ISO 27001 implementation checklist

By Dejan Kosutic on September 28, 2010

If you are starting to implement ISO 27001, you are probably looking for an easy way to implement it. Let me disappoint you: there is no easy way to do it. However, I’ll try to make your job easier – here is the list of sixteen steps you have to go through if you want to achieve ISO 27001 certification:

1. Obtain management support

This one may seem rather obvious, yet it is usually not taken seriously enough. In my experience, this is the main reason why ISO 27001 projects fail: management does not provide enough people to work on the project, or not enough money. (Read Four key benefits of ISO 27001 implementation for ideas on how to present the case to management.)

2. Treat it as a project

As already said, ISO 27001 implementation is a complex issue involving various activities, lots of people, lasting several months (or more than a year). If you do not define clearly what is to be done, who is going to do it and in what time frame (i.e. apply project management), you might as well never finish the job.

3. Define the scope

If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thus significantly lowering your project risk. (Problems with defining the scope in ISO 27001)

4. Write an ISMS Policy

ISMS Policy is the highest-level document in your ISMS – it shouldn’t be very detailed, but it should define some basic issues for information security in your organization. But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it. (Information security policy – how detailed should it be?)

5. Define the Risk Assessment methodology

Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the assets, vulnerabilities, threats, impacts and likelihood, and to define the acceptable level of risk. If those rules are not clearly defined, you might find yourself in a situation where you get unusable results. (Risk assessment tips for smaller companies)

6. Perform the risk assessment & risk treatment

Here you have to implement what you defined in the previous step – it might take several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the dangers for your organization’s information.

The purpose of the risk treatment process is to decrease the risks which are not acceptable – this is usually done by planning to use the controls from Annex A.

In this step a Risk Assessment Report has to be written, which documents all the steps taken during the risk assessment and risk treatment process. Also, approval of the residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.

7. Write the Statement of Applicability

Once you have finished your risk treatment process, you will know exactly which controls from Annex A you need (there are a total of 133 controls, but you probably won't need them all). The purpose of this document (frequently referred to as the SoA) is to list all controls and to define which are applicable and which are not, the reasons for such a decision, the objectives to be achieved with the controls, and a description of how they are implemented.

The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of ISMS.
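The flow from the risk assessment rules (step 5) through treatment and residual-risk approval (step 6) to the Statement of Applicability (step 7), as an added Python example that is not part of the original article. The scoring formula (likelihood times impact), the acceptable level of 8 and the control identifiers are assumptions made for the example; ISO 27001 leaves the methodology to the organization.

```python
# Added example, not from the original article: a minimal model of steps 5-7.
# Assumed here (ISO 27001 leaves the methodology to you): risk = likelihood x
# impact on 1-5 scales, acceptable level 8, and control ids that are placeholders.
from dataclasses import dataclass, field
from typing import Optional

ACCEPTABLE_RISK = 8  # assumed: risk at or below this needs no treatment

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)  # planned treatment
    residual_likelihood: Optional[int] = None     # expected after treatment

    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        # treatment lowers likelihood; an untreated risk keeps its level
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lik * self.impact

def needs_treatment(r: Risk) -> bool:
    """Step 6: risks above the acceptable level must be treated."""
    return r.level() > ACCEPTABLE_RISK

def residual_risks_requiring_approval(register) -> list:
    """Step 6: residual risk still above the level needs management approval."""
    return [r.asset for r in register if r.residual_level() > ACCEPTABLE_RISK]

def statement_of_applicability(register, catalogue) -> dict:
    """Step 7: each control is applicable (with the risks it treats) or excluded."""
    soa = {}
    for ctrl in catalogue:
        treats = [f"{r.asset}: {r.threat}" for r in register
                  if needs_treatment(r) and ctrl in r.controls]
        soa[ctrl] = ("applicable", treats) if treats else ("excluded", ["no unacceptable risk needs it"])
    return soa

# Constructed sample register and control catalogue (placeholder ids).
CATALOGUE = ["CTRL-crypto", "CTRL-asset", "CTRL-physical"]
REGISTER = [
    Risk("customer DB", "data theft", "no encryption at rest", 4, 5, ["CTRL-crypto"], 1),
    Risk("laptops", "loss in transit", "no disk encryption", 3, 4, ["CTRL-crypto", "CTRL-asset"], 3),
    Risk("website", "defacement", "unpatched CMS", 2, 3),
]
```

The laptop risk stays above the threshold even after treatment, which is the case where the residual risk needs explicit sign-off rather than silently being carried into the SoA.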

8. Write the Risk Treatment Plan

Just when you thought you resolved all the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from SoA are to be implemented – who is going to do it, when, with what budget etc. This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project.

9. Define how to measure the effectiveness of controls

Another task that is usually underestimated. The point here is: if you can't measure what you've done, how can you be sure you have fulfilled the purpose? Therefore, be sure to define how you are going to measure the fulfilment of the objectives you have set, both for the whole ISMS and for each applicable control in the Statement of Applicability.

10. Implement the controls & mandatory procedures

Easier said than done. This is where you have to implement the four mandatory procedures and the applicable controls from Annex A.

This is usually the most risky task in your project – it usually means the application of new technology, but above all – implementation of new behaviour in your organization. Often new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.

11. Implement training and awareness programs

If you want your personnel to implement all the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected. The absence of these activities is the second most common reason for ISO 27001 project failure.

12. Operate the ISMS

This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records”. Auditors love records – without records you will find it very hard to prove that some activity has really been done. But records should help you in the first place – using them you can monitor what is happening – you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required.

13. Monitor the ISMS

What is happening in your ISMS? How many incidents do you have, of what type? Are all the procedures carried out properly?

This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions.

14. Internal audit

Very often people are not aware they are doing something wrong (on the other hand, they sometimes are, but they don't want anyone to find out about it). But being unaware of existing or potential problems can hurt your organization – you have to perform an internal audit in order to find out such things. The point here is not to initiate disciplinary actions, but to take corrective and/or preventive actions. (Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

15. Management review

Management does not have to configure your firewall, but it must know what is going on in the ISMS, i.e. if everyone performed his or her duties, if the ISMS is achieving desired results etc. Based on that, the management must make some crucial decisions.

16. Corrective and preventive actions

The purpose of the management system is to ensure that everything that is wrong (so-called “non-conformities”) is corrected, or hopefully prevented. Therefore, ISO 27001 requires that corrective and preventive actions are done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified.

Hopefully this article clarified what needs to be done – although ISO 27001 is not an easy task, it is not necessarily a complicated one. You just have to plan each step carefully, and don’t worry – you’ll get your certificate.

Here you can download the diagram of ISO 27001 implementation process showing all these steps together with the required documentation.

  • Raghavendra Gururaj

    Dear Dejan Kosutic,
    Quite crisp and up to the point. I liked the way the steps are defined and explained.


  • Ronaldo

    I have implemented 27001. A prospective customer wants to see our SoA. Is this acceptable?


  • Dejan Kosutic

    It would be acceptable if you don’t have confidential information in Statement of Applicability – therefore, you need to classify it first and then decide on allowing access or not. If you do have confidential information but care a lot about that customer, then it would be necessary to first sign the agreement where you would define the clauses for protection of information they are about to see.

  • Michael

    It would usually be acceptable, as the SoA only contains a list of controls you have implemented which doesn’t have to be confidential per se.
    I agree with Dejan in so far as stating or not stating a control might be seen as an indicator of your trustworthiness as a service provider by the customer. If this is a concern then you should follow the procedure Dejan described.

  • Andrea Simmons

    Can I ask for edits to this checklist?! “Write an ISMS Policy” is erroneous. You wouldn’t write an ISMS Policy… you write an ISP… an Information Security Policy. An ISMS is an Information Security Management System – it’s a System – not a Policy…. it is constructed of all the parts you have mentioned – the ISP, the SOA, the Risk Treatment Plan (RTP) etc. And whilst I agree with the intent of “Treat it as a project”, explicitly stating this means that people expect there to be an END…there isn’t one… doing information security properly is about building it into the fabric and DNA of an organisation – to which there should be NO end…. it doesn’t stop, it’s not finite etc…

  • Dejan Kosutic

    Andrea, clauses 4.2.1 b) and 4.3.1 a) specifically require to write a “ISMS policy” – this is a top-level policy that defines some basic rules for information security management. I agree with you that there should also be other policies that define some specific areas, like Acceptable Use Policy, Classification Policy, etc.

    I agree with you completely that information security management is a never-ending story – this is exactly the point I emphasized in my other blog post: However, the focus of this checklist with 16 steps is how to achieve the certification – if a company doesn’t have any management system in place, then I strongly believe that the only way to achieve successful implementation is by applying project management techniques. After the initial implementation is finished, the project structure should be replaced by a permanent information security management structure.

  • Paula

    I am aware that ISO 27001 is in the process of being redrafted. My company is looking to implement ISO 27001. Is it worth us waiting until the new standard is released, or continue working with the standard currently in place. We would not be looking to achieve certification until the end of 2013.

  • Dejan Kosutic

    Regarding the new ISO 27001 standard – at best it will be published in October 2013, but this is never certain – it could drag on until the March or April 2014 because it has to be approved by the majority of member countries of ISO.

    Once it is approved you will have a 2 year period to adapt to this new standard – and this you can do rather easily because you would have to maintain your existing documentation anyway and the new version of ISO 27001 won’t be too different from the version from 2005. (See this article which speaks about the new version:

    So my guess would be it is better to implement it now because otherwise you would lose quite a lot of time, and adapting to the new version of the standard won’t be too difficult.

  • ISO 27001 Manual

    Our ISO 27001 training courses are designed with your business in mind and delivered by best in class trainers. Choose from public courses or bespoke onsite training to gain the knowledge needed to independently build and manage a long-term information security framework.

  • Deepak

    Hi Mr. Dejan,
    I have a few questions in mind:

    Even with the release of the new version, can we still implement and get certified for ISO27001:2005 in the coming year, i.e. 2014? If that is so, for how long will that certificate be valid?

    What is your suggestion: should we wait for the new release to be out in the market to begin ISMS implementation, or should we progress with

    Awaiting your response.


  • Dejan Kosutic

    Deepak, after new revision of ISO 27001 is published (ISO says target date is October 2013), it is not going to be possible to certify against ISO 27001:2005.

    However, if you certify against ISO 27001:2005 before the new revision is published, you will have 2 years to comply with the new revision.

    Therefore, if your implementation according to ISO 27001:2005 is already in progress, or if you need this certificate quickly, I would advise you to get certified as soon as you can. On the other hand, if there is no time pressure you can start your implementation according to FDIS ISO/IEC 27001:2013, and plan your certification after October 2013.

  • SecurityFan

    Hej Dejan,
    why do you create the RTP right after the SoA, but before the procedures? I agree that the actual implementation of the controls has to be done after the RTP, but wouldn’t it be better to define procedures first and then conclude from them what resources and time you’ll need?
    I am planning to write procedures for all/most of the controls to ensure thorough documentation, and doing so before defining the RTP would give me the ability to have a more or less exact idea of the resources and times needed.
    Also, what do you generally think about writing procedures for all applicable controls? (ofc individually worked out for the company’s needs)

  • Dejan Kosutic

    Hi SecurityFan, the Risk Treatment Plan needs to be written before you start writing the procedures, because the RTP is a kind of action plan which defines who will be responsible for writing these procedures, what the deadlines are, etc. I agree with you that you wouldn’t be able to anticipate all the resources for the implementation of those procedures, but the primary purpose of the RTP is to plan how to comply with all the applicable controls from the SoA.

    I don’t think you should write procedures for all the applicable controls, because that would mean you would have too many documents; instead, you should focus on most important ones – please read this article: 5 ways to avoid overhead with ISO 27001 (and keep the costs down)

  • Santhosh

    Hello Sir,

    This is Santhosh from India. Is there any write-up explaining the 133 controls and their importance with some examples?

  • Dejan Kosutic

    Santhosh, the best way is to purchase ISO 27002 – it describes each control in detail and suggests the way to implement them.

  • Santhosh

    Thanks for your swift response. How to assess the legal requirements for ISMS implementation?

  • Santhosh

    Dear Sir,

    We are in the process of implementing an ISMS and we have followed ISO/IEC 27001:2005 (reaffirmed 2013) for all our initiation process. Do we need to follow this, or do we have to get the new release of ISO/IEC 27001:2013? Kindly provide your valuable reply in this regard.

  • Dejan Kosutic

    Santhosh, you can get certified against the old ISO 27001:2005 revision until September 25, 2014 – for more details see this article:

  • Rakesh Maheshwari

    In my view the SOA is one document which needs to be shared with the customer as and when required. After all, only then will the actual scope and extent of implementation of the ISMS be clear.