Considering adopting ISO 27001 but unsure whether it will work for your organisation? Although implementing ISO 27001 takes time and effort, it isn’t as expensive or as difficult as you might think.
We’ve trained more than 7,000 professionals on information security management system (ISMS) implementations and audits worldwide, and helped more than 600 organisations with ISO 27001 compliance and certification projects. Our experience means we know exactly what it takes to make a project succeed.
Our ISO 27001 implementation bundles can help you reduce the time and effort required to implement an ISMS, and eliminate the costs of consultancy work, travelling and other expenses.
ISO 27001 implementation checklist
Familiarise yourself with ISO 27001 and ISO 27002
Before you can reap the many benefits of ISO 27001, you first need to familiarise yourself with the Standard and its core requirements. The ISO/IEC 27001:2013, ISO/IEC 27002:2013 and ISO/IEC 27000:2018 standards will serve as your principal points of reference.
Assemble a project team and initiate the project
You will first need to appoint a project leader to manage the project (if it will be someone other than yourself). Second, you will need to embark on an information-gathering exercise to review senior-level objectives and set information security goals. Third, you should develop a project plan and project risk register.
Conduct a gap analysis
A gap analysis helps you determine which areas of the organisation aren’t compliant with ISO 27001, and what you need to do to become compliant.
Scope the ISMS
Scoping requires you to decide which information assets to ring-fence and protect. Doing this correctly is essential, because a scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organisation vulnerable to risks that weren’t considered.
Initiate high-level policy development and other key ISO 27001 documentation
You should set out high-level policies for the ISMS that establish roles and responsibilities and define rules for its continual improvement. Additionally, you need to consider how to raise ISMS project awareness through both internal and external communication.
Undertake a risk assessment
Risk assessments are the core of any ISMS and involve five important aspects: establishing a risk management framework; identifying risks; analysing those risks; evaluating them against your risk acceptance criteria; and selecting risk treatment options.
The risk assessment also helps identify whether your organisation’s controls are necessary and cost-effective.
Select and apply controls
Controls should be applied to manage or reduce the risks identified in the risk assessment. ISO 27001 requires organisations to compare the controls they select against the Standard’s own list of best-practice controls, which are contained in Annex A. Creating the supporting documentation is the most time-consuming part of implementing an ISMS.
Develop risk documentation
The risk treatment plan (RTP) and Statement of Applicability (SoA) are key documents required for an ISO 27001 compliance project.
The SoA lists all the controls identified in ISO 27001, details whether each control has been applied and explains why it was included or excluded. The RTP describes the steps to be taken to deal with each risk identified in the risk assessment.
Conduct staff awareness training
Human error has been widely demonstrated as the weakest link in cyber security. Therefore, all employees should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.
Assess, review and conduct an internal audit
ISO 27001 requires regular audits and testing to be carried out. This is to ensure that the controls are working as they should be and that the incident response plans are functioning effectively. Additionally, top management should review the performance of the ISMS at least annually.
Opt for a certification audit
If you opt for certification, the certification body you use should be properly accredited by a recognised national accreditation body and a member of the International Accreditation Forum.
Your chosen certification body will review your management system documentation, check that you have implemented appropriate controls and conduct a site audit to test the procedures in practice.
Speak to an expert
One of our qualified ISO 27001 lead implementers is ready to offer you practical advice about the best approach to take when implementing an ISO 27001 project, and to discuss different options to suit your budget and business needs.