ISMS and QMS

I am still thinking of implementing the ISMS without QMS is possible (and it is a better approach) and it does not require additional workload. Beside many organization has done ISMS without QMS.

Note: The end goal is to have the system (operations & maintenance) to have its ISMS certified after 2 years in operations.

There is no rush to have it ISMS certified during the development stage.

Question – Thus, I am thinking of doing these steps first even before doing the rest of ISMS activities

1 - I am want to focus to the system requirements – security requirements to design the system to be delivered to the customers. The main input of security requirements will be from risk assessment.
2 - Establishing the context of risk assessment
3 - Conduct the risk assessments, risk evaluation & risk analy sis – thus the risk treatments.
4 - Identifying the all the relevant controls based on ISO 27001 Annex A/ISO 27002
5 - Implement all the security measures and controls in the system design.
6 - Write all the necessary security policies, procedures and guidelines in relations the systems.
7 - Built the system (based on the security requirements), Test and UAT, FAT and deliver.

While doing all the activities above, other ISMS compliance requirements will gradually implemented and done, as we have enough time to get it certified after its being delivered.

Answer: In fact there is no need to implement a QMS to implement an ISMS, although you can take advantage of some practices required by the ISO 9001 standard to improve ISMS performance (identifying and documenting the processes in the scope will help you understand the organization al context and perform the risk assessment). So, it may be a good idea to take a look at ISO 9001 to verify which practices you can adopt now without compromising your current deadline and resources. For more information about this, please see these materials:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
- ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

Regarding your approach, it seems fine considering a system development project. The only point you should consider is documenting a risk assessment and treatment methodology before performing it (so everyone in the project will have the same procedure to follow) and write the security policies, procedures and guidelines in relation to the systems before implementing the security measures and controls in the system design, because during the elaboration of these documents you can find further system adjustments to be made, and it will be easier to make the corrections before the security measures and controls implementation. For more information, please see these materials
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

These materials will also help you regarding implementing ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/