Learn in small groups from top experts and real-life examples
  • (0)

    ISO 27001 & ISO 22301 Knowledge base

    ISO 27001 checklist: 16 steps for the implementation

    If you are starting to implement ISO 27001, you are probably looking for an easy way to implement it. Let me disappoint you: there is no easy way to do it. However, I’ll try to make your job easier – here is a list of 16 steps summarizing how to implement ISO 27001. From getting buy-in from top management, to going through activities for implementation, monitoring, and improvement, in this ISO 27001 checklist you have the main steps your organization needs to go through if you want to achieve ISO 27001 certification.

    ISO 27001 Implementation Steps

    1. Obtain management support

    This one may seem rather obvious, and it is usually not taken seriously enough. But in my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not enough money. (Read the article Four key benefits of ISO 27001 implementation for ideas on how to present the case to management.)

    2. Treat it as a project

    As I already said, the implementation of an Information Security Management System (ISMS) based on ISO 27001 is a complex issue involving various activities and lots of people, lasting several months (or more than a year). If you do not clearly define what is to be done, who is going to do it, and in what time frame (i.e., apply project management), you might as well never finish the job. (Read the article ISO 27001 project – How to make it work for more about developing a successful ISO 27001 project.)

    3. Define the scope

    If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thus significantly lowering your project risk; however, if your company is smaller than 50 employees, it will be probably easier for you to include your whole company in the scope. (Learn more about defining the scope in the article How to define the ISMS scope).

    4. Write an Information Security Policy

    The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS – it shouldn’t be very detailed, but it should define some basic requirements for information security in your organization. But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it. (Learn more in the article What should you write in your Information Security Policy according to ISO 27001?)

    5. Define the risk assessment methodology

    Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the risks, impacts, and likelihood, and to define the acceptable level of risk. If those rules were not clearly defined, you might find yourself in a situation where you get unusable results. (For more, read the article How to write ISO 27001 risk assessment methodology).

    6. Perform the risk assessment & risk treatment

    Here you have to implement the risk assessment you defined in the previous step – it might take several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the internal and external dangers to your organization’s information. (For more, read the article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities).

    The purpose of the risk treatment process is to decrease the risks that are not acceptable – this is usually done by planning to use the controls from Annex A. (Learn more in the article 4 mitigation options in risk treatment according to ISO 27001).

    In this step, a Risk Assessment Report has to be written, which documents all the steps taken during the risk assessment and risk treatment process. Also, an approval of residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.

    7. Write the Statement of Applicability

    Once you have finished your risk treatment process, you will know exactly which controls from Annex A you need (there are a total of 114 controls, but you probably won’t need them all). The purpose of this document (frequently referred to as the SoA) is to list all controls and to define which are applicable and which are not, and the reasons for such a decision; the objectives to be achieved with the controls; and a description of how they are implemented in the organization.

    The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS. (Read the article The importance of Statement of Applicability for ISO 27001 to learn more).

    8. Write the Risk Treatment Plan

    Just when you thought you had resolved all of the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from the SoA are to be implemented – who is going to do it, when, with what budget, etc. This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project. (Read the article Risk Treatment Plan and risk treatment process – What’s the difference? for more details on the Risk Treatment Plan).

    9. Define how to measure the effectiveness of controls

    This is another task that is usually underestimated in a management system. The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose? Therefore, be sure to define how you are going to measure the fulfillment of objectives you have set both for the whole ISMS, and for security processes and/or controls. (Read more in the article ISO 27001 control objectives – Why are they important?)

    10. Implement the controls & mandatory procedures

    This might be easier said than done. This is where you have to implement the documents and records required by clauses 4 to 10 of the standard, and the applicable controls from Annex A. For more about ISO 27001-required documents and records, read the article List of mandatory documents required by ISO 27001 (2013 revision). For more about Annex A, read the article How to structure the documents for ISO 27001 Annex A controls

    This is usually the riskiest task in your project because it means enforcing new behavior in your organization. Often, new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.

    11. Implement training and awareness programs

    If you want your personnel to implement all of the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected. The absence of these activities in a management system is the second most common reason for ISO 27001 project failure. (For more about training and awareness, read the article How to perform training & awareness for ISO 27001 and ISO 22301).

    12. Operate the ISMS

    This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records.” ISO 27001 certification auditors love records – without records, you will find it very hard to prove that some activity has really been done. But records should help you in the first place – by using them, you can monitor what is happening – you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required. (Read more in the article Records management in ISO 27001 and ISO 22301).

    13. Monitor the ISMS

    What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly?

    This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions. (Learn more in the article How to perform monitoring and measurement in ISO 27001).

    14. Internal audit

    Very often, people are not aware that they are doing something wrong (on the other hand, they sometimes are, but they don’t want anyone to find out about it). But being unaware of existing or potential problems can hurt your organization – you have to perform an internal audit in order to find out such things. The point here is not to initiate disciplinary actions, but to take corrective and/or preventive actions. (Read the article How to prepare for an ISO 27001 internal audit for more details.)

    15. Management review

    Management does not have to configure your firewall, but they must know what is going on in the ISMS, i.e., if everyone performed their duties, and if the ISMS is achieving the desired results, fulfilling the defined requirements, etc. Based on that, the management must make some crucial decisions. (Learn more in the article Why is management review important for ISO 27001 and ISO 22301?)

    16. Corrective and preventive actions

    The purpose of the management system is to ensure that everything that is wrong (so-called “non-conformities”) is corrected, or hopefully prevented. Therefore, ISO 27001 requires that corrective and preventive actions are done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified. (Read the article Practical use of corrective actions for ISO 27001 and ISO 22301).

    Hopefully, this ISO 27001 checklist has clarified what needs to be done – although ISO 27001 is not an easy task, it is not necessarily a complicated one. You just have to plan each step carefully, and don’t worry – you’ll get the ISO 27001 certification for your organization.

    To learn how to implement ISO 27001 through a step-by-step wizard and get all the necessary policies and procedures, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Advisera Dejan Kosutic
    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.