ISO 27001: Complete 10-step implementation guide

Information protection is an extremely important topic for the interconnected and globalized world in which we live today. The entire digital infrastructure of modern society, including business, international trade and social media, depends on technologies and services that need to be protected. We can mention threats such as intrusions, unauthorized access, data loss, among others. Managing information security is even more challenging because it involves a variety of variables, such as policies, procedures, processes, control measures, and applications, that need to be managed strategically and intelligently.

Information security management is essential to protect businesses and society from potentially devastating threats. It is crucial that organizations assess the risks involved, considering the potential impact of security incidents, and adopt an intelligent and appropriate risk assessment approach.

The ISO 27000 family of standards helps organizations keep their information assets secure. ISO/IEC 27001 is the best-known standard in this family and sets out the requirements for the information security management system (ISMS).


To implement any management system, a certain level of documentation is required: policies, procedures, detailed work instructions, etc. ISO 27001 is no different in this respect: formal documentation is required. However, it is slightly unusual in that it includes a list of controls that an organization should consider as part of its implementation, where a control is a method to treat risks.

Probably as a result of this, a very common question is “should I start by writing the documentation or implementing the controls?”. The answer is “neither.” The standard itself mentions that an ISMS must preserve the confidentiality, integrity and availability of information by applying a RISK management process. Therefore, writing documentation or applying controls to address risks BEFORE identifying and classifying them means trampling on the order of things.

Implementing an information security management system compliant with ISO 27001 can be a challenge. To make this journey easier, the following is a 10-step guide on how to implement ISO 27001 in your company, from senior management buy-in to implementation, monitoring and improvement activities.


Step 1: Form an implementation team

Your first task is to appoint a project leader to oversee the implementation of the ISMS. They must have a comprehensive knowledge of information security as well as authority to lead a team and give orders to managers.

Who within your organization will oversee the process, set expectations, and manage milestones? How will you gain buy-in from the company’s leadership? Will you hire an ISO 27001 consultant to assist you in the process?

Once the team is together, they should create a project plan and define certain answers:

  • What do we hope to achieve?
  • How long will it take?
  • How much will it cost?
  • Does the project have managerial support?

Educating yourself about ISO 27001 and its 93 controls is a key part of this process.

Step 2: Define the scope of your ISMS

Each business is unique and houses different types of data. Before you build your ISMS, you’ll need to determine exactly what type of information you need to protect. This involves identifying the locations where information is stored: in physical or digital files and portable systems or devices. Correctly defining your scope is an essential part of your ISMS implementation project.

If your scope is too small, you can leave information exposed, putting your organization’s security at risk. However, if the scope is too broad, the ISMS will become too complex to manage. For some companies, the scope includes the entire organization. For others, it includes only a specific department or system, and that’s okay: the standard allows it. Some considerations to take into account at this point:

  • Internal and external matters defined in clause 4.1.
  • All requirements defined in clause 4.2.
  • The interfaces and dependencies between what is happening within the scope and the external environment.

Step 3: Map and identify risks

A formal risk assessment is a requirement for compliance with the standard. This means that the data, analysis and results of your risk assessment must be documented.

ISO 27001 is actually part of a “family” of standards, the ISO 27000 series. ISO 27005 provides guidelines for managing information security risks. It proposes two approaches to identifying and scoring risks:


  • Scenario-based approach: risks are identified considering events and scored by assessing their consequences. In other words, you try to think about everything that could go wrong (events) and determine what impact (consequences) this would have on the confidentiality, integrity, and availability of the information in your scope.
  • Asset threat vulnerability approach: risks are identified using the asset inventory as a starting point. For each asset category (e.g., laptops, servers, networks), threats (theft, human error, malware, etc.) are considered and scored accordingly.

Step 4: Establish a risk management process

Now that you’ve identified the risks, you’ll need to decide how your organization will respond. What risks are you willing to tolerate and which ones do you need to address? All risks, controls and mitigation methods must be clearly defined and updated in the security policy. This helps organizations provide clear guidance to their stakeholders and create a strategic framework that serves as the foundation for information security.

In a future audit, the auditor will want to review the decisions you made regarding each risk identified during your mapping. You will also need to produce a Statement of Applicability and a Risk Treatment Plan as part of your audit evidence.

The Statement of Applicability summarizes and explains which ISO 27001 controls and policies are relevant to your organization. This document is one of the first things the auditor will review during their certification audit.

The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats identified during the risk assessment process.

Regarding risks, you can follow one of the following four actions:

  • Modify the risk by establishing controls that reduce the likelihood of its occurrence.
  • Avoid risk by preventing the circumstances in which it could occur.
  • Share the risk with a third party (i.e. outsource security efforts to another company, purchase insurance, etc.).
  • Accept the risk because the cost of solving it is greater than the potential damage.

You will then implement controls in response to the identified risks. Your policies should establish and enforce security best practices, such as requiring employees to use multi-factor authentication and lock devices whenever they leave their workstations.

That may be easier said than done. This is where you must implement all documents and technologies and consequently change your company’s security processes. This is often the most difficult task in your project because it means imposing new behavior on your organization. New policies and procedures are often needed (meaning change is needed) and people often resist change – that’s why the next task (training and awareness) is crucial to avoid this risk.

Step 5: Implement training and awareness programs

If you want your people to implement all the new policies and procedures, you must first explain to them why they are needed and train them so that they can act as expected. Furthermore, ISO 27001 requires all employees to be trained in information security. This ensures that everyone in your organization understands the importance of data security and its role in achieving and maintaining compliance.

It is essential that there is evidence of training.

Step 6: Document and collect evidence

This is the part where ISO 27001 becomes a daily routine in your organization. The crucial word here is “records.” To obtain certification, you will need to prove to your auditor that you have established effective policies and controls and that they are working as required by the standard.

Beyond the audit, records should first of all help you: by using them, you can monitor what’s going on. You will know for sure if everyone involved in the ISMS is performing their tasks as needed.

Step 7: Monitor and measure the ISMS

What’s going on in your ISMS? How many incidents do you have and of what kind? Are all procedures performed correctly?

This is where the objectives of your controls and your measurement methodology come together – you must verify that the results obtained are achieving what you have defined in your objectives. Otherwise, you will know that something is wrong and must take corrective and/or preventive actions to correct the problem.

Step 8: Perform internal audits

Periodic internal audit is mandatory for monitoring and review. It consists of testing the controls and identifying gaps, which are then addressed through corrective and preventive actions.

To be effective, the ISMS needs to be reviewed by senior management at planned and periodic intervals. The review should evaluate changes/improvements to personnel policies, procedures, controls and decisions. This important step in the process is the review of project management. The results of periodic audits and reviews need to be documented and maintained.

Step 9: Prepare for the certification audit

For the organization to be certified, it is essential that it conducts a full cycle of internal audits, management reviews, and activities in the PDCA process and retains evidence of the actions and decisions taken as a result of these reviews and audits. ISMS management shall review risk assessments, the Risk Treatment Plan (RTP), the Statement of Applicability (SoA), and policies and procedures at least annually.

The initial certification audit is divided into two phases, phase 1 and phase 2. Phase 1 is a predominantly documentary audit to verify that the management system is capable of being audited in a phase 2 certification audit. It is at this stage that the phase 2 audit plan is prepared. Phase 2 is an audit where all techniques are applied, with documentary verification, interviews, process evaluation, infrastructure evaluation, etc. This stage has the largest number of audit days and, consequently, the largest sampling of the certification cycle.

Step 10: Maintain continuous improvement

Security is not a destination, but a journey. You may have already been audited and certified, but it’s important to continue monitoring, adjusting and improving your ISMS. As your business evolves and new risks arise, you’ll need to look at opportunities to improve existing processes and controls.

ISO 27001 requires periodic internal audits as part of this ongoing monitoring. Internal auditors examine processes and policies to look for potential weaknesses and areas for improvement prior to a new external audit.

How much does it cost to implement ISO 27001?

This is often the first question of directors and business owners. Well, the answer is not immediate and the total cost of implementation will depend on a few factors:

  • The size of your company, that is, the number of employees (you should calculate only the employees that will be included in the scope of your ISO 27001).
  • The level of criticality of information (e.g. information in banks is considered more critical and requires a higher level of protection).
  • The technology the organization is using (for example, data centers tend to have higher costs because of their complex systems).
  • Legislation requirements (generally, the financial and government sectors are heavily regulated with regard to information security).

Furthermore, there are all other possible costs that may occur during implementation such as: training and literature, consulting, new technologies and certification.

What is the time required for the implementation of ISO 27001?

How long will it take? This is likely to be the second question after the cost assessment. Well, the answer isn’t really motivating – many people believe implementation only takes a few weeks. But that’s not realistic at all. The reality is a few months for smaller companies up to more than a year for larger organizations.

Of course, you can always produce dozens of documents in a matter of days stating that your company complies with ISO 27001, but that is not what true implementation of the standard is about. Its real purpose is to produce results: fewer incidents, greater efficiency, cost reduction, etc.

Both the duration and the complexity can be reduced considerably with the help of consultants or software tools. If you are trying to do this alone, without help, it will certainly take much longer.

How can SoftExpert help you?

With SoftExpert, you have access to the most comprehensive and advanced software solution on the market for information security management. SoftExpert Excellence Suite helps you adhere to ISO/IEC 27001, reducing compliance costs, maximizing success, increasing productivity and reducing risk.

With the SoftExpert solution you can easily meet the requirements of ISO 27001, ensuring the three pillars of information security: Confidentiality, Integrity and Availability (CIA). It will assist you in various processes such as risk management, controls, information security policies, assets, incidents, suppliers, performance indicators, processes, among others. This will drive organizational efficiency in your company and reduce rework and waste.


    Camilla Christino



    Business Analyst at SoftExpert, completed a Bachelor's in Food Engineering at Instituto Mauá de Tecnologia. She has solid experience in the quality area in the food industries with a focus on monitoring and adapting internal and external auditing processes, documentation of the quality management system (ISO 9001, FSSC 22000, ISO / IEC 17025), Quality Control, Regulatory Affairs, GMP, HACCP and Food Chemical Codex (FCC). She is also certified as a leading auditor in the ISO 9001: 2015.
