
    News & Commentary on ISO Management System Standards

    ISO 27001 Implementation Made Easy With 24/7 Tutor Support


    Need to develop a viable Information Security Management System (ISMS) Project Plan that will be in compliance with ISO 27001?

    Our ISO 27001 Lead Implementer Course has all you need.

    The ISO 27001:2022 Implementation Model developed by deGRANDSON Global: The 31 Steps to ISO 27001 Implementation is the model we have developed for implementing an ISMS to meet the requirements of the ISO 27001:2022 Standard and to secure accredited Certification.

    It is the foundation on which our ISO 27001 training Lead Implementer course is built.

    Table of Contents

    1. Basis of the 31 Steps to ISO 27001 Compliance Flowchart
    2. How to Implement ISO 27001 in Your Information Security Management System (ISMS)
      1. Obtain Management Support (ISO 27001 Clause 5.1)
      2. Assemble ISMS Project Team
      3. Prepare Gap Analysis and Project Plan
      4. Identify the organization's context (ISO 27001 Clause 4.1)
      5. Identify legal and other requirements
      6. Identify other interested parties' needs (ISO 27001 Clause 4.2)
      7. Define the scope of the Information Security Management System (ISO 27001 Clause 4.3)
      8. Prepare the Information Security Policy (ISO 27001 Clauses 4.4 and 5.2)
      9. Define key roles and responsibilities (ISO 27001 Clause 5.3)
      10. Develop a Risk Management and Methodology (ISO 27001 Clause 6.1)
      11. Prepare a register of information security assets (ISO 27001 Clause 6.1)
      12. Prepare a Risk Assessment (Threats and Opportunities) (ISO 27001 Clause 6.1)
      13. Prepare SoA (ISO 27001 Clause 6.1)
      14. Prepare a Risk Treatment Plan (ISO 27001 Clause 6.1)
      15. Prepare Operational Controls (specific responsibilities) (ISO 27001 Clause 6.1)
      16. Establish information security objectives (ISO 27001 Clause 6.2)
      17. Prepare an Information Security Improvement Plan to achieve objectives (ISO 27001 Clause 6.2)
      18. Identify monitoring and measurement needs (ISO 27001 Clause 9.1)
      19. Develop mandatory and other documentation (ISO 27001 Clauses 4.4 and 7.5)
      20. Establish Operational Controls and Monitoring (ISO 27001 Clause 9.1)
      21. Secure required resources (ISO 27001 Clause 7.1)
      22. Establish initial employee awareness (ISO 27001 Clause 7.3)
      23. Establish internal and external communication (ISO 27001 Clause 7.4)
      24. Finalize and issue Information Security and Management System Documentation (ISO 27001 Clauses 4.4 and 7.5)
      25. Complete job-specific training (ISO 27001 Clause 7.2)
      26. Go Live! Procedures and Information Security Objectives Plan (ISO 27001 Clauses 5.1 and 10.1)
      27. Implement Risk Treatment Plan (ISO 27001 Clause 5.3)
      28. Conduct periodic Information Security risk assessment (ISO 27001 Clause 5.2)
      29. Conduct Internal Audits (ISO 27001 Clause 9.2)
      30. Conduct Management Reviews (ISO 27001 Clause 9.3)
      31. Implement Improvement (ISO 27001 Clause 10.2) 

     

    Basis of the 31 Steps to ISO 27001 Compliance Flowchart

    So, where does it come from?

    The International Standards Organisation (ISO) has published two standards that focus on developing and implementing an organization's ISMS:

    To help make sense of it all from an ISMS Implementer/Project Manager’s viewpoint, we have developed the 31-Step Infographic.

    How to Implement ISO 27001 in Your Information Security Management System (ISMS)

    1. Obtain Management Support (ISO 27001 Clause 5.1) - Obtaining management support for ISO 27001 compliance is critical for the success and sustainability of your Information Security Management System. 

      With it, it becomes easier to implement necessary security measures, gain your co-workers’ cooperation, and effectively manage information security risks across the organization.

    2. Assemble ISMS Project Team - Forming the Information Security Management System (ISMS) Project Team is important in implementing ISO 27001 or any extensive information security framework.

      This team will be in charge of planning, executing, and upholding the ISMS, so choosing a capable project leader with a firm grasp of information security principles and who possesses solid project management skills is crucial, along with the inclusion of a diverse team that holds expertise in IT, legal, human resources, and operational matters.

    3. Prepare Gap Analysis and Project Plan - The gap analysis will evaluate your organization's existing information security practices against ISO 27001 requirements, identifying strengths, weaknesses, and areas for improvement.

      The project plan, on the other hand, will lay out the objectives, scope, and responsibilities for implementing ISO 27001.
      These include the creation of a timeline, the allocation of resources, the development of a risk treatment plan, and the establishment of necessary documentation and policies, among other things.

    4. Identify the organization's context (ISO 27001 Clause 4.1) - Identifying the organization's context involves clearly understanding your organization’s internal and external operations so that you can define the scope and objectives of your ISMS more effectively. 

      This involves understanding your organization's structure, the specific traits of its industry, its internal culture, and its existing security practices. It also involves considering external factors such as legal requirements, market conditions, and technological advancements impacting information security.

    5. Identify legal and other requirements - Identifying legal and other requirements for ISO 27001 involves managing complex information security requirements within an organization. This includes understanding industry laws, contracts, standards, and internal policies, and staying updated with changes. 

      By integrating these obligations into the ISMS through updated documentation, you not only ensure the alignment of your organizational goals with standard requirements, but you also ensure meeting your stakeholders’ expectations.

    6. Identify other interested parties' needs (ISO 27001 Clause 4.2) - ISO 27001's Clause 4.2 emphasizes identifying and meeting the needs of your organization’s stakeholders, including customers, employees, regulators, and partners. 

      By doing so, you can better understand their concerns, expectations, and requirements regarding data protection, confidentiality, and compliance.

    7. Define the scope of the Information Security Management System (ISO 27001 Clause 4.3) - Defining the scope of an ISMS involves outlining its boundaries and relevance within the organization. It considers the organization's context, goals, stakeholders, and assets and uses them to decide which aspects fall within the coverage of the ISMS. 

      This optimizes resources, directs efforts effectively, and clarifies implementation for stakeholders, ensuring targeted and aligned security measures.

    8. Prepare the Information Security Policy (ISO 27001 Clauses 4.4 and 5.2) - ISO 27001 Clauses 4.4 and 5.2 highlight the importance of creating an Information Security Policy (ISP). 

      Clause 4.4 underscores the ISP as a foundational document that sets the direction, objectives, and framework of the ISMS. It outlines security objectives and guides the organization. 

      Clause 5.2, on the other hand, emphasizes the top management's role in aligning the ISP with organizational goals, legal requirements, and risk management. 

      By crafting a strong ISP following these clauses, your organization can establish a central guide for security practices that can satisfy the requirements and expectations of both internal and external stakeholders.

    9. Define key roles and responsibilities (ISO 27001 Clause 5.3) - ISO 27001, Clause 5.3 stresses defining roles and responsibilities in information security management within an organization. 

      This involves identifying specific roles vital for the ISMS, assigning clear responsibilities and authority to individuals, ensuring their competence, and promoting communication and collaboration among these roles. 

    10. Develop a Risk Management and Methodology (ISO 27001 Clause 6.1) - ISO 27001's Clause 6.1 underlines crafting a solid organizational risk management methodology.

      This involves a structured approach to assessing information security risks by identifying threats, vulnerabilities, and their potential impacts on assets. It also requires categorizing internal and external risks, conducting analyses to prioritize threats, and creating treatment plans. 

    11. Prepare a register of information security assets (ISO 27001 Clause 6.1) - ISO 27001 Clause 6.1 stresses the creation of an information security asset register that will assist in risk assessment, resource allocation, the implementation of security measures, and the prioritization of risks.

      By creating an asset register, your organization can better understand your critical assets, improve your risk management, and ensure your systematic protection against potential threats.

    12. Prepare a Risk Assessment (Threats and Opportunities) (ISO 27001 Clause 6.1) - ISO 27001's Clause 6.1 covers a comprehensive risk assessment focusing on both threats and opportunities in information security.

      It requires organizations to identify threats such as cyberattacks and unauthorized access, as well as potential opportunities such as technological advancements. Prioritizing these risks leads to strategic plans for mitigating the threats or exploiting the opportunities, which your organization can document for continuous review and improvement.

    13. Prepare SoA (ISO 27001 Clause 6.1) - ISO 27001's Clause 6.1 requires the creation of the Statement of Applicability (SoA) within the ISMS based on ISO 27001's Annex A.

      The SoA details the applicable controls considering risks, legal requirements, and business goals while documenting explanations for excluding irrelevant controls. It also describes how each control is implemented or planned while addressing potential risks. 

    14. Prepare a Risk Treatment Plan (ISO 27001 Clause 6.1) - ISO 27001's Clause 6.1 requires a comprehensive Risk Treatment Plan that will enable proactive risk management, goal alignment, continuous improvement, and the strengthening of the management system.

      This involves prioritizing risks, developing strategies, specifying actions for each, assigning clear responsibilities, setting timelines for implementation and monitoring, aligning with organizational procedures and ISMS objectives, documenting for transparency, and regularly reviewing and updating the plan. 
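Steps 11 to 14 describe an asset register, a scored risk assessment, a Statement of Applicability and a Risk Treatment Plan as documents. The following is an added example (not code from deGRANDSON Global or from the course materials) that carries those four steps through in Python so the mechanics of prioritization are visible: a register of assets, risks scored as likelihood times impact, a treatment option chosen against a risk-appetite threshold, and an SoA derived from the controls the plan actually selects. The 1-5 scales, the threshold value, the two-option treatment rule, the sample assets and risks, and the choice of Annex A controls to map are all assumptions made for illustration; ISO 27001 leaves scales and criteria to the organization.

```python
"""Added example: a minimal ISMS risk register (steps 11-14).

All scales, thresholds and sample data below are constructed for
illustration and are not prescribed by ISO 27001.
"""
from dataclasses import dataclass

# Assumed risk appetite: a likelihood x impact score above this must be treated.
RISK_APPETITE = 9

# Small excerpt of ISO 27001:2022 Annex A controls used for the mapping;
# the selection is illustrative, not a complete catalogue.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass(frozen=True)
class Asset:
    """One entry in the information security asset register (step 11)."""
    name: str
    owner: str            # the person accountable for the asset
    classification: str   # assumed labels: public / internal / confidential


@dataclass(frozen=True)
class Risk:
    """One line of the risk assessment (step 12)."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                 # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                     # assumed scale 1 (negligible) .. 5 (severe)
    controls: tuple = ()            # Annex A references planned for treatment

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment_option(risk: Risk) -> str:
    """Map a score to a treatment option (step 14).

    Only 'retain' and 'modify' are derived from the score; sharing or
    avoiding a risk is a decision for the risk owner that a score alone
    cannot make, so those options are deliberately not automated here.
    """
    return "retain" if risk.score <= RISK_APPETITE else "modify"


def risk_treatment_plan(risks):
    """Return the plan as a list of rows ordered by descending score."""
    plan = []
    for r in sorted(risks, key=lambda r: r.score, reverse=True):
        plan.append({
            "asset": r.asset.name,
            "owner": r.asset.owner,
            "threat": r.threat,
            "score": r.score,
            "option": treatment_option(r),
            "controls": list(r.controls),
        })
    return plan


def statement_of_applicability(risks, catalogue=ANNEX_A):
    """Derive the SoA (step 13): a control is applicable when at least one
    risk above appetite relies on it; every other control carries an
    explicit justification to be confirmed or revised at review."""
    selected = {c for r in risks if treatment_option(r) == "modify" for c in r.controls}
    soa = {}
    for control_id, title in catalogue.items():
        if control_id in selected:
            soa[control_id] = (title, True, "selected by the risk treatment plan")
        else:
            soa[control_id] = (title, False, "no risk above appetite relies on it")
    return soa


# Constructed sample data for a fictional organisation.
CRM = Asset("customer CRM database", "Head of Sales", "confidential")
SITE = Asset("public marketing site", "Marketing", "public")
SAMPLE_RISKS = [
    Risk(CRM, "ransomware", "no offline backups", 4, 5, ("A.8.7", "A.8.13")),
    Risk(CRM, "credential theft", "password-only logins", 3, 4, ("A.8.5", "A.5.15")),
    Risk(SITE, "defacement", "outdated CMS plugin", 2, 2, ("A.8.7",)),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['option']:<6} {row['asset']}: {row['threat']} -> {row['controls']}")
    for cid, (title, applicable, why) in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"{cid} {title}: {'applicable' if applicable else 'excluded'} ({why})")
```

Running the block prints the plan with the ransomware risk (score 20) first and the site defacement risk (score 4) retained, and an SoA in which A.8.24 is excluded with its justification recorded. Keeping the justification text on every excluded control is what an auditor looks for in the SoA, and deriving applicability from the plan rather than the other way round keeps the two documents consistent.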

    15. Prepare Operational Controls (specific responsibilities) (ISO 27001 Clause 6.1) - ISO 27001's Clause 6.1 requires creating Operational Controls by defining specific responsibilities to manage information security risks efficiently. 

      This includes creating personalized controls for identified risks, assigning clear roles for implementation and management, and methodically documenting these controls and responsibilities. 

    16. Establish information security objectives (ISO 27001 Clause 6.2) - ISO 27001's Clause 6.2 emphasizes establishing measurable and achievable information security objectives aligned with an organization's ISMS.

      These objectives should address identified risks, vulnerabilities, and legal requirements specific to your organization while aligning them with applicable laws and industry mandates. 

    17. Prepare an Information Security Improvement Plan to achieve objectives (ISO 27001 Clause 6.2) - ISO 27001's Clause 6.2 revolves around creating an Information Security Improvement Plan. 

      This clause stresses identifying areas for improvement, setting clear objectives aligned with organizational goals, outlining actions needed, and continually reviewing progress for ongoing improvement.

    18. Identify monitoring and measurement needs (ISO 27001 Clause 9.1) - ISO 27001's Clause 9.1 emphasizes identifying monitoring and measurement requirements.

      It highlights the importance of defining important parameters like KPIs and metrics to assess effectiveness and alignment with information security objectives, along with regular reviews and updates to ensure adaptability with changes in the organizational landscape, emerging risks, and evolving technological advancements. 

    19. Develop mandatory and other documentation (ISO 27001 Clauses 4.4 and 7.5) - ISO 27001 Clauses 4.4 and 7.5 center on documentation within an organization's ISMS. 

      Clause 4.4 highlights the creation of an Information Security Policy (ISP) as a crucial document setting objectives and guidelines, demonstrating the top management's commitment to security. 

      Clause 7.5, on the other hand, outlines the broader need for documented information in the ISMS, including policies, procedures, records, and evidence necessary for planning, operating, and improving processes. 

    20. Establish Operational Controls and Monitoring (ISO 27001 Clause 9.1) - ISO 27001's Clause 9.1 focuses on establishing operational controls and continuous monitoring. 

      It highlights the need to create controls to manage identified information security risks effectively. It also underscores the importance of ongoing monitoring to assess control performance, effectiveness, and adherence to objectives and compliance requirements.

    21. Secure required resources (ISO 27001 Clause 7.1) - ISO 27001 Clause 7.1 emphasizes the need to secure various resources essential for an effective ISMS. 

      It highlights the requirement for personnel, technology, finances, training, and infrastructure to establish, maintain, and enhance information security measures – ensuring organizations have the necessary resources to sustain and continually improve their ISMS.

    22. Establish initial employee awareness (ISO 27001 Clause 7.3) - ISO 27001 Clause 7.3 emphasizes educating staff about their roles, responsibilities, and the importance of information security. 

      It requires training sessions to familiarize employees with security policies, best practices, and guidelines – enabling a better understanding of potential risks and the significance of adhering to security protocols.

    23. Establish internal and external communication (ISO 27001 Clause 7.4) - ISO 27001's Clause 7.4 focuses on establishing solid internal and external communication methods for sharing security-related information with customers, suppliers, regulatory bodies, and other entities.

      It also emphasizes the need for regular updates and consistency in relaying information to all concerned parties, especially in relation to security policy changes, incidents, or ISMS improvements.

    24. Finalize and issue Information Security and Management System Documentation (ISO 27001 Clauses 4.4 and 7.5) - ISO 27001 Clauses 4.4 and 7.5 center on completing documentation for the Information Security Management System (ISMS).

      Clause 4.4 emphasizes creating the comprehensive Information Security Policy (ISP) as a guiding document, while Clause 7.5 addresses the broader documentation needs within the ISMS. 

      Together, these clauses stress the significance of well-defined documentation to support the ISMS, ensuring alignment with information security standards and practices while facilitating implementation, maintenance, and continuous improvement.

    25. Complete job-specific training (ISO 27001 Clause 7.2) - ISO 27001's Clause 7.2 emphasizes training programs designed to align with employees' roles in information security. 

      It involves identifying individual training needs based on ISMS responsibilities and providing role-specific training on policies, procedures, and best practices – ensuring employees gain the necessary competencies for effective ISMS execution. (Note that keeping detailed records of completed training is crucial to comply with Clause 7.2.)

    26. Go Live! Procedures and Information Security Objectives Plan (ISO 27001 Clauses 5.1 and 10.1) - ISO 27001 Clauses 5.1 and 10.1 emphasize the role of procedures and the Information Security Objectives Plan in enhancing ISMS efficiency, encouraging continual improvement, and ensuring alignment with strategic objectives.

      Specifically, Clause 5.1 requires documented procedures crucial for an effective ISMS, covering various security-related processes such as risk assessment, training, and incident management. 

      In contrast, Clause 10.1 focuses on creating a clear and measurable Information Security Objectives Plan aligned with the organization's broader business goals. 

    27. Implement Risk Treatment Plan (ISO 27001 Clause 5.3) - ISO 27001's Clause 5.3 concentrates on implementing a Risk Treatment Plan to manage and mitigate identified information security risks.

      It emphasizes executing specific strategies, assigning clear responsibilities, and continual monitoring to assess the effectiveness of these actions. 

    28. Conduct periodic Information Security risk assessment (ISO 27001 Clause 5.2) - ISO 27001's Clause 5.2 requires regular Information Security risk assessments emphasizing systematic evaluations to identify, analyze, and assess potential risks to information security. 

      This involves scheduled assessments, or evaluations during significant changes, to uncover threats, vulnerabilities, and their impact on information assets, including risks such as cyber threats, data breaches, human error, and system failures.

    29. Conduct Internal Audits (ISO 27001 Clause 9.2) - ISO 27001's Clause 9.2 underscores the significance of systematic and periodic Internal Audits. 

      It emphasizes planned audit scheduling based on process significance and organizational changes, evaluating compliance with security requirements, and documenting findings for potential improvements. 

      This helps ensure compliance and continual improvement, using audits to identify areas for refining information security practices.

    30. Conduct Management Reviews (ISO 27001 Clause 9.3) - ISO 27001's Clause 9.3 emphasizes Management Reviews in an organization's ISMS. 

      These assess the ISMS's performance, its alignment with goals, and its effectiveness. These can identify improvement areas that can help in deciding how to allocate resources – ensuring transparency through documentation and communication. 

    31. Implement Improvement (ISO 27001 Clause 10.2) - ISO 27001 Clause 10.2 directs organizations to implement systematic improvements in their ISMS following audits or assessments. 

      This involves planning specific actions to address weaknesses via improved policies, procedures, or control changes, continuously monitoring their effectiveness, and reviewing outcomes for continual enhancement. 

    Note:

    For ease of understanding, the 31 steps have been set out in a simple sequence. In reality, you will frequently be working on several steps simultaneously. This will help reduce the overall timescale for the project. When project planning with your project team, you should seek out and document such opportunities.

    This Flowchart is part of the extensive pack of Course Materials that is included free-of-charge with the ISO 27001 Lead Implementer Training.

     

     


    After downloading, please study it carefully and note…

    1. It’s a PDF file for you to print and/or save as you wish.
    2. The main headings throughout have numbers in brackets (e.g. #12) to indicate Step numbers.
    3. The numbers in brackets at the bottom of each activity box (e.g. 8.1 & 10.1) are the Clause Number(s) corresponding to the requirement that is being addressed by the activity in question.


     


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education, and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.

     

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems.