Implementation Overview
ISO 27001 Implementation Overview
Exploring how we plan an implementation.
Contents
- A Note From The Author
- An Overview of the Implementation Process Stages
- STEP 1: INITIATION
- STEP 2: PLANNING
- STEP 3: IMPLEMENTATION
- STEP 4: MONITORING & REVIEW
- STEP 5: CONTINUOUS IMPROVEMENT
A Note from The Author
Before we start, let's acknowledge that there are many routes to success.
There’s no definitively 'right' way to implement ISO 27001 - so long as you adhere to the
standard - but there are 'wrong' ways. I know; I've been there.
I also know that whatever you do, an auditor will find something to mark up for improvement –
they have to; it's their job to find something to report back on. Sometimes, the trick is allowing
them to find something minor (but I never said that).
I've documented my essential advice separately, but I strongly suggest having a robust plan
with multiple engaged stakeholders and getting something out there that might not be perfect
on day one but can evolve, just like the standard suggests.
Going it alone without solid support around you can result in two things:
1) Pushback from others: Failure to get senior support and stakeholder involvement will
likely mean resistance to change, and with ISO 27001, that can be project-killing. For
example, if you don't get stakeholders to contribute to your policies, they will likely tear
them down if the first time they see them is when they are published.
2) Dependency upon an individual: Without a robust framework and support, the whole
ISO standard and ISMS will fall apart when you leave the organisation.
There are many other reasons, but these are my top two.
On another note, I won't tell people how to manage projects in detail. That's all documented
elsewhere on my website!
Let's get on, then…
An Overview of the Implementation Process Stages
The first year of implementation is broadly in five key stages:
1. Initiation: Establish a project framework and resources, and define your scope.
2. Planning: Conduct a risk assessment of your ISMS and determine treatment options.
3. Implementation: Create the policies, procedures and controls that support your risk assessments.
4. Monitoring & Review: Check that your actions have a positive impact.
5. Continuous Improvement: Review outcomes and plan how to improve the performance of the ISMS.
STEP 1: INITIATION
Overview of the Initiation Phase
The Initiation phase of ISO 27001 implementation focuses on establishing a solid foundation
for the Information Security Management System (ISMS).
This phase ensures that all necessary preparatory steps are taken to set up the ISMS
effectively, including understanding the organisation's context, defining the scope, and
ensuring leadership commitment.
I've suggested setting up the Steering Group early because you'll need somewhere to take your
scope and (in the next step) risk assessments and treatments for approval. A group can act as
a review body and issue direction from the outset. Otherwise, you'll likely find yourself
rudderless or acting like a dictator.
The major inputs to this phase include the organisational context, internal and external issues,
statutory and regulatory requirements, and interested parties' expectations.
The main outputs are establishing a project plan, steering group, ISMS scope, and the initial
information security policies and objectives.
Summary of Steps
1. Establish a Project Plan
▪ Create an outline plan for the implementation, summarising the approach, key
resources, timelines, and milestones required for the journey.
2. Assemble a Steering Group
▪ Form a group with defined terms of reference to oversee the implementation
process, ensuring that all necessary expertise and leadership are represented.
3. Define the ISMS
▪ Identify and document an asset inventory and understand statutory, regulatory,
and contractual requirements to establish the boundaries and applicability of
the ISMS.
4. Develop an Information Security Policy
▪ Draft an initial information security policy that aligns with the organisation's
objectives and regulatory requirements, setting the groundwork for security
practices.
5. Define ISMS Roles and Responsibilities (R&Rs)
▪ Clearly define and document roles and responsibilities related to information
security to ensure accountability and effective implementation.
6. Set ISMS Objectives
▪ Establish specific, measurable, attainable, relevant, and time-bound (SMART)
objectives for the ISMS to guide the subsequent implementation phases and
provide clear goals for security improvements.
STEP 2: PLANNING
Overview of the Planning Phase
The Planning phase in the ISO 27001 implementation process is crucial for identifying,
assessing, and treating risks to ensure effective information security management within the
defined ISMS scope.
This phase establishes a structured approach to managing information security risks by
defining methodologies, documenting risks, and determining appropriate treatments.
The major inputs include the ISMS scope and the initial Statement of Applicability (SoA).
The main outputs are documented risk management methodologies, risk logs, risk treatment
plans, and an updated SoA.
Summary of Steps
1. Define Risk Methodology
▪ Establish and document the risk assessment and treatment methodology used
throughout the ISMS. This includes criteria for assessing and prioritising risks.
2. Identify Risks
▪ Conduct a thorough assessment to identify potential information security risks
within the ISMS scope. Document these risks in a risk log for further analysis.
3. Analyse & Evaluate Risks
▪ Analyse the identified risks to assess their potential impact and likelihood.
Evaluate these risks against the defined risk criteria to prioritise them for
treatment.
4. Determine Risk Treatment Options
▪ Based on the risk evaluation, determine and document appropriate risk
treatment options. Develop detailed risk treatment plans that outline how each
risk will be managed.
5. Update Statement of Applicability (SoA)
▪ Update the SoA to reflect the controls that have been determined necessary as
part of the risk treatment process. This document should justify the inclusion or
exclusion of each control based on the risk assessment and treatment findings.
STEP 3: IMPLEMENTATION
Overview of the Implementation Phase
The Implementation phase of ISO 27001 is where the planning comes to fruition by putting in
place the necessary controls and measures to manage information security risks effectively.
This phase is focused on developing and implementing policies, procedures, and controls,
conducting awareness campaigns, and providing training to ensure the ISMS is operational.
The major inputs include the Statement of Applicability (SoA), risk treatment plans, and ISMS
objectives.
The main outputs are a comprehensive resource plan, documented policies and procedures,
implemented controls, and trained staff.
Summary of Steps
1. Create Resource Plan
▪ Develop a detailed plan outlining the resources required to implement the ISMS,
including personnel, technology, and financial resources.
2. Document Policies & Procedures
▪ Formulate and document all necessary policies and procedures to support the
ISMS. This includes IT standard operating procedures (SOPs), incident
management SOPs, supplier security policy, business continuity procedures,
access control policy, secure system design principles, document control
procedures, and controls for record management. Please recognise these are
suggested minimums, and there may be many others you need to create.
3. Implement Controls
▪ Implement the information security controls as defined in the risk treatment
plans. This includes updating the risk assessment and treatment plans to reflect
the implemented controls.
4. Conduct Awareness Campaign
▪ Develop and execute a communication plan to raise awareness about the ISMS
and its importance among all employees. This ensures that everyone
understands their roles and responsibilities in maintaining information security.
5. Provide Training
▪ Identify training needs and develop a plan to ensure all relevant staff are
adequately trained on the ISMS policies, procedures, and controls. Maintain
records of all training conducted to demonstrate compliance.
STEP 4: MONITORING & REVIEW
Overview of the Monitoring & Review Phase
The Monitoring and Review phase of ISO 27001 implementation focuses on continuously
evaluating the ISMS to ensure its effectiveness and alignment with organisational objectives.
This phase involves regular monitoring, measurement, and auditing activities to identify areas
for improvement and ensure compliance with the established policies and controls.
The key inputs include scope changes and ISMS objectives.
The main outputs are ISMS performance reports, management review minutes, and audit
plans and findings.
Summary of Steps
1. Monitor & Measure ISMS Performance
▪ Monitor and measure the ISMS's performance regularly against the defined
objectives and metrics. Document these findings in an ISMS performance report
to track progress and identify areas needing attention.
2. Management Review
▪ Conduct periodic management reviews to assess the ISMS's overall
performance. This includes evaluating the results from monitoring activities,
considering scope changes, and reviewing ISMS objectives. Document the
minutes of these reviews to ensure transparency and record decisions made.
3. Internal Audits
▪ Plan and conduct internal audits to evaluate the ISMS's compliance with ISO
27001 requirements and organisational policies. Develop an audit plan and
document the findings of these audits to identify non-conformities and areas for
improvement.
STEP 5: CONTINUOUS IMPROVEMENT
Overview of the Continuous Improvement Phase
The Continuous Improvement phase in ISO 27001 focuses on maintaining and enhancing the
effectiveness of the ISMS by systematically addressing non-conformities and implementing
improvements.
This phase ensures the ISMS evolves with the organisation's changing needs and continuously
improves its information security posture.
The major inputs include ISMS performance reports, management review minutes, and audit
findings.
The main output is the improvement plan, which addresses identified non-conformities and
outlines steps for continuous enhancement.
Summary of Steps
1. Create Improvement Plan
▪ Develop a comprehensive improvement plan based on inputs from ISMS
performance reports, management review minutes, and audit findings. This plan
should address all identified non-conformities and propose actions to enhance
the ISMS.
2. Management Review Minutes
▪ Utilise the documented minutes from management reviews to identify
improvement areas. These reviews provide insights into the effectiveness of the
ISMS and highlight strategic areas for enhancement.
3. Audit Findings
▪ Leverage findings from internal and external audits to pinpoint specific
weaknesses or non-conformities within the ISMS. Address these findings
systematically in the improvement plan to ensure compliance and effectiveness.
4. Non-Conformities Log
▪ Maintain a log of all identified non-conformities, tracking and managing them.
Use this log to prioritise improvement plan actions and demonstrate
accountability and progress.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit
https://www.iseoblue.com/terms.