ISO 27001:2013 Certification

Please note that ISO 27001 provides a systematic way to implement Information Security management, and its sequence is a bit different from what you proposed:

1. getting management buy-in for the project
2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and the requirements of interested parties
3. development of risk assessment and treatment methodology
4. perform a risk assessment and define a risk treatment plan
5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
6. people training and awareness
7. controls operation
8. performance monitoring and measurement
9. perform internal audit
10. perform management critical review
11. address nonconformities, corrective actions, and opportunities for improvement.

In short:

• part of the mandatory documents and records are created before risk assessment and treatment processes (e.g., scope, objectives, organizational structure), and the other part after it (e.g., policies and procedures documentation related to implemented controls, internal audit report, management review, etc.)
• controls are implemented after the approval of the Statement of Applicability, not before

This article will provide you with further explanation about ISO 27001 implementation:

• ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/