Implementing ISO 27001

We’ve summarised some of the most common elements of implementing an ISMS project:

Conduct a gap analysis

A gap analysis determines the shortfall between your current information security processes and the Standard’s requirements. It also identifies the resources and capabilities you need in order to close the gap.

Scope the ISMS

Scoping requires a decision about which information assets are going to be ring-fenced and protected. In larger organisations, this can be a tough, complicated process. Incorrectly scoping the project can leave your organisation vulnerable to risks that were not considered.

Determining the context of the organisation requires a review of aspects such as your organisation’s risk appetite and culture to ensure that the ISMS is designed to suit your business.

Develop your information security policy

The policy should reflect the organisation’s view on information security and be agreed by the board.

Conduct a risk assessment

The risk assessment is at the core of any ISMS. A risk assessor will identify the risks the organisation faces and conduct a risk estimation and evaluation of those risks. This often takes the form of an asset-based risk assessment. The risk assessment helps to identify whether controls are necessary and cost-effective for the organisation.

Select your controls

Controls should be applied to manage or reduce actual risks once the risk assessment has been completed. ISO 27001 requires you to compare any controls against its own list of best-practice controls contained in Annex A.

Create a Statement of Applicability (SoA)

The SoA sets out a list of all controls identified in Annex A of ISO/IEC 27001:2013, together with a statement of whether or not the control has been applied, and a justification for its inclusion or exclusion.

Set up a risk treatment plan (RTP)

The RTP describes the steps to be taken to deal with each risk identified in the risk assessment.

Create your documentation

Documentation needs to be developed to support every planned control and every component of the ISMS. This is to establish a point of reference to ensure consistent application and continual improvement. Creating documentation is the most time-consuming part of implementing an ISMS.

Roll out a staff awareness programme

All staff should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.

Conduct regular testing

ISO 27001 requires internal audits of the ISMS at planned intervals to determine whether the controls work as they should. Regular testing should also be conducted to ensure that your incident response plans function effectively.

Conduct management reviews

Top management should review the performance of the ISMS at least annually.

Choose your certification body

It is important to ensure that the certification body you use is properly accredited by a recognised national accreditation body that is a member of the IAF, such as UKAS (United Kingdom Accreditation Service).

Read more about the importance of accredited certification.

Gain accredited certification

The certification body will review your management system documentation and check that you have implemented appropriate controls, followed by a site audit to test the procedures in practice.

Manage and review your ISMS

ISO 27001 specifies the requirements for maintaining and continually improving the ISMS.

Get started now with these bestselling resources and tools

ISO 27001 standard

Must-have implementation guidance

Implementation masterclass

Policies and procedures toolkit

Gap analysis consultancy

DIY packaged consultancy