS project awareness through both internal and external communication.

The documentation toolkit will save you weeks of work trying to develop all the required policies and procedures.

Undertake a risk assessment

Risk management is the core of any ISMS and involves five key steps: establishing a risk management framework (including the criteria for accepting risk); identifying risks; analyzing them; evaluating them against those criteria; and selecting risk treatment options.

Effective risk management also helps identify whether your organization’s controls are necessary and cost-effective.

Undertake error-proof risk assessments with the leading ISO 27001 risk assessment tool, vsRisk, which includes a database of risks and the corresponding ISO 27001 controls, in addition to an automated framework that enables you to conduct the risk assessment accurately and effectively.

Select and apply controls 

Controls should be applied to manage or reduce risks identified in the risk assessment. ISO 27001 requires organizations to compare any controls against its Annex A reference controls – the idea is that you implement all controls deemed necessary, and justify any exclusions. This entire process should be documented – one of the most time-consuming parts of implementing an ISO 27001-conformant ISMS.

The documentation toolkit provides a full set of the required policies and procedures, mapped against ISO 27001’s Annex A reference controls, ready for you to customize and implement.
vsRisk includes all controls listed in Annex A of ISO 27001, in addition to controls from other leading frameworks, such as the PCI DSS (Payment Card Industry Data Security Standard), NIST, and Cyber Essentials.

Develop risk documentation

The RTP (risk treatment plan) and SoA (Statement of Applicability) are key documents required for an ISO 27001 compliance project.

The SoA lists the Annex A controls (and any additional controls you have selected), states whether each has been implemented, and justifies why it was included or excluded. The RTP describes the steps to be taken to treat each risk identified in the risk assessment, including who is responsible and by when.

vsRisk provides all the documentation you need to satisfy auditor requirements.

Conduct staff awareness training

Human error is consistently one of the leading causes of security incidents. Therefore, all employees should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.

E-learning courses are a cost-effective solution for improving general staff awareness about information security and the ISMS.

Assess, review, and conduct an internal audit

ISO 27001 requires internal audits to be carried out at planned intervals, along with monitoring and measurement of the ISMS. This is to ensure that the controls are working as intended and that processes such as incident response are functioning effectively. Additionally, top management must review the performance of the ISMS at planned intervals, which in practice means at least annually.

Our auditor course gives you the skills to successfully lead an ISMS audit project.

Opt for a certification audit

If you opt for certification, the certification body you use should be accredited by a recognized national accreditation body that is itself a member of the International Accreditation Forum (IAF). Certificates issued by unaccredited bodies carry little weight with customers and regulators.

Your chosen certification body will review your management system documentation (the Stage 1 audit), then check that you have implemented the selected controls and conduct a site audit to test the procedures in practice (the Stage 2 audit).

ISO 27001 implementation bundles

Many organizations fear that implementing ISO 27001 will be costly and time-consuming. Our implementation bundles can help you reduce the time and effort required to implement an ISMS, and eliminate the costs of consultancy work, traveling, and other expenses.

IT Governance USA offers four different implementation bundles that have been expertly created to meet the unique needs of your organization, and are the most comprehensive mix of ISO 27001 tools and resources currently available.

Find out more >>

Speak to an expert

Contact one of our experts today for further advice and guidance on implementing ISO 27001.