What’s the best way to implement ISO 27001? (Difficult question, I know!)

As you’re reading this, I’m sure you can testify to the fact that there are a great many ways of approaching an ISO 27001 implementation project.

Since the project can be quite complicated – especially in larger organisations where the scope needs to be defined and the project might be isolated to a specific business area – many organisations can find the process quite daunting.

  1. Do it yourself

Some prefer to approach the project themselves, by gaining the internal expertise through a combination of training and ‘self-help’ tools, but the plethora of available tools offered by different providers can make the process of choosing a suitable solution even more difficult!

What may work perfectly for one organisation may not be right for the next. This might work out cheaper than outsourcing the project, but it could also lead to project overruns and high demands being placed on scarce resources.

As a quick overview, these are probably the key things that you will need if you are tackling the project via a DIY approach:

  • A copy of the standards: ISO 27001:2013, ISO 27002:2013, ISO 27000:2014
  • An ISO 27001 implementation guide
  • ISO 27001 Lead Implementer and Internal Auditor/Lead Auditor training
  • An ISMS documentation toolkit
  • Risk assessment software (if you know that Excel might prove too unwieldy)
  • Staff awareness training tools

  2. Call in the experts

At the other end of the spectrum, there is the option to call in the experts to do all the work. This is sometimes the preferred solution for those with limited time and resources, but who do have the necessary budget.

Using consultants who know best, who have a solid track record of implementing the Standard, and who have the experience to keep the project on track and within budget is probably the neatest and most efficient way of approaching an ISO 27001 implementation project. Some may be wary of this option, as they feel they lose control over the project and, once the consultants have left, they’re none the wiser as to how to maintain the ISMS post-certification.

A solution for this is to use an ISMS managed service to maintain your ISMS all year round.

  3. Combined approach

Many of our clients favour the combined approach. Using a blend of self-help tools, internal training and a series of fixed sessions with a personal ISO 27001 coach gives the client the opportunity to combine the best of both worlds.

This is a much more cost-effective option than standard consultancy, as most of the sessions are delivered using a variety of online methods (including Skype calls, telephone conversations and email), eliminating any additional consultancy expenses.

The client is able to mobilise and manage their own project team, and gain the necessary internal knowledge, while still benefiting from ongoing guidance from the implementation coach throughout the project.

With IT Governance’s ISO 27001 Mentor and Coach consultancy service, you are in control, which saves you money while you benefit from the expertise of an experienced implementation coach.

Find out more about the ISO 27001 Mentor and Coach consultancy service.