
Expert Advice Community


ISMS implementation approaches

Guest user Created:   Apr 19, 2018 Last commented:   Apr 19, 2018


I have a situation here:

Expert
Rhand Leal Apr 19, 2018
The company is a start-up company, with no processes in place yet. This company got a long-term project to deliver a system (IT infrastructure and Application System).
They will operate & maintain this system after the completion of delivering the project. In the contract, they are required to get certifications for 27001, 22301 and 20000 after it is in operation - at year 4 or 5.
Certifications for the System in Operation & the operation and maintenance of the system. The company is just about to start the Design stage - there are no assets or processes in place yet.
At the end of the Design Stage, we are required to deliver a Security Policy & System Security Plan and a Risk Treatment Plan (a sign-off of Residual Risk).
Here the risk assessment is to get the security requirements, besides the user requirements, technical requirements, business requirements and contractual & best-practice requirements. From here, we get a Security Design to be implemented for the System.
There are 2 schools of thought:
1. Implementation of the ISMS should only start after the Design Stage is completed (this is where everything is firmed up - technology solutions (IT assets), locations of DC and DR firmed up, Application System Design completed, etc.). Suggest doing ISMS scoping, detailed risk assessments, and all required steps of ISMS implementation then. (ISMS implementation and certification is a journey after design start.)
2. ISMS implementation starts now: the scoping, risk assessment and all the ISMS implementation steps start now. Issue here - risks to project delivery, scoping is based on assumptions, ISMS risk assessment within the context of the scope is quite difficult (IT assets not firmed up, systems not ready for risk assessment, system design not firmed up yet).

Please advise on the best approach - because the ISMS certification objective is the Secure Operation of the System that the company operates and maintains.
The Secure System Deliverable is done by implementing all the controls in 27001, NIST, CIS Guidelines, STIG Guidelines. The project can be delivered with implementing the ISMS from the start, but only starting after the design is completed and signed off.

Answer: I understand that you can adopt a mixed approach. The design stage is one of the most important steps of a system development (it can save you a lot of time, effort and money by avoiding development errors and rework), so applying ISMS practices at this stage should be considered, but you do not need to implement the ISMS in all your intended scope (the operation and maintenance processes), only for the project activities.

With this approach you can gather the benefits of information security management system practices for your project, while you gain experience to expand the ISMS to your intended scope. It is also important to note that you do not need to go for the certification at the beginning. You can just implement the practices and do this later on.

These articles will provide you further explanation about ISO 27001 in projects:
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/blog/2015/07/06/how-to-manage-security-in-project-management-according-to-iso-27001-a-6-1-5/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

These materials will also help you regarding ISO 27001 in projects:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/