Expert Advice Community


ISO 27001 implementation

Guest user Created:   Apr 16, 2021 Last commented:   Apr 16, 2021

I'm responsible for an ISO 27001 implementation at my company. I took some courses to gain knowledge on how to implement the standard, but I still feel insecure about leading such a complex project.

At the moment I have a question:

- Is there another way to go through the process mapping for implementation (which involves ISO 38500), or is it an indispensable prerequisite?



Step-by-step implementation for smaller companies.


Rhand Leal Apr 16, 2021

First, it is important to note that although process mapping can help the implementation process, it is not a mandatory requirement of ISO 27001.

Considering that, the general steps for ISO 27001 implementation are:
1) getting management buy-in for the project;
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational and interested parties' requirements;
3) development of risk assessment and treatment methodology;
4) perform a risk assessment and define a risk treatment plan (at this point you can make use of process frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard);
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you with a further explanation about ISMS implementation:

Regarding implementation approaches, the most common are:

  • Use your own staff to implement the ISMS
  • Use a consultant to perform most of the effort to implement the ISMS
  • Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:

These materials will also help you regarding ISO 27001 implementation:
