Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Planning your ISO27001 implementation project


If you’re just starting on your ISO27001 implementation and you’re thinking about where to start, this brief article gives you some hints and tips about how to approach your project to implement an information security management system, or ISMS.

iso27001 project cartoon

First steps

Once you’ve defined your scope, probably the most important thing to have in place is management commitment, both in terms of the initial implementation, but also for the ongoing maintenance of your ISMS. To obtain the level of commitment required, you’ll need to be able to tell management a few basic items of information, such as how long will it take to create an ISMS, how much will it cost and who needs to be involved. As input to this discussion it may be useful to conduct a gap assessment to understand what’s already in place, and what still needs to be done.

Creating your plan

The results of the gap assessment will help you to define your approach to the project and to create an initial project plan. The CertiKit toolkit provides a Microsoft Project and an equivalent Microsoft Excel version of a plan which you may use as a starting point. You may also find it useful to set out how your project will be managed within a Project Initiation Document, so that everyone has a common understanding of who’s on the team, what will be delivered and how progress will be reported, amongst other things. Planning is key to a successful ISO27001 implementation.

A game of two halves

A common approach to implementing an ISMS is to consider it in two halves. The first is the creation of a management system and the second is to put in place the applicable reference controls from Annex A of the standard, although there will be overlap between the two areas.

The key aspects of the management system will be the definition of roles, responsibilities and authorities, setting of objectives, defining the information security policy, conducting a risk assessment and creating a treatment plan, completing your statement of applicability, performing a management review and ensuring internal audits are carried out. These are relatively non-technical tasks which are often more about understanding how ISO management systems work than information security. But you will need technical input in parts, such as the risk assessment and treatment plan.

The implementation of the Annex A controls is a somewhat more technical exercise, although some of the controls involved are administrative or procedural in nature. You’ll need to define who the best people are to look at each of the control areas such as human resources, access control, suppliers and compliance. Splitting up the controls and allocating them across appropriate teams is key to making progress in getting the Annex A controls in place.

Keeping track of progress

Tracking and reporting progress may be achieved by reference to the gap assessment if you decided to carry one out. We suggest you use a certification readiness checklist to assess whether you’re ready for the certification audit and have the main building blocks of an ISMS in place.

Going for certification

Once you’re at this point, certification is a two stage process and, to meet your timescale objective, you may need to get an appointment in the calendar early if your chosen registered certification body gets booked up a long way in advance.

In summary

The process of planning your project is key to ensuring your ISO27001 implementation has the best chance of success. These simple steps can go a long way to building the foundations on which your future ISMS will be built.

Written by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and principal consultant. Ken is a qualified ISO/IEC 27001 Lead Auditor, an active member of ISACA and a BSI-published author on IT service management. Ken is the lead author of the CertiKit ISO 27001 toolkit.

Just starting out and want to know more?

Download our free ISO27001: 10 steps to certification guide to learn:

  1. Each step of the process from project planning to the certification audit
  2. Expert tips from the CertiKit team on best practise for easy implementation
  3. Key insights into building a successful ISMS

Download free 20-page guide

We’ve helped more than 4000 businesses with their compliance


The toolkits are very clear and easy to use and probably the best examples out there for these standards. Easy to adapt or add details to, to reflect your own processes and procedures.

Aberdein Considine

View all Testimonials