ISO 27001 is the world's most widely used international standard for managing information security and maintaining compliance through an Information Security Management System (ISMS).
The ISO 27001 certification strengthens your organisation's image by proving to partners and customers that their information assets, such as personal and sensitive data, are being handled properly.
However, successfully implementing ISO 27001 is a lengthy process that requires precise planning and clear timelines, as well as extensive preparation.
To make this easier for you, we’ve created the following article to give you a complete overview of the ISO 27001 compliance and certification journey, along with a downloadable ISO 27001 Implementation checklist.
In this article
- ISO 27001 Implementation roadmap
- What are the mandatory documents required for ISO 27001?
- Employees implementing a project: What are their roles?
- What do you need to look for in ISO 27001 implementation tools?
- How much effort is required to implement and maintain the ISMS?
- How much time is needed for the initial ISO 27001 implementation?
- What are the key success factors for an ISO 27001 implementation?
- What are the four main advantages of implementing ISO 27001?
- How much does ISO 27001 implementation cost?
ISO 27001 Implementation Roadmap
There are 2 parts to ISO 27001: compliance and certification. Our ISO 27001 implementation roadmap covers both compliance and certification in a total of 9 steps—8 to achieve compliance and an additional 1 to get certified.
To make the process smoother, you can also leverage DataGuard’s ISO 27001 platform which helps to implement these steps quickly, manage the required documentation and organise your tasks in one place. Let’s get started and first take a look at the 8 steps to ISO 27001 compliance:
Step 1: Assemble your team
Estimated time: 1 week
Deliverables: Project Team RACI Chart, drafting of Statement of Applicability and Scope of
Step 2: Complete gap analysis
An ISO 27001 gap analysis is a process of evaluating an organisation's current ISMS against the requirements of the ISO 27001 standard. The analysis helps to identify gaps or areas where the organisation's information security controls do not meet the ISO 27001 standard. Then, it provides a roadmap for the organisation to improve its information security and achieve ISO 27001 certification.
At DataGuard, we run this process through our ISO 27001 platform. You can answer comprehensive questionnaires that cover all areas of the ISMS to understand the gaps in your system and the assets that need to be protected.
Estimated time: 2 weeks
Deliverables: A report outlining your biggest process gaps and risks.
Step 3: Prioritise recommendations
Based on the gap analysis, our platform generates recommendations like addressing policy gaps and patching ISMS flaws. They are prioritised so you know which ones to work on first.
Estimated time: 6 weeks
Deliverables: Clear next steps to prepare for ISO 27001, plus a joint action plan.
Step 4: Asset management
Asset management is an important component of an ISMS that focuses on identifying, classifying, and managing information assets. This includes all types of information assets, such as physical, digital, and intellectual assets.
With our ISO 27001 platform, you can keep tabs on all your data assets, organise them by how secure they need to be, and calculate the risks associated with each one. Assets can be imported as CSV files, which allows for simple additions and deletions to your asset list.
Estimated time: 2 weeks
Deliverables: Up-to-date and live record of all assets established by the organisation.
Step 5: Risk management
ISO 27001 risk management is a systematic approach to identify, assess, and treat an organisation's information security risks. It involves the following steps:
- Risk assessment - identifies and evaluates the risks to the confidentiality, integrity, and availability of the organisation’s information assets. It includes identifying the assets to be protected, the threats to those assets, and the vulnerabilities that the threats could exploit.
- Risk treatment - After the risk assessment, this process selects and implements appropriate risk management measures to mitigate the identified risks. It can include implementing security controls, developing policies and procedures, and implementing a risk management framework.
- Risk monitoring and review - This means regularly reviewing and monitoring the effectiveness of the risk management measures and adjusting them as necessary based on new risks or information.
DataGuard’s risk management feature helps you create a risk map which provides your team with a complete overview of your risks and vulnerabilities.
Estimated time: 2 weeks
Deliverables: A visual overview of your biggest risks and vulnerabilities so that your team can prioritise what to tackle next.
Step 6: ISMS documentation
ISMS documentation is the set of documents, records, and other materials required for the implementation and operation of an ISO 27001-compliant ISMS. The documentation provides a systematic approach to information security management that is consistent, effective, and responsive to the organisation’s needs and objectives.
Our documentation platform can help keep your documents in a centralised location at this stage, upload them with ease and create new documents with the help of questionnaires or pre-made templates.
Additionally, it offers a policy generation option which is as simple as filling out a few forms. The information you provide will then allow our platform to automatically generate many of the required policies for the audit.
Estimated time: 1.5 months
Deliverables: Establishing all ISMS documentation and policies for your ISO 27001 audit.
Step 7: Internal audit
Internal audits of the ISMS are frequently required by ISO 27001. They are useful for testing your new processes and getting ready for the formal audit. It can be conducted by either a separate internal team or an external reviewer who is not affiliated with your organisation.
Ahead of the formal audit, an internal audit informs you and allows you to adjust your ISMS controls.
Our platform generates Internal Audit Protocols for every chapter of the ISMS. DataGuard will drive this step alongside the next step: the management review.
Estimated time: 2 weeks
Deliverables: Audit review protocols created, which is a prerequisite for the audit.
Step 8: Management review
Typically, the management review involves a top-level review of the ISMS by senior management, including a review of the policies, procedures, and controls in place. It also involves an assessment of the ISMS's performance and effectiveness in achieving the organisation’s information security objectives.
The review process may also include evaluating internal audit results, implementing corrective actions, and any changes to the organisation’s information security risks and needs. It is also a mandatory step for certification.
Estimated time: 2 weeks
Deliverables: Management review protocols created, which is a prerequisite for the audit.
If your organisation is already ISO 27001 compliant, the next step would be to pursue certification. For ISO 27001 certification, follow this additional step:
Step 9: External audit and certification
Once your ISMS is up and running, the next step is to pursue ISO 27001 certification via an external audit. There are several auditing bodies to choose from; UKAS in the UK is a reliable resource to use for more information.
You should consider which auditor has experience in your industry, as they will be able to give you the best feedback. The audit will be conducted in two stages:
Stage 1 determines whether or not your ISMS has been developed in line with ISO 27001’s requirements.
Stage 2 is a more detailed investigation done by the certifying body, including an on-site visit.
Estimated time: 2 weeks
Deliverables: Certification Audit Preparation Plan, Corrective Action Plans for Non-Conformities
Download our ISO 27001 Implementation Roadmap Guide for a detailed look at these steps.
If you're new to information security, we recommend checking out our webinar on Information Security for Beginners to get a solid foundation.
What are the mandatory documents required for ISO 27001?
Although ISO 27001 certification isn't always required by law, it does come with several advantages. Certification makes it easy to comply with regulatory obligations, including alignment with NIS2 requirements, gives verification of your security implementation, and emphasises your organisation's reliability to your customers. This alignment with NIS2 further underscores the importance of ISO 27001 in the current regulatory landscape, providing a pathway towards comprehensive cybersecurity compliance.
With so much to think about, we've compiled a list of documentation that is required for ISO 27001 certification that will provide you with a comprehensive overview of the steps you need to complete before certification.
Employees implementing a project: What are their roles?
In small to medium organisations, the project manager usually also serves as the security officer, while the project manager in a large organisation will only lead the project.
The organisation will usually have a separate security officer who will take charge being responsible for the overall security while also participating in the project.
Additionally, you will need to include a few of your employees in the following activities no matter the size of your organisation is:
- Risk assessment – figuring out how much and how your data would be risked
- Risk treatment – determining which risk-reduction strategies to use
- Reviewing policies and procedures – ensuring that security policies are in line with current organisation practices
- Approval of security objectives, documentation, and required resources – maintaining alignment and commitment towards the organisation's strategy
Department heads can be used to fulfil the first 3 jobs mentioned above whereas the last job will need to be carried out by higher management such as CEO, COO or CTO of larger companies.
What do you need to look for in ISO 27001 implementation tools?
If you plan to work with an internal team without any external support, using an ISO 27001 tool to start and manage the implementation is recommended.
However, before deciding on a software solution, keep in mind that not every tool will meet your needs. As a result, you will need to select a tool with the features you need to move the ISO 27001 project ahead and built-in knowledge on how to meet ISO 27001 criteria.
You need a platform that will:
- Outline the processes for implementing ISO 27001 in your project.
- Provide easy-to-use language in all documentation.
- Fill out the Statement of Applicability automatically based on interested parties' risk treatment and needs.
- Allow for simple cooperation among those involved in the ISO 27001 implementation.
- Provide a clear picture of the tasks you have received, the duties you have delegated to others, and their status.
- Allow automation not just for the initial deployment of the ISMS but also for its ongoing maintenance.
- Be adapted to the size of your firm. The paperwork and flow of procedures are tailored to the size of your organisation.
- Provide support from experienced experts if you have some questions on how to approach your specific case.
- Teach all the people about security. The point is not only to mechanically ask people to do some tasks but also to explain to them why these tasks are needed.
Finally, one of the most significant requirements for choosing an ISO 27001 implementation tool is that it must include built-in expert reasoning on how to apply the standard – in other words, properly, it must be created by ISO 27001 experts, not just designers and software developers.
How much effort is required to implement and maintain the ISMS?
The internal project manager of the implementation process in a larger organisation would need to spend around 25% of their time throughout this whole project.
The bigger the organisation, the more time the project manager will need to invest. For example, in an organisation of 500-1000 employees, the project manager would need to work full-time on the implementation of ISO 27001.
Larger companies tend to have both a project manager and a security officer therefore, they both will need to spend equal time working on this project.
The implementation of the ISO 27001 certification does not stop with just the implementation process. It is a continuous process where you will be required to constantly maintain and improve the ISMS that was created at the beginning of the implementation process.
If your organisation chooses to hire an external consultant for the implementation of ISO 27001, you will only be required to focus on reviewing and approving the documentation. DataGuard can act as your external consultant in such a situation.
How much time is needed for the initial ISO 27001 implementation?
Once you start your ISO 27001 certification journey, you may find yourself spending the most time on the ‘planning’ and ‘doing’ phases of implementation. For example, you may spend your time familiarising yourself with the certification, assembling an in-house or external team to start the process, and work alongside that team to conduct the initial gap analysis.
The estimated time mentioned below has been calculated when an organisation works alongside an external consultant to help you with the certification's implementation. If your organisation is doing this using an in-house team, chances are that it will take much longer.
The length of time it usually takes to complete the initial implementation of the certification varies depending on the size of your organisation:
- Companies of 1-20 employees – Up to 3 months
- Companies of 20 to 50 employees – 3 to 5 months
- Companies of 50 to 200 employees – 5 to 8 months
- More than 200 employees – 8 to 20 months
What are the key success factors for an ISO 27001 implementation?
Many organisations are unaware that effectively establishing the ISO 27001 project from the start of the implementation is one of the most crucial parts if you want to complete the implementation on time and on budget.
- Management support will be required
This is a process in which you must take an active role: first, you must recognize the relevant advantages for your organisation, and then you must consistently communicate this message to decision-makers.
- Study the topic—Be knowledgeable
If you have not already implemented ISO 27001 in your organisation, you will need to learn and understand what it is and how to implement it for your particular organisation.
- Run the implementation as a project
Standards such as these take a long time to implement, so plan ahead. You will not only waste time but also miss an opportunity to assist your organisation in expanding and thriving if the implementation is done carelessly or without clear objectives.
- Choosing the right project manager
A person in charge of information security in your firm is the most natural person to lead the project - there are various titles for this position: Chief Information Security Officer (CISO), Information Security Officer (ISO), Security Manager, and so on.
What are the four main advantages of implementing ISO 27001?
While trying to convince your higher management to invest in improving and maintaining information security in your organisation, the first question they may ask is, why do we need to improve information security in the first place?
We have put together four key benefits of using ISO 27001 to help you show your higher management the balance and benefit of this investment. They are:
If an organisation needs to comply with various data protection and privacy standards, ISO 27001 can provide the approach that will allow it to do so in the most effective manner possible.
- Marketing Edge
In an increasingly competitive market, it might be tough to identify something that will set you apart from the competition in the eyes of potential clients.
ISO 27001 could be a differentiator that sets you apart from the competition, especially if new customers want their data handled carefully.
- Lowering the Expenses
Information security is usually considered a cost with no obvious financial gain. However, if you take compliance to heart and abide by the regulations, your chances of going through a data breach are highly unlikely.
In the event of a data breach, you will have to pay up to £17.5 million or 4% of annual global revenue, whichever is greater.
- Bringing Order to Your Organisation
ISO 27001 is particularly good at forcing you to define different roles and responsibilities across the organisation very precisely and, in turn, strengthen your internal team even up to the higher management.
If you can first understand and then communicate the above advantages to your higher management, they will realise that the ISO 27001 certification is crucial for any organisation and start getting things to work on implementation.
How much does ISO 27001 implementation cost?
While determining a precise cost for any compliance certification can be tricky, ISO 27001 is particularly variable. It is advisable that you begin your ISO 27001 compliance journey as soon as possible to minimise the costs associated with deferring ISO 27001.
The real cost of adopting ISO 27001 is determined by the organisation's risk tolerance and the amount of risk it is willing to take. However, the three primary costs to consider are the cost of internal and external resources, the cost of implementation, and the cost of certification.
Apart from the above, the total cost of the implementation will depend on the following:
- The size of your organisation or the number of employees.
- The level of importance of information.
- The kind of technology the organisation is using.
- Legislation requirements.
You can learn more about the cost of ISO 27001 certification by reading a more comprehensive article we created on this exact topic.
ISO 27001 implementation benefits your customers as it may improve their trust in the firm and reduce the risk of their personal information falling into the wrong hands and approaching ISO 27001 certification is easier when your organisation is armed with a structured plan and the advice of an expert.
Whether you require industry-specific information, assistance setting up your ISMS, or assistance preparing for an external audit, DataGuard's InfoSec-as-a-Service is designed to help you along the way. To book an ISO 27001 consultation, get in touch with our experts today.
How do you implement an ISMS?
To successfully implement an ISMS, organisations must follow the PDCA model. It involves the following stages:
- Plan: Establish the scope and objectives of the ISMS. Identify the risks and vulnerabilities of the organisation's information assets. Develop a risk management plan, and define the policies, procedures, and controls to mitigate the identified risks.
- Do: Implement the plan. Train employees on the ISMS policies and procedures. Implement the security controls, and establish a framework for monitoring and measuring the effectiveness of the ISMS.
- Check: Monitor the ISMS to ensure that it is meeting the established objectives. Evaluate the performance of the ISMS against the set metrics. Conduct regular internal audits to identify potential areas for improvement.
- Act: Take corrective measures to address any identified gaps in the ISMS. Implement improvements to the system based on the findings of the audits. Repeat the PDCA cycle to continually improve the effectiveness of the ISMS.
What are the domains of ISO 27001?
ISO 27001:2022 lists 93 information security controls that are then categorised into 4 ‘themes’ rather than the previously known 14 domains. The 4 themes are:
- Organisational controls - Defines organisational rules plus expected behaviour of users, equipment, software and systems. E.g. Access Control Policy, BYOD Policy.
- People controls - Used to train and educate employees on secure ways to handle data within the organisation. E.g. ISO 27001 awareness training, ISO 27001 internal auditor training
- Physical controls - Utilises tools that physically interact with people. E.g. CCTV cameras, alarm systems, locks.
- Technological controls - Adds software, hardware, and firmware components to the current ISMS. E.g. Backup, antivirus software
The 14 domains that were revised are:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
What are the main components of ISO 27001?
ISO 27001 provides information security guidelines and components that are needed to protect an organisation's data from security threats. These components include:
- A risk assessment process
- Organisational structure
- Information classification
- Access control mechanisms
- Physical and technical safeguards
- Information security policies, procedures, monitoring and reporting guidelines
How many controls are in ISO 27001?
There are 93 information security controls for ISO 27001 according to the new 2022 revision (compared to the previous 114 controls of the 2013 revision of the standard). Here are the types of controls:
- Controls related to organisational issues: 37
- Controls related to human resources: 8
- IT-related controls: 34
- Controls related to physical security: 14
How do I prepare for ISO 27001 certification?
You can learn about ISO 27001 and its requirements by reading about it beforehand. You can upskill yourself by:
- Purchasing a copy of the standard
- Attending an ISO 27001 introductory training course
What is an ISO 27001 risk assessment?
ISO 27001 risk assessment is a process that helps organisations identify, evaluate and manage risks related to information security according to the ISO 27001 standard.
The process involves:
- Identifying and analysing potential threats to the confidentiality, integrity and availability of information.
- Assessing the likelihood and potential impact of these risks and implementing measures to manage or mitigate them.
The goal of the risk assessment is to help organisations ensure the security and protection of their information assets while maintaining compliance with ISO 27001 standards.
What are the best ISO 27001 practices?
ISO 27001 is a set of rules and procedures rather than an exact to-do list, so there is no fixed set of practices for specific organisations that must be followed. Rather, you can follow these general practices that can get you closer to ISO 27001 compliance:
- Understand your organisation’s needs, how it operates and how ISO 27001 can help to protect your data even better.
- Define your security policy to get an overview of the current security controls, plus how they are managed and implemented.
- Monitor data access and ensure that data isn’t tampered with. Additionally, you can monitor security access and keep records for future investigations.
- Conduct security awareness training so that employees understand how to deal with security threats or prevent them.
- Encrypt your data to prevent unauthorised access.
- Monitor data transfers and sharing to ensure that data is not being shared with unauthorised parties.
Is ISO 27001 free?
No. Usually, securing an auditor for stages 1 and 2 of the audit-certification process costs between £4,400 ($5,500) and £14,600 ($18,000). However, the exact cost depends on the following factors:
- The ISMS’s current maturity level
- The types of activities carried out under the ISMS's scope
- The scope and variety of technologies used in the ISMS's numerous aspects
- The level of outsourcing and third-party arrangements within the scope of the ISMS
- The difference between the actual state and the desired state of the control environment
- The capability inside the organisation to develop the ISMS and close the highlighted gaps
- How fast the certificate has to be provided to the client
Check out our ISO 27001 certification cost article for a more detailed breakdown of costs.
ISO 27001 Documentation Checklist
This checklist is a comprehensive guide for successful ISO 27001 certification and also provides valuable ideas for a streamlined audit process.