

    Implement ISO 27001 yourself: it's easy with our 24/7 Tutor Support


    Need to develop a viable Information Security Management System (ISMS) Project Plan?

    And then secure ISO 27001 Certification?

    Our ISO 27001 Lead Implementer Course has all you need.

    The ISO 27001:2022 Implementation Model developed by deGRANDSON Global: The 31 Steps to ISO 27001 Implementation is the model we have developed for implementing an ISMS that meets the requirements of the ISO 27001:2022 Standard and for securing accredited Certification.

    It is the foundation on which our ISO 27001 training Lead Implementer Course is built.

    Visit the ISO 27001 Lead Implementer Product Page

    Basis of the 31 Steps to ISO 27001 Certification Flowchart

    So, where does it come from?

    The International Standards Organisation (ISO) has published two standards that focus on developing and implementing an organization's ISMS:

    • The information security management system standard, ISO 27001:2022. This standard is the specification for an ISMS: it specifies the requirements of an information security management system for organizations seeking to establish, implement and maintain a framework that consistently meets and exceeds customer expectations;
    • The model addresses all of the requirements of the 2022 Standard (knowledge of the Standard and of the Annex A / Statement of Applicability requirements);
    • It also draws on ISO 27002, the guide to information security controls, and the other ISO 27000 Series guidelines.

    To help make sense of it all from an ISMS Implementer/Project Manager’s viewpoint, we have developed the 31-Step Infographic.

    How to Implement ISO 27001 in Your Information Security Management System (ISMS)



    1. Obtain Management Support (ISO 27001 Clause 5.1)
    2. Assemble ISMS Project Team
    3. Prepare Gap Analysis and Project Plan
    4. Identify the context of the organization (ISO 27001 Clause 4.1)
    5. Identify legal and other requirements
    6. Identify other interested parties' needs (ISO 27001 Clause 4.2)
    7. Define the scope of the Information Security Management System (ISMS) (ISO 27001 Clause 4.3)
    8. Prepare the Information Security Policy (ISO 27001 Clauses 4.4 and 5.2)
    9. Define key roles and responsibilities (ISO 27001 Clause 5.3)
    10. Develop a Risk Management Methodology (ISO 27001 Clause 6.1)
    11. Prepare a register of information security assets (ISO 27001 Clause 6.1)
    12. Prepare a Risk Assessment (Threats and Opportunities) (ISO 27001 Clause 6.1)
    13. Prepare SoA (ISO 27001 Clause 6.1)
    14. Prepare a Risk Treatment Plan (ISO 27001 Clause 6.1)
    15. Prepare Operational Controls (specific responsibilities) (ISO 27001 Clause 6.1)
    16. Establish information security objectives (ISO 27001 Clause 6.2)
    17. Prepare an Information Security improvement plan to achieve objectives (ISO 27001 Clause 6.2)
    18. Identify monitoring and measurement needs (ISO 27001 Clause 9.1)
    19. Develop mandatory and other documentation (ISO 27001 Clauses 4.4 and 7.5)
    20. Establish Operational Controls and Monitoring (ISO 27001 Clause 9.1)
    21. Secure required resources (ISO 27001 Clause 7.1)
    22. Establish initial employee awareness (ISO 27001 Clause 7.3)
    23. Establish internal and external communication (ISO 27001 Clause 7.4)
    24. Finalize and issue Information Security and Management System Documentation (ISO 27001 Clauses 4.4 and 7.5)
    25. Complete job-specific training (ISO 27001 Clause 7.2)
    26. Go Live! Procedures and Information Security objectives plan (ISO 27001 Clauses 5.1 and 10.1)
    27. Implement Risk Treatment Plan (ISO 27001 Clause 5.3)
    28. Conduct periodic Information Security risk assessment (ISO 27001 Clause 5.2)
    29. Conduct Internal Audits (ISO 27001 Clause 9.2)
    30. Conduct Management Reviews (ISO 27001 Clause 9.3)
    31. Implement Improvement (ISO 27001 Clause 10.2)


    For ease of understanding, the 31 steps have been set out in a simple sequence. In reality, you will frequently be working on several steps simultaneously. This will help reduce the overall timescale for the project. When project planning with your project team, you should seek out and document such opportunities.

    This Flowchart is part of the extensive pack of Course Materials that is included free-of-charge with the ISO 27001 Lead Implementer Training.


    Click here to download ’31-Steps to ISO 27001:2013 Certification’


    After downloading, please study it carefully and note…

    1. It’s a PDF file for you to print and/or save as you wish.
    2. The main headings throughout have numbers in brackets (e.g. #12) to indicate Step numbers.
    3. The numbers in brackets at the bottom of each activity box (e.g. 8.1 & 10.1) are the Clause Number(s) corresponding to the requirement that is being addressed by the activity in question.



    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director &amp; Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting and auditing management systems.