ISO 27001 Checklist - Your Expert Guide to Implementing ISO27001

While ISO 27001 implementation may seem like a daunting task, breaking it down into manageable steps can simplify the process.

In this article, I will walk you through my 10 step guide to implementing ISO 27001 and offer some pro tips to help you on your path to success.

Let's dive in.

What is ISO 27001?

Before talking about how to implement ISO 27001, it probably makes sense to define what it is...right?

ISO 27001 is the international standard for defining, implementing, managing and continuously improving an Information Security Management System (or ISMS).

An ISMS is a framework of policies, processes, procedures, people and technology that - together - help you manage and mitigate the information security risks that impact your business.

The scope of ISO 27001 is quite broad and includes a wide range of themes including:

  • Risk management
  • Asset management
  • Access control
  • Incident response
  • Business continuity
  • and much much more...

But it's important to understand that your ISMS is not a technology thing.

It's not a piece of software, a platform, a tool.

Yes, technology obviously plays an important role.

But your ISMS is your method for managing information security within your organisation that combines the effective use of policies, processes, procedures, people and technology to identify, manage and mitigate the risks that impact your business.

Why is an ISMS so important?

An ISMS is designed to provide you with a structured and systematic approach to how you identify, protect, detect, respond and recover from threats, risks and vulnerabilities that impact your business.

It is meant to be set in the context of your organisation and to exist as a living system that adapts and evolves with your business. For example, it should respond to:

  • Legal and regulatory changes
  • Customer expectations and requirements
  • Technology changes
  • Changes in the threat landscape
  • New vulnerabilities that affect your business

10 Steps to Implementing ISO 27001

Step #1 - Get Management Support

The journey begins with obtaining support from top management.

This one may seem rather obvious, yet it is usually not taken seriously enough.

In my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not providing enough money.

Their approval is critical as implementing an ISMS can demand significant resources.

Without this visible and active sponsorship from management, progressing further is inadvisable.

#ProTip - Treat ISO 27001 implementation as a project. Implementing ISO 27001 doesn't have to be complicated. But it does require a structured approach that may involve multiple people performing multiple different tasks.

Step #2 - Define the Scope

Deciding the scope of the ISMS is a strategic early step.

It sets the entire context of your ISMS.

Depending on the context of your organisation and the outcomes you are looking to achieve, this process may involve selecting specific parts, processes, or services of the organisation that will fall under the ISMS.

#ProTip - The scope of your ISMS is printed on your ISO 27001 certificate. So keep that in mind when thinking about your scope.

Step #3 - Establish Your Information Security Policy

This step involves writing a high-level policy that outlines the organisation's information security objectives, laying the groundwork for the ISMS.

The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS and is also one of the mandatory documents required within an ISO27001 compliant ISMS.

Your Information Security Policy shouldn't be very detailed, but it should define some basic requirements for information security in your organisation.

#ProTip - Your Information Security Policy should be approved by top management and receive active and visible sponsorship. Additionally, you need to ensure that it is well communicated and accessible to the wider organisation.

Step #4 - Identify and Classify Your Assets

Identifying your assets is a crucial step in understanding what you need to protect.

It's essential that you inventory all of your information assets (including IT assets, documents, papers, files, folders, facilities) in order to establish a clear and shared understanding of your asset landscape.

Once you've identified your assets, you will need to determine the classification in terms of business criticality. This classification helps you identify what's important, and forms a key data point for your risk management strategy.

Remember - A thorough asset inventory is crucial to understanding what requires protection.

Step #5 - Define Your Risk Management Methodology

When implementing ISO 27001, risk assessment can be one of the most complex tasks, particularly if it is a new concept for your organisation.

Regardless of where you are on your risk management journey, it is key to establish a risk management process and methodology for conducting information security risk assessments and treatments, including:

  • The criteria for performing a risk assessment
  • The rules for identifying risks
  • Impact statements (relevant to your organisation)
  • Criteria for determining likelihood
  • Risk appetite
  • Establishing your risk register

#ProTip - Your Risk Management Methodology should be communicated and accessible to key stakeholders across your organisation. This helps drive a shared understanding, whilst ensuring consistency in how the organisation approaches information security risk.

Step #6 - Assess Your Risks

Having established your risk management methodology, you now have to execute your risk assessment to determine what risks your organisation is exposed to.

The key is to get as comprehensive a picture as possible of the risks that impact your organisation's information security.

These risks should be logged in your risk register so that they can be centrally managed and communicated to stakeholders.

#ProTip - Please don't underestimate the value or significance of the risk register. Your risk register is a critical tool within your ISMS and is a mandatory document in the context of ISO 27001.

Step #7 - Treat Your Risks

Now that you have a comprehensive picture of the risks that impact your organisation, you need to treat them through the use of controls.

The likelihood is that you already have some controls in place.

But in the world of ISO 27001, your starting point for treating information security risks is the set of ISO 27001 Annex A controls.

To treat risk using the Annex A Controls, you take the following high level steps:

  1. Select the relevant ISO 27001 Annex A Control and map it to the risk(s) in your risk register
  2. Create and update your ISO 27001 Statement of Applicability with the controls you've selected
  3. Implement the control
  4. Test and validate the control
  5. Update your risk register to reflect the impact of your control on the corresponding risk

If the control you've implemented has been effective, your updated risk assessment should show that the likelihood and/or impact of the risk materialising has reduced, which in turn improves your overall security posture and risk profile.

#ProTip - The Statement of Applicability is a mandatory document for ISO27001, so please ensure you keep this in mind. Additionally, you must update your risk register to reflect the risk treatment options that have been implemented and the associated residual risk.
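Steps 5 to 7 describe a qualitative risk methodology: likelihood and impact scales, a risk appetite, a risk register, controls mapped to risks, a Statement of Applicability and a residual rating after treatment. The following is an added example of that procedure as a small risk register model; it is not code from the original article. The 1-5 scales, the appetite threshold of 6 and the two sample risks are constructed assumptions, and the control ids and titles follow the ISO 27001:2022 Annex A numbering.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed 1-5 qualitative scales and appetite threshold: assumptions for this
# example, since the standard leaves scales and appetite to the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # likelihood x impact above this is outside appetite and must be treated

@dataclass
class Risk:
    rid: str
    asset: str
    description: str
    likelihood: str  # inherent rating, i.e. before treatment
    impact: str
    controls: list = field(default_factory=list)  # Annex A control ids mapped to this risk
    residual: Optional[tuple] = None  # (likelihood, impact) after the control is validated
    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
    def residual_score(self) -> int:
        lik, imp = self.residual or (self.likelihood, self.impact)
        return LIKELIHOOD[lik] * IMPACT[imp]
    def within_appetite(self) -> bool:
        return self.residual_score() <= RISK_APPETITE

def treat(risk: Risk, control_id: str, new_likelihood: str, new_impact: str) -> int:
    """Step 7: map a control to the risk and record the residual rating after validation."""
    risk.controls.append(control_id)
    risk.residual = (new_likelihood, new_impact)
    return risk.residual_score()

def untreated(register: list) -> list:
    """Risk ids still outside appetite, i.e. the treatment backlog."""
    return [r.rid for r in register if not r.within_appetite()]

def statement_of_applicability(register: list, catalogue: dict) -> dict:
    """SoA: each catalogue control, whether it is applicable, and the risks justifying it."""
    soa = {cid: {"title": t, "applicable": False, "justified_by": []} for cid, t in catalogue.items()}
    for r in register:
        for cid in r.controls:
            soa[cid]["applicable"] = True
            soa[cid]["justified_by"].append(r.rid)
    return soa

# Constructed sample data; the control ids and titles follow ISO 27001:2022 Annex A numbering.
ANNEX_A = {"A.5.15": "Access control", "A.8.7": "Protection against malware",
           "A.8.13": "Information backup"}
REGISTER = [Risk("R-01", "Customer database", "Ransomware destroys the only copy", "possible", "severe"),
            Risk("R-02", "HR file share", "Leavers retain access", "likely", "moderate")]
```

Calling `untreated(REGISTER)` lists both sample risks as outside appetite; after `treat(REGISTER[0], "A.8.13", "possible", "minor")` and `treat(REGISTER[1], "A.5.15", "unlikely", "moderate")` both score 6 and drop off the backlog, and `statement_of_applicability(REGISTER, ANNEX_A)` marks A.5.15 and A.8.13 applicable with the risks that justify them while A.8.7 stays unselected.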

Step #8 - Evaluate Your Performance

At this stage, you have got management support, defined the scope of your ISMS, established your information security policy and gone through the process of identifying, assessing and treating your risks.

Congratulations. You have an ISMS.

The next stage of the process is to evaluate its performance by:

  • Monitoring Key Performance Indicators (KPIs)
  • Conducting internal audits
  • Providing top management with relevant data for management review

#ProTip - Make sure that you retain and securely store all records, reports, papers, meeting minutes and management approvals surrounding the evaluation of your performance. This is considered documented information and needs to be controlled in accordance with ISO 27001 Clause 7.5.1.

Step #9 - Drive Continuous Improvement

Based on the performance evaluation, it is inevitable that there will be things that aren't performing to the desired level.

That's ok, it is expected.

The purpose of this step is to implement necessary corrections and corrective actions to improve the ISMS and ensure compliance with ISO 27001 standards.

#ProTip - Ensure that you log and monitor any corrections and corrective actions, and tie them back to the relevant entries in your risk register. Also, ensure that you capture the supporting evidence in accordance with ISO 27001 Clause 7.5.1.

Step #10 - Get Certified

Once an organization has implemented ISO 27001, the next natural step is seeking certification to demonstrate compliance.

The certification process typically involves an accredited certification body conducting an audit to assess an organisation's ISMS against the requirements of ISO 27001.

Preparing for certification involves:

  • thorough documentation
  • internal audits
  • ensuring that non-conformities identified through both internal and external assessments have been addressed

A well-prepared organization stands a greater chance of achieving ISO 27001 certification successfully.
So there you have it. Your expert guide to implementing ISO 27001 in 10 steps.

By following these 10 steps, you will have a systematic approach to implementing the standard in your organisation.

Implementing ISO 27001 doesn't have to be complicated, but it does require effort. So remember to get management support and to treat it like a project.

P.S. Whenever you're ready, here are 3 ways I can help you:

  1. Subscribe to GRCMANA and each week you will get more tips, strategies and resources that will help you accelerate your GRC career.
  2. Join the Cyber Resilience Network: Join 16,000+ other members in the largest LinkedIn Community dedicated to building cyber resilience in the cloud.
  3. Follow me on LinkedIn for more tools, strategies and insights on how to govern your cloud, secure your cloud and defend your cloud.

About the author
Harry is a technologist and security leader with 20+ years experience in helping organisations govern their cloud, secure their cloud and defend their cloud.