ISO 27001 Step-by-Step: 10 Steps to Certification

Why a step-by-step plan for ISO 27001?

ISO 27001 implementation can seem overwhelming, especially for SMEs without a dedicated information security team. The 2022 edition contains 93 Annex A controls plus the management-system requirements of clauses 4 to 10, with dozens of documents and records to produce. A structured step-by-step plan makes the path transparent and predictable. This plan is based on our experience with dozens of successful certification projects at organizations of 20 to 500 employees.

Step 1: Obtain Management Commitment (Week 1–2)

Without active management support, an ISO 27001 project stalls, and the standard itself requires demonstrable leadership commitment (clause 5). Management must approve the scope, allocate budget, appoint a project leader, and commit to participating in the management review. Prepare a business case that quantifies the benefits: customer requirements, legal compliance (for example NIS2), risk reduction, and competitive advantage.

Step 2: Perform Gap Analysis (Week 2–6)

The gap analysis maps the current situation against ISO 27001:2022: both the management-system requirements of clauses 4 to 10 and the 93 Annex A controls. For each control, record whether it is implemented, partially implemented, or absent, and what evidence exists. The result is a priority list and a realistic schedule. An experienced Lead Auditor can indicate which gaps are critical for the certification audit.

Step 3: Scope and Statement of Applicability (Week 4–6)

Define the ISMS scope: which locations, departments, systems, and processes are included, and which interfaces and dependencies cross the boundary? A common mistake is making the scope too broad, which makes the project unnecessarily complex and expensive; an overly narrow scope, on the other hand, may exclude exactly the services your customers want certified. Then draft the Statement of Applicability (SoA): which of the 93 controls are necessary and why, whether each is implemented, and why any excluded controls are not applicable. Finalize the SoA after the risk treatment plan (Step 4), because the standard derives the necessary controls from the risk treatment (clause 6.1.3).

Step 4: Perform Risk Assessment (Week 5–8)

The risk assessment is the heart of ISO 27001. First define and document your risk criteria (scales, scoring method, and risk acceptance threshold) so that repeated assessments give comparable results. Identify information assets, threats, and vulnerabilities, and assign each risk an owner. Assess the likelihood and impact of each risk. Develop a risk treatment plan indicating which risks are mitigated (and with which controls), accepted, avoided, or transferred, and have risk owners formally approve the residual risk. Use a GRC platform or at least a versioned risk register to make this process reproducible and auditable.
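The scoring and treatment logic described in this step, as an added illustrative example written for this article; it is not code from iso2700x's GRC platform or from the standard. It assumes a 5-point likelihood and impact scale, a risk appetite threshold of 8, and the Annex A control references shown; the sample register is constructed. ISO 27001 does not prescribe a matrix, so the organization defines its own criteria and must then apply them consistently, which is what the consistency checks at the end enforce.

```python
"""Minimal qualitative risk register with treatment-plan checks.

Illustrative example only. Scales, thresholds and sample risks are assumed;
an organization documents its own criteria under ISO 27001 clause 6.1.2.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import json

SCALE = range(1, 6)       # assumed 1 (rare/negligible) .. 5 (almost certain/severe)
APPETITE = 8              # assumed: scores above this need treatment or formal acceptance
TREATMENTS = {"mitigate", "accept", "avoid", "transfer"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str
    treatment: str
    controls: List[str] = field(default_factory=list)   # Annex A references
    residual_likelihood: Optional[int] = None           # after treatment
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Inherent or residual score on the assumed 5x5 matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def level(s: int) -> str:
    """Map a score to the band used in the treatment plan."""
    if s >= 15:
        return "high"
    if s > APPETITE:
        return "medium"
    return "low"


def assess(risk: Risk) -> dict:
    """Score one risk and flag treatment decisions an auditor would question."""
    inherent = score(risk.likelihood, risk.impact)
    rl = risk.residual_likelihood if risk.residual_likelihood is not None else risk.likelihood
    ri = risk.residual_impact if risk.residual_impact is not None else risk.impact
    # Avoiding a risk (e.g. decommissioning the asset) removes it entirely.
    residual = 0 if risk.treatment == "avoid" else score(rl, ri)

    findings = []
    if risk.treatment not in TREATMENTS:
        findings.append(f"unknown treatment '{risk.treatment}'")
    if risk.treatment == "mitigate" and not risk.controls:
        findings.append("mitigated risk lists no controls")
    if risk.treatment == "accept" and inherent > APPETITE:
        findings.append("accepted above appetite: needs documented owner sign-off")
    if residual > inherent:
        findings.append("residual score exceeds inherent score")
    if residual > APPETITE and risk.treatment != "accept":
        findings.append("residual still above appetite after treatment")

    return {
        "risk_id": risk.risk_id, "asset": risk.asset, "owner": risk.owner,
        "inherent": inherent, "inherent_level": level(inherent),
        "residual": residual, "residual_level": level(residual),
        "treatment": risk.treatment, "controls": list(risk.controls),
        "findings": findings,
    }


def treatment_plan(risks: List[Risk]) -> List[dict]:
    """Assess all risks, highest inherent score first (ties by id)."""
    return sorted((assess(r) for r in risks), key=lambda e: (-e["inherent"], e["risk_id"]))


def to_json(plan: List[dict]) -> str:
    """Serialize deterministically so two runs of the same register diff cleanly."""
    return json.dumps(plan, indent=2, sort_keys=True)


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R1", "Staff laptops", "Theft", "Disk not encrypted", 3, 4, "IT manager",
         "mitigate", ["A.8.24", "A.7.9"], residual_likelihood=3, residual_impact=1),
    Risk("R2", "SaaS admin accounts", "Credential stuffing", "No MFA", 4, 5, "CTO", "accept"),
    Risk("R3", "Legacy FTP server", "Unauthorized access", "Unpatched", 4, 3, "IT manager", "avoid"),
    Risk("R4", "Office printer", "Loss of availability", "Single device", 2, 2, "Facilities", "accept"),
    Risk("R5", "Backups", "Ransomware", "No offline copy", 3, 5, "IT manager", "mitigate"),
]

if __name__ == "__main__":
    print(to_json(treatment_plan(SAMPLE_RISKS)))
```

The findings list is the point: an accepted high risk with no owner sign-off (R2) and a "mitigated" risk with no controls behind it (R5) are exactly what an auditor will pick out of a register, and a deterministic, versioned output lets you show how the assessment changed between reviews.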

Step 5: Develop Policy Documentation (Week 6–14)

ISO 27001 requires several mandatory documents and records: the ISMS scope, the information security policy, the risk assessment method and its results, the risk treatment plan, the SoA, and the information security objectives, plus records such as internal audit reports and management review minutes. Additionally, procedures are needed for incident management, access control, change management, backup, and other operational processes. Focus on practical, workable documents that describe what people actually do, not paper tigers that nobody reads; the auditor will compare the documents with observed practice.

Step 6: Implement Technical Measures (Week 8–20)

Based on the gap analysis and risk assessment, technical measures are implemented or improved. Think of multi-factor authentication, encryption of data at rest and in transit, centralized log management, vulnerability scanning, and network segmentation. Prioritize based on risk, not technical complexity, and record for each measure which risk it treats and which Annex A control it implements, so the auditor can trace the chain from risk to control to evidence.

Step 7: Awareness and Training (Week 10–22)

All staff within the scope, including contractors and temporary personnel, must be trained in information security awareness. This includes recognizing phishing, safe password practices, incident reporting procedures, and the importance of the information security policy. Document the training content and keep attendance records; the auditor will ask for these.

Step 8: Internal Audit (Week 20–24)

Before the external auditor arrives, conduct an internal audit covering the whole ISMS. The internal auditor (an employee or an external party, but independent of the work being audited) assesses whether the ISMS conforms to ISO 27001 and to your own policies, and whether it is effectively implemented. Findings are documented and corrective actions taken where needed. This is your chance to discover and fix problems before the external audit.

Step 9: Management Review (Week 22–24)

Management performs a formal ISMS review covering the inputs listed in clause 9.3: status of actions from previous reviews, changes in internal and external issues, internal audit results, risk assessment and treatment status, incidents and trends, performance against objectives, and opportunities for improvement. The decisions and actions are documented in minutes that the external auditor will request.

Step 10: External Certification Audit (Week 24–30)

The external audit consists of two stages. Stage 1 is a readiness and documentation review in which the auditor assesses the completeness and logic of your ISMS and confirms you are ready for Stage 2. Stage 2 is the implementation audit in which the auditor verifies, on-site or remotely, that measures are actually applied and that evidence exists. Any major nonconformities must be closed before the certificate is issued. With a positive outcome, you receive the ISO 27001 certificate, valid for three years with annual surveillance audits and a recertification audit before expiry.

Common mistakes to avoid

The five most common mistakes are a scope that is too broad, too much focus on documentation without actual implementation, underestimating the internal hours required, skipping the management review, and engaging the certification body too late. Start planning the external audit with the certification body at least eight weeks before the desired audit date.

How does iso2700x help?

Our consultants guide you through all ten steps, from management commitment to certificate. With our GRC platform, we accelerate the documentation phase and make the ISMS manageable long-term. Contact us for a free consultation.
