Expert Advice Community

ISO 27001 implementation tips

Guest user Created:   May 27, 2019 Last commented:   May 27, 2019

1. Any tips on how to comply with the 27001 standard for a startup company with employees around
Expert
Rhand Leal May 27, 2019

Answer: The implementation of ISO 27001 is quite similar regardless of the industry and size (what differs is the quantity of resources and the complexity of deliverables), and the general steps are:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.

This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
- 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
- Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

2. Is risk committee necessary?

Answer: ISO 27001 does not prescribe the specific need for a risk committee, only that relevant information security responsibilities are defined, so you can assign responsibilities for risk management the way that best fits your organization (e.g., you can adopt a risk committee, or this responsibility can be assigned to the CISO).

This article will provide you further explanation about responsibilities:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
