How To Implement ISO 27001: A Step By Step Guide


In this article we lay bare how to implement ISO 27001: exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We also show you exactly what changed in the ISO 27001:2022 update.

I am Stuart Barker the ISO27001 Ninja and this is how to implement ISO27001.

Before You Start

All of the training videos are free on the YouTube channel and, if you want to fast track rather than create the documents yourself, the ISO 27001 Templates Toolkit has your back.

This guide is a more detailed version of the ISO 27001 Implementation Checklist. It will walk you through the steps and the suggested order and give you additional information. In combination with this guide, the ISO 27001 Implementation Checklist, the videos, and the additional guides you should have everything you need.

If at any point you get stuck, you can arrange a free 30 minute consultation with me by clicking this link: https://calendly.com/high_table/free-30-minute-iso-27001-strategy-session


Let me show you for free how to implement ISO 27001 in this step by step guide so you can do it yourself. Whether you are an information security professional or a business looking to save money, the process is the same. Simple and straightforward.

These ISO 27001 videos are designed to help people like yourself who want to learn how to implement ISO 27001 themselves and avoid the high costs associated with hiring an expert. I show you step-by-step what needs to be done in order for your organization to become ISO 27001 compliant and get ISO 27001 certified.

Everything you need to do it yourself is in the ISO 27001 Toolkit. The knowledge and training is free. Let us begin.


You can see exactly how I did it and apply those same techniques in your own organization. It’s easy, fast, and doesn’t require any special skills or knowledge on your part – just follow along with me as I explain everything from start to finish! This is the best way possible of getting started with ISO 27001 without having to spend thousands of dollars on consultants or other experts that will charge by the hour. You won’t find this type of information anywhere else online – only here at High Table!

Everything you need to know to get started

Start here with everything you need to know about ISO 27001 to get started. This video answers the questions that come up the most when starting an ISO 27001 implementation: how it fits, how much it costs, what the process is, what the difference from SOC 2 is, and how the implementation process will go.

The tutorials are based on the ISO 27001 Toolkit

Orientate Yourself with ISO 27001 Gap Analysis and why the ISO 27001 Toolkit is as it is

Take a first look at the mapping of the standard and how the ISO 27001 toolkit meets the requirements of the standard. Understand how ISO 27001 gap analysis and ISO 27001 Internal Audit will be performed.

The ISO 27001 Standard Walkthrough Part 1

A walkthrough of the ISO 27001 Standard. Part 1 uses the ISO 27001 Toolkit and years of experience to explain what the ISO 27001 standard is, what it is looking for and how you can go about satisfying it for ISO 27001 certification.

The ISO 27001 Standard Walkthrough Part 2

Following on from the ISO 27001 Standard Walkthrough Part 1 we continue and finish our look at the ISO 27001 standard.

ISO 27001 Implementation

BRAND THE TOOLKIT

If you do not have the ISO 27001 Toolkit you can skip this step.

You are going to want to make the documents look like you. All the documents have standard mark-up such as version control and classification and it is recommended that you do not remove these elements from the pages to remain compliant. Of course, you can move them around, change the layout as needed. 

When Branding

  • Update the logo to your company logo.
  • Change all occurrences of the placeholder text [Company] to your company name.
  • Change the font, if applicable, to your company font, although based on experience this can be a ball ache and my advice is to leave it as is.

ASSIGN YOUR TEAM

Assign Owners of Documents

You want to assign owners to documents. Owners of documents are going to be responsible for completing the required documents, maintaining the documents, and reviewing the documents. Think of it this way: if someone were to ask about a particular document, who is the person that knows everything about it and what it covers? We are going to get audited at some point and you want to know exactly who to speak to about the document and its topic.

Getting this right is a key step. It will require agreement with the person that you assign ownership. 

You can assign it to a team rather than a person. I advise against it and recommend assigning to a person. This is about accountability. In my experience, assigning it to a team means no one is accountable, so no one maintains it, people in the team will not know about it, and it will cause problems come the audit. Think accountability. Nothing focuses the mind like having your name on the document.

Complete: Information Security Assigned Roles and Responsibilities

This document is a required document with place holders for key roles. Add the names of the people that are responsible and at this point consider who is on your Management Review Team. The Management Review Team is the oversight body that you will implement that has key responsibilities and meets to follow a structured, dictated agenda, for which we have provided a template. For now, complete this document. 

Complete: Information Security Management System Document Tracker

Complete the following document adding in any other relevant documents that are missing:

Information Security Management System / Information Security Management System Document Tracker

Maintain this document throughout your build. For now, do not worry about updating the version information until you have your first complete version 1 milestone pack. Just record the document owners.

Assign Owners of the ANNEX A Controls

Annex A is the business controls. You will rely on the people in the business that run and manage those departments, functions, and controls to bring their areas of responsibility up to speed. Whilst Annex A implementation is part of the Stage 2 and not covered here, having the owners assigned is required. The standard does not require it but to have any kind of a chance you want accountability, to know who is responsible and as with the document assignment above, who the auditor is going to speak to about each control. 

Complete: ISMS Annex A Controls – Accountability Matrix

Information Security Management System / ISMS Annex A Controls – Accountability Matrix

The ISMS Annex A Controls – Accountability Matrix is a great little document. It is a cut-down version of a RACI matrix. You want to complete at least column D with the name of the primary person for each Annex A control.

You have both versions of the standard / controls, and it is recommended you complete this for both versions, even if you are not certifying against both control sets.

The Annex A Controls are straightforward.

Update each document in the toolkit to assign the owner

Every document in the toolkit has a placeholder for the document owner. In each document replace the text in brackets – [Document Owner] – with the person that you have assigned and agreed as the document owner.

CHECKPOINT 1

At this checkpoint you now have:

  • A branded pack that is branded to your company
  • Document owners assigned for the ISMS
  • Control owners assigned for the Annex A controls
  • An understanding of the requirements of ISO 27001, how the pack addresses those requirements and where to find that information

DOCUMENT WHO YOU ARE AND WHAT YOU HAVE

In the last section you allocated owners to documents in the Information Security Management System Document Tracker. 

Now is the time to go ahead and complete those documents. 

Either assign each document to its owner or work with the owner to review it, updating the variables (see the section above) as required and filling in the required information.

To help you there are video guides provided on each significant document. 

Create your organisation overview

The organisation overview is straightforward information about your organisation that you already know. You may have it in different locations, or some of it, or none of it. Now is the time to collate it into one document. We are making a link between who we are and the information security management system we have built.

When we built it, did we consider our business objectives? Our strategy? Our locations? Simple stuff, but you want to draw the link and demonstrate it.

A guide to the organisation overview and more details: https://hightable.io/iso-27001-organisation-overview/

What does ISO 27001 say? https://hightable.io/iso-27001-clause-4-1-understanding-the-organisation-and-its-context/

Document Internal / External Issues and Interested Parties

Context of Organisation wants us to show that we have worked out who our interested parties are (our stakeholders), what their requirements are and, again, to show the link between that and our information security management system. In addition, it covers internal and external issues, which are in effect risks, so we record them here. We record whether we have considered each issue and decided it is NOT a risk. This is valid and great, as auditors love to test us and check we have considered all possibilities; here we can say, yes, we considered it and for us it was not a risk. It also records where we DO consider an issue a risk. If this is the case, make sure to include it in your risk register and put the risk reference number here in this document. This creates the link between issues and risks that need to be managed.

A guide to the context of organisation and more details: https://hightable.io/context-of-organisation/

What does ISO 27001 say? https://hightable.io/iso-27001-clause-4-1-understanding-the-organisation-and-its-context/

What does ISO 27001 say? https://hightable.io/iso-27001-clause-4-2-understanding-the-needs-and-expectations-of-interested-parties/

Decide and document the ISO 27001 Scope

Getting the ISO 27001 scope right is absolutely key. It drives the complexity, the work you have to do, the costs and more. Take time to get this right. At a high level you want the scope to cover the products / services that you provide to customers and that customers are asking you to be certified for. It is customer driven.

A guide to the ISO 27001 scope and more details and guidance: https://hightable.io/iso-27001-scope-statement/

What does ISO 27001 say? https://hightable.io/iso-27001-clause-4-3-determining-the-scope-of-the-information-security-management-system/

Record the laws and regulations that apply to your business

There are laws that govern how a business operates. You should know the laws that apply to your organisation, and we review and record them.

You are expected to run your business in line with the laws and regulations of where you operate. Using the guidance of legal counsel, complete the legal register. What you should note here is that whatever law or regulation you say applies to you is fair game and in scope for your certification audit. People can fail on this. So, if you say it applies, before you go for certification make sure that you do comply and can evidence that you do. It is a massive catch-all and one downside of the standard. Things like PAT testing, fire extinguishers and data protection all come into scope to catch you out if the relevant laws apply to you.

Download the Legal Register Template

A guide to the Legal and Contractual Requirements Register and more details and guidance: https://hightable.io/how-to-create-and-use-a-legal-and-contractual-register/

Document and Control Physical and Virtual Assets

If it stores, processes or transmits information or data, then record it in the asset register along with the required control points for assets.

You need a physical asset register, which is actually a register of every device, both physical and virtual (if you have a VM environment), that can store, process, or transmit data. Of course, here we are looking at things that are in scope as defined in the scope statement. It will also include bring-your-own devices and user-owned equipment that connects. We may not control these directly, but we do want to know about them and be able to control what they can access. The spreadsheet is the minimum information requirement. If you can get this information direct from a system, you do not have to also complete the spreadsheet. Being able to generate the reports from the systems is the ideal, but if you cannot, the spreadsheet is the way to go. Potentially you will have a hybrid and use a combination.

Download the Physical Asset Register Template

A guide to the Physical Asset Register and more details and guidance: https://hightable.io/how-to-create-and-use-asset-register/

Document and record your Data Assets

A record of the data assets is required by the standard and by many laws and regulations. Create your data asset register.

You need an asset register of all of your data assets. Ideally you have this already from your data protection implementation, but if not, this template will meet the need. It is based on GDPR best practice, and each field should be completed.

You identify your data assets and data stores by reviewing technical documentation, system documentation, process documentation and process mapping, by brainstorming and by just asking folks. If you have this information already, use that; if not, complete the data asset register.

Download the Data Asset Register Template

Decide and record which ISO 27002 / Annex A Controls Apply

ISO 27002 / Annex A is a list of controls that your business should consider implementing. Decide which ones apply to you, review them and record them.

The statement of applicability is the list of controls that apply to your organisation, and it is a core mandatory document. The list of controls is taken from Annex A of the standard, which, confusingly, is also published as a standard in its own right called ISO 27002. You need to know that the control list changed in 2022. You have both control lists, as you will need to confirm with your certification body which control set you will be certified against. For now, and as best practice, complete both control sets.

It is simple to go through and set whether each control applies or not, and if not, put a compelling reason that is believable to an auditor as to why it does not apply. Set the review dates and consider whether you need to make changes to the columns on why you need it.

Download the ISO 27001 SOA – Statement of Applicability Template

A guide to the Statement of Applicability and more details and guidance: https://hightable.io/statement-of-applicability-iso-27001/

Third Party Supplier Register / Supplier Contracts / Supplier Security Certificates

In information security we need to secure the supply chain. Our supply chain is one of our biggest risks and potential vulnerabilities. You will identify all the suppliers for the in-scope products and services and list them. You will add in the required details, and you will rank them for importance to your organisation and the assurance you have they are doing the right thing. We don’t want to get into having to send questionnaires and audit companies, so we are going to place reliance on third party ISO 27001 or similar certifications. Guidance in the guidance tab allows you to rank and rate suppliers. For each supplier you need an in-date contract, with security clauses, that covers what you are buying AND you need a copy of the ISO 27001 or equivalent certificate for your assurance. You should be able to show both of these to an auditor. 

If you do not have a contract or a certificate, go and ask for one. If they do not have a certificate, then you need to manage that via risk management by adding it to the risk register and following the risk management process. This will likely include following the continual improvement process and adding it to the Incident and Corrective Action Log. Make sure there are NO GAPS in the third-party supplier register when you go for the certification audit.
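The two cross-checks the guide asks for (issues recorded as risks in the Context of Organisation must point at a real risk register entry; every supplier needs an in-date contract with security clauses and a certificate, or else a risk register entry) as one script. This is an added example, not the toolkit's own code or spreadsheet logic; the field names, register references and sample rows are constructed assumptions.

```python
"""Find gaps in the Context of Organisation and Third Party Supplier Register
before an auditor does. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Issue:
    """A row from the Context of Organisation document (assumed layout)."""
    description: str
    is_risk: bool
    risk_ref: Optional[str] = None   # reference into the risk register


@dataclass
class Supplier:
    """A row from the Third Party Supplier Register (assumed layout)."""
    name: str
    contract_expiry: Optional[date]    # None = no contract on file
    security_clauses: bool
    certificate: Optional[str]         # e.g. "ISO 27001"; None = none held
    certificate_expiry: Optional[date]
    risk_ref: Optional[str] = None     # set when a gap is being risk-managed


def check_issue_risk_links(issues, risk_refs):
    """Every issue recorded as a risk must point at an existing risk register entry."""
    findings = []
    for issue in issues:
        if not issue.is_risk:
            continue  # 'considered, and not a risk' is a valid, auditable answer
        if issue.risk_ref is None:
            findings.append(f"issue '{issue.description}' is a risk but has no risk reference")
        elif issue.risk_ref not in risk_refs:
            findings.append(f"issue '{issue.description}' references {issue.risk_ref}, "
                            "which is not in the risk register")
    return findings


def check_supplier_register(suppliers, risk_refs, today):
    """Each supplier needs an in-date contract with security clauses and an in-date
    certificate; a missing certificate is acceptable only if it is on the risk register."""
    findings = []
    for s in suppliers:
        if s.contract_expiry is None:
            findings.append(f"{s.name}: no contract on file")
        elif s.contract_expiry < today:
            findings.append(f"{s.name}: contract expired {s.contract_expiry}")
        if not s.security_clauses:
            findings.append(f"{s.name}: contract has no security clauses")
        if s.certificate is None:
            if s.risk_ref is None or s.risk_ref not in risk_refs:
                findings.append(f"{s.name}: no certificate and not on the risk register")
        elif s.certificate_expiry is None or s.certificate_expiry < today:
            findings.append(f"{s.name}: {s.certificate} certificate expired or undated")
    return findings


# Constructed sample data: risk register references, context issues and suppliers
RISK_REGISTER = {"RISK-001", "RISK-002", "RISK-007"}

ISSUES = [
    Issue("Reliance on a single cloud hosting provider", True, "RISK-001"),
    Issue("Office shared with other tenants", True, "RISK-099"),   # dangling reference
    Issue("Staff working remotely", True),                          # no reference at all
    Issue("Seasonal sales peaks", False),                            # considered, not a risk
]

SUPPLIERS = [
    Supplier("CloudHost Ltd", date(2026, 3, 31), True, "ISO 27001", date(2025, 11, 30)),
    Supplier("Payroll Co", date(2024, 1, 1), True, "SOC 2", date(2025, 6, 30)),
    Supplier("Local Printer Shop", date(2026, 1, 15), False, None, None, risk_ref="RISK-007"),
    Supplier("Freelance Designer", None, False, None, None),
]


def audit_registers(today=date(2025, 6, 1)):
    """Run both checks and return the combined list of gaps (empty = no gaps)."""
    return (check_issue_risk_links(ISSUES, RISK_REGISTER)
            + check_supplier_register(SUPPLIERS, RISK_REGISTER, today))


if __name__ == "__main__":
    for gap in audit_registers():
        print("GAP:", gap)
```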

Download the ISO 27001 Third Party Supplier Register Template

A guide to the Third-Party Supplier registers and more details and guidance: https://hightable.io/third-party-supplier-register/

DOCUMENT WHAT YOUR INFORMATION SECURITY MANAGEMENT SYSTEM IS

There are key decisions when building the information security management system and when those decisions have been taken, record them so you can explain your information security management system clearly.

The Information Security Management System

This document sets out a description of the information security management system. Complete it and pay attention to the information security objectives. You should not need to change them for a first build, but do double check them. You need to ensure that the objectives here are word for word the same in your information security policy and in the management review team meeting minutes that you produce each month, or whatever set period you decide.

Show you have the competencies to run ISO 27001

Record the skills and competencies of the team and their ability to effectively run the ISO 27001 information security management system. Identify gaps and plans to close those gaps.

For everyone involved in information security add them to the competency matrix and complete it. That is everyone in the roles and responsibilities matrix, the document tracker, and the accountability matrix as a minimum. If you have a third-party consultant helping, add them too. You are demonstrating that you have the resources with the required skills to operate and manage the information security management system and that you are managing where there are gaps. 

Download the Competency Matrix Template

Management Review Team Minutes – Template

These are the draft templated minutes. You will need to ensure that the objectives that you have set in the document ‘Information Security Management System’ are also contained in the Information Security Policy AND that you have them in the Management Review Team Meeting minutes template and all minutes you create.

A guide to how to conduct a Management Review meeting and more details and guidance: https://hightable.io/how-to-conduct-a-management-review-meeting/

Information Security Measures Report

( ** you have to create this)

For the objectives you have defined, you have to decide what you are going to measure. It could be machine patching, machine antivirus, staff training – whatever you are measuring, create a report that you can populate each month to track your measures. Make sure each objective has measures you can track, and that your report includes them. Keep historical records of the reports.
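A minimal version of that monthly measures report, as an added example rather than the toolkit's own report: each ISMS objective is tied to named measures with targets, values are computed from patching, antivirus and training data, objectives with no measure are flagged, and every period's report is kept. Objective names, measure names, targets and all records are constructed assumptions.

```python
"""Monthly Information Security Measures Report. Added example; objectives,
measures, targets and sample data are constructed, not from the toolkit."""
from dataclasses import dataclass


@dataclass
class Machine:
    hostname: str
    patches_current: bool     # fully patched at the time of the report
    antivirus_current: bool   # antivirus installed with current signatures


@dataclass
class StaffMember:
    name: str
    training_completed: bool  # basic security training done and test passed


# Objectives (word for word as in the ISMS document), each mapped to the measures
# that evidence it with a target percentage. Constructed values.
OBJECTIVES = {
    "Systems are maintained in a secure state": {"patched_pct": 95.0, "antivirus_pct": 100.0},
    "Staff understand their information security responsibilities": {"trained_pct": 100.0},
    "Supplier security is assured": {},   # deliberately left without a measure
}


def percent(flags):
    """Percentage of True values, rounded to one decimal; 0.0 for an empty input."""
    flags = list(flags)
    return round(100.0 * sum(flags) / len(flags), 1) if flags else 0.0


def compute_measures(machines, staff):
    """Derive this period's measure values from the system and HR data."""
    return {
        "patched_pct": percent(m.patches_current for m in machines),
        "antivirus_pct": percent(m.antivirus_current for m in machines),
        "trained_pct": percent(s.training_completed for s in staff),
    }


def objectives_without_measures(objectives=OBJECTIVES):
    """Objectives the report cannot evidence because no measure is defined for them."""
    return [name for name, measures in objectives.items() if not measures]


def build_report(period, measures, objectives=OBJECTIVES):
    """One row per objective: each measure's value, its target, and met / not met."""
    report = {"period": period, "objectives": {}}
    for name, targets in objectives.items():
        rows = {m: {"value": measures[m], "target": t, "met": measures[m] >= t}
                for m, t in targets.items()}
        report["objectives"][name] = {
            "measures": rows,
            # an objective with no measures can never be shown as met
            "met": bool(rows) and all(r["met"] for r in rows.values()),
        }
    return report


HISTORY = []  # keep every period's report; auditors want to see the trend


def record_report(period, machines, staff, history=HISTORY):
    """Compute, store and return the report for one period (e.g. '2025-06')."""
    report = build_report(period, compute_measures(machines, staff))
    history.append(report)
    return report


# Constructed sample data for a single period
MACHINES = [
    Machine("lt-001", True, True), Machine("lt-002", True, True),
    Machine("lt-003", False, True), Machine("srv-01", True, True),
]
STAFF = [StaffMember("Alice", True), StaffMember("Bob", True), StaffMember("Carol", True)]

if __name__ == "__main__":
    for objective in objectives_without_measures():
        print("NO MEASURE DEFINED:", objective)
    result = record_report("2025-06", MACHINES, STAFF)
    for name, row in result["objectives"].items():
        print(name, "MET" if row["met"] else "NOT MET", row["measures"])
```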

Define your classification scheme

We classify data and assets and set controls and requirements based on those classifications. Take what is provided or adapt to requirements.

This is a reference document – no action needed other than review and know you have it. It is a summary of the information classification and handling policy, and you will communicate this to all staff as part of the implementation.

Download the Classification Summary Template

WRITE, IMPLEMENT AND DEPLOY ISO 27001 POLICIES

We implement policies that tell people what to do and what we do for information security.

Download the ISO Policy Bundle

Using and following the guide: Getting Started – How to Deploy and Implement Policies, complete the policy build. 

CONDUCT YOUR RISK REVIEW

ISO 27001 is a risk-based management system with risk management at its heart. You need to complete your risk review meeting and complete your risk register and start your active risk management. 

Risk Review Meeting

The risk review meeting is a risk workshop that you conduct at least annually. Arrange a meeting with the Management Review Team, invite anyone else that can add value. Work through any risks you have identified in the Context of Organisation document, review the example risks provided and then brainstorm any other risks that are appropriate to you. Minute the meeting and update the risk register.

Risk Register

Complete the risk register for your organisation. You can review the example risks that are provided to see if they apply. Make sure that:

  • Any issues in the Context of Organisation document that are recorded as added to the risk register are actually on the risk register.
  • The risks identified in your risk review workshop meeting are on the risk register.

You have a copy of the Risk Management Process document for ongoing risk management. 

Supporting articles and resources: 

Document: https://hightable.io/risk-register/

Document: https://hightable.io/risk-management-policy/

Document: https://hightable.io/iso-27001-clause-8-2-information-security-risk-assessment-essential-guide/

Document: https://hightable.io/iso-27001-clause-6-1-3-information-security-risk-treatment/

Video: https://youtu.be/eZdtSJzjNKo

CREATE YOUR PLANS

Audit Plan

You have to audit everything at least once annually and definitely before the certification audit. Plan your audits and document them, covering 12 months in advance. Be sure that everything is audited at least once; some areas may need auditing more than once based on risk. You can do small audits each month or one or two large audits a year. Plan what is right for you and your business. Once planned, ensure you follow the plan and conduct the audits.


Consider that if you find a non-conformity, it goes into the continual improvement process and is entered on the incident and corrective action log for managing; it is likely that you would then schedule an audit of that area at a future date to check that the corrective action was effective. I would check this as an auditor. This is not a consideration per se for a first build and certification audit, but it can be.

Communication Plan

You have to communicate, plan it and evidence it. Plan your communications and document them, covering 12 months in advance. Consider different communication types. Your meetings are a form of communication, so include them (Management Review Meeting, Security Ops Meeting, Risk Review Meeting, Business Continuity meetings, for example).

An auditor will check the plan and, for completed communications, expect to see evidence that they happened. This can be meeting minutes, copies of emails, or screenshots of SharePoint / intranet posts.

TRAIN EVERYONE

You need to train everyone at least on basic information security and data protection, and you need to evidence that they understood and accepted it. This is one place where a tool will do the heavy lifting for you, as they come with prebuilt modules, have tests and quizzes built in to demonstrate understanding, and come with reports that show who has completed the training. You should make sure that everyone has completed the basic training before the certification audit, and you should plan in additional training for the next 12 months. Remember that the basic training should be conducted and evidenced at least annually.

IMPLEMENT AND TEST BUSINESS CONTINUITY

You need to implement business continuity and disaster recovery. The documents here are self-explanatory. Business continuity is technically a standard in its own right, called ISO 22301, but for now, complete the documents. You then need to run a test and keep records as evidence that you have.

Business Impact Assessment

Document your systems, locations and teams and follow the guide to prioritise them.

Business Impact Analysis Exec Summary

Summarise your business impact assessment in a short executive summary.

Business Continuity Objectives and Strategy

Set the objectives and strategy for your business continuity

Business Continuity Plan

Create your business continuity plan and put in place disaster recovery documents

Disaster Recovery Scenario Plans

Work out common scenarios that may occur that would impact your business and its ability to operate and document what they might be, and the plans associated.

Disaster Recovery Tests

Conduct tests of the scenarios recording evidence of the test. Evidence may be screen shots, screen recordings or output reports from systems. You have to have tested before going for certification.

IMPLEMENT YOUR OPERATIONAL PROCESSES

Operations Manual

You need to write your operational processes. This is something that we cannot pre-do for you, as every business is different. The Operations Manual has prepopulated headings for common processes, so you need to add to / remove from that list of processes. Then you need to write the how: how your processes actually work. Tip: the policy documents say what you do, so by working through the policies you can write the processes for how you do it. This is down to your business and is straightforward. Write simple process steps describing what you actually do, not what you think someone wants to hear. You will be audited on what you say you do. The auditor will read the process and then say: show me that you do this. Always include at least one exception step in your processes. An exception step is what you do if something common does not work. Imagine a HR background check came back and failed. What are the process steps if it fails? Often these simple exceptions are missed, and an auditor will easily pick up on it.

Implement and Evidence Operational Processes

Once the process is written, technically implement it. This may or may not take the most time. Implement each process. Then you need to be able to evidence the process before you do the internal audit and definitely before the external certification audit. 

Implement and evidence the operation of operational processes.

CONDUCT YOUR INTERNAL AUDIT

Guide: https://hightable.io/how-to-conduct-an-iso-27001-internal-audit/

You also have a document called How to Conduct an Internal Audit.

Audit Template ISO 27001 2013 and 2022 Version

Using the template and the step-by-step guide provided conduct your internal audits and follow the process.

Audit Report – Template

Complete an Audit Report high level summary of the audit conducted with findings.

Incident and Corrective Action Log

Update the incident and corrective action log and follow the continual improvement process as a result of the audit.

You have a document called How to Continual Improvement.

HOLD YOUR MANAGEMENT REVIEW MEETING

Create a folder for the management review meeting. Create the management review meeting agenda from the template. In the list of documents relevant to the meeting, include ALL the documents in the management system – all the documents here. Create an agenda item for ‘Review and Sign Off ISMS documents’. Share the location of the documents with the management review team before the meeting and ask them to review them beforehand. In the meeting walk through them and seek approval that everyone agrees with them and that they can be signed off. This includes the audit results and the incident and corrective action log. Be sure to include your measures and update the section on objectives. You will clearly have everything for the first pass – policies, risk register, plans … everything. At the conclusion of this meeting, you set all documents to version 1, you set the last review date to the date of this meeting, and you set the version control to include the update that the document was reviewed and signed off at the management review meeting (and you include the date of it). This is a fair chunk of admin, copy and paste, but it gets you set for a stable version 1 of the ISMS, and you are Stage 1 ready and ISO 27001 certification ready.

Minute the meeting and keep a record. Now is the time to update and complete your document tracker document.

You have a document called: How to Conduct A Management Review Team Meeting. 

COMMUNICATE YOUR NEW INFORMATION SECURITY MANAGEMENT SYSTEM

Once you have signed off and set the baseline version control, you are going to publish the documents and communicate to the business that they exist and where they are. Update your communication plan to reflect this.

OPERATE YOUR INFORMATION SECURITY MANAGEMENT SYSTEM

We will cover in another guide how to manage the information security management system day in day out but in basic terms you will operate the processes you have implemented. You will run your management review meetings, review your measures, conduct your internal audits based on the plan, run your incident management process, run your continual improvement process. 

PREPARE TO BE AUDITED 

These are some high-level considerations before you go for audit. The audit is down to the auditor auditing you. You get good ones and bad ones. It is the luck of the draw. 

When you know the auditor’s name, consider checking them out on LinkedIn to get a feel for what their background is. Whatever it is, as a rule, that is what they will go to town on come the audit. Do they have a software development background? Get your software development house in tip-top order. Do they have a GDPR background? Then you had better be sure your Data Protection is top notch. Networking background? You get the idea.

Ensure all your documents are up to date, that the version control matches, that all documents have been updated to show as a minimum a review in the last 12 months.

Ensure your processes are operating as expected. Even though you have done an internal audit, now is a good time to double check before the auditor comes. Remember the audit is show and tell; don’t trip yourself up by not checking and double checking before they come.

Ensure that those being audited are aware that they should answer the questions asked and not offer up any additional information that may get you in hot water. An auditor likes to pick a thread and watch it unravel. Do not give them threads to pluck.

Ensure that close to the audit you once again communicate to everybody, especially those being audited:

  • Where the information security policies are
  • How they raise an incident
  • Who is responsible for information security and who they would go to

Check that the machines of those being audited are patched, have up to date antivirus. Check and clear download folders and trash / waste bins. Have clean desktops. 

Now is a good time to go into key systems and check admin accounts. Yes, you have done it, but do it again. Is there anyone in there that has left? Are there any generic accounts that should not be there? 
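The admin account re-check described above, done as a script rather than by eye, as an added example that is not from the article or the toolkit: it reconciles a privileged-account export against the HR leavers list, flags generic accounts that have no accountable owner and are not on the approved shared-account list, and flags dormant accounts. The export format, the 90-day dormancy threshold and all sample rows are constructed assumptions; a real run would load the export from the system in question.

```python
"""Pre-audit review of privileged accounts. Added example; the account layout,
leavers list and approved shared accounts are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AdminAccount:
    username: str
    owner: Optional[str]        # named person accountable for the account; None = nobody
    last_login: Optional[date]  # None = never logged in


def review_admin_accounts(accounts, leavers, approved_shared, today, dormant_days=90):
    """Return one finding per problem; an empty list means the system is audit-ready."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        # 1. Is there anyone in there that has left?
        if acct.owner is not None and acct.owner in leavers:
            findings.append(f"{acct.username}: owner {acct.owner} has left, account still active")
        # 2. Are there generic accounts that should not be there?
        if acct.owner is None and acct.username not in approved_shared:
            findings.append(f"{acct.username}: generic account with no accountable owner")
        # 3. Unused privilege is privilege that should be removed or justified
        if acct.last_login is None:
            findings.append(f"{acct.username}: never used, remove or justify")
        elif acct.last_login < cutoff:
            findings.append(f"{acct.username}: dormant, last login {acct.last_login}")
    return findings


# Constructed sample data: an admin-group export, the HR leavers list, and the
# shared / service accounts that are approved and have a documented owner process.
ADMIN_ACCOUNTS = [
    AdminAccount("alice.adm", "Alice Smith", date(2025, 5, 28)),
    AdminAccount("bob.adm", "Bob Jones", date(2025, 1, 10)),
    AdminAccount("admin", None, date(2025, 5, 30)),
    AdminAccount("backup-svc", None, date(2025, 5, 31)),
    AdminAccount("temp", None, None),
]
LEAVERS = {"Bob Jones"}
APPROVED_SHARED = {"backup-svc"}


def pre_audit_findings(today=date(2025, 6, 1)):
    """Run the review over the sample export as at the given date."""
    return review_admin_accounts(ADMIN_ACCOUNTS, LEAVERS, APPROVED_SHARED, today)


if __name__ == "__main__":
    for finding in pre_audit_findings():
        print("FIX BEFORE AUDIT:", finding)
```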

If you have an office walk the floor and make sure you meet your clear desk policy. Lock confidential data away, tidy up, don’t have things that could raise questions lying around. 

Make sure that you meet the legal requirements you say you do. Here are common things an auditor will check:

  • The cookie policy on your website
  • They will run tracker checks on your website and see your policy matches
  • They will check data protection registers such as the ICO website to see you are registered
  • They will check fire extinguishers to check they are checked and in date
  • They may check things like PAT testing of devices
  • If you have them, they will check printer areas for print outs left around
  • If you have them, they will check confidential waste bins, make sure the waste is IN them
  • They will check things that you think, and you are right, are not relevant. If it is a law or regulation, it is fair game. 

There are more tips, but these are the most common. Remember, you are PAYING THEM to audit you. They do not want you to fail. As a rule. So be confident, you have got this. 

The worst case is they raise some issues and give you time to fix and then issue the certificate. 

You basically have to have nothing in place and not be doing any of this guide and toolkit to fail. You are doing it, so, be cool.

CHECKPOINT 2

At this checkpoint you now have:

  • A branded pack that is branded to your company
  • Document owners assigned for the ISMS
  • Control owners assigned for the Annex A controls
  • An understanding of the requirements of ISO 27001, how the pack addresses those requirements and where to find that information
  • A complete build of the Information Security Management System, updated to your own specific situation

CONCLUSION

You have now completed the build of your information security management system. You have branded the pack and made it your own. You have included and recorded key information. You have created policies that say what you do, if not yet how you do it.

As you move forward towards certification you are now going to build on the information security management system. 

As with everything, you can reach out to us for ad hoc guidance, ad hoc pre-checking, ad hoc guidance on taking the audit – whatever you need. If you need help, ask. We bill in half-day blocks. We are here for you.

Good Luck. You’ve got this.

How to implement ISO 27001 if you want to do things yourself – here are some how-tos

If you don’t use the ISO 27001 Toolkit but would rather create the documents yourself, here is where we show you how.

How to create an Organisation Overview

How to create a Context of Organisation

Defining Scope

How to create an Asset Register

How to create a Statement of Applicability

How to create an information security policy

How to create a risk register

How to build a competency matrix

How to build a third party supplier register
