How to implement an ISMS aligned with ISO 27001

With cyber attacks and data breaches on the rise, cyber security is fast becoming organisations’ top priority. Many have chosen to mitigate the risk by implementing an information security management system (ISMS).

An ISMS is a system of processes, documents, technology and people that helps organisations manage, monitor and improve their information security in one place.

ISO 27001 is the international standard that describes best practice for an ISMS.
An ISO 27001-compliant ISMS can benefit your organisation in several ways. It enhances your organisation’s structure and focus by clearly setting out who is responsible for various information security risks. It also protects and improves your reputation, proving to customers that you take information security seriously and are doing everything you can to keep data secure.

Even if you do suffer a breach, regulators show leniency to organisations that have certified to ISO 27001, because such organisations are able to demonstrate that they follow information security best practice.

How to implement an ISMS

There are nine steps to implementing an ISMS:

  1. Create a project mandate: The implementation project should begin by appointing a project leader, who will work with other members of staff to create an initial plan.
  2. Initiate the project: Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
  3. Adopt a methodology for the ISMS: ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security. However, it doesn’t specify a particular methodology, instead allowing organisations to use whatever method they choose, or to continue with a model they already have in place.
  4. Create a management framework: This begins by identifying the scope of the system, which will depend on its context. The scope needs to account for your offices, your employees’ mobile devices and your teleworkers.
  5. Identify baseline security criteria: These are the requirements and corresponding measures or controls that are necessary to conduct business.
  6. Create a risk management process: ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to one method than another.
  7. Create a risk treatment plan: This is the process of building the security controls that will protect your organisation’s information assets. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
  8. Measure, monitor and review the results: For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.
  9. Achieve certification: Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves that the ISMS meets the requirements of ISO 27001, and allows organisations to experience the benefits of certification.

Become an ISMS expert

To gain the skills necessary to implement an ISMS, you should consider enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course is the ideal starting point for all prospective ISO 27001 project managers and auditors, or anyone who wishes to build a career in information security management. Developed by the team that led the world’s first ISO 27001 certification project, it provides a comprehensive introduction to the Standard and an overview of the key implementation activities, including:

  • An overview of ISO 27001 and its application;
  • Detailed benefits of ISMS certification;
  • Key elements of ISMS implementation project planning;
  • The core elements of the ISMS;
  • The key steps of an ISO 27001 risk assessment; and
  • An overview of the ISO 27001 Annex A controls.

IT Governance has helped more than 7,000 professionals across the globe learn about ISO 27001. Our online training option allows you to study from wherever you’re based and from the comfort of your own home or office.