ISO 27001 (ISMS) Metrics And Step By Step Implementation Guide 2018

If you are planning to integrate and implement ISO 27001 within your organization, you will probably look for an easy way out. Unfortunately, there is no "easy way out" for a successful implementation.

However, to make it easier for you, we have compiled a step by step implementation guide for ISO 27001. The year 2018 has brought great revisions and updates in ISO standards, and one of them is ISO 27001. Below are the steps you should follow for a proper implementation of ISO 27001.

Step 1 – Identify the objectives of your Business

It is important to identify and prioritize objectives in order to gain full management support. To start off, the primary objectives of the organization can be extracted from (but are not limited to) the company's mission, IT goals and other strategic plans. Some prominent objectives of the organization can be:

  • Amplified marketing potential
  • Assurance and confirmation to other business partners of the company's compliance with information security requirements
  • Increased total company revenue and profits by providing the utmost security for clients' data and information
  • Reassurance to the company's clients and stakeholders about the company's commitment to information security, data protection and privacy
  • Proper compliance with industry regulations and guidelines

Step 2 – Obtain Management Support

Management involvement is essential for a sustained commitment to the planning, implementation, monitoring, operation, detailed review, continuous maintenance and iterative improvement of the ISO 27001 ISMS. That commitment must include activities such as ensuring that the right resources are available to manage the ISMS and that all employees affected by the ISMS have the proper training, know-how, and competence.

Step 3 – Define the scope

According to ISO 27001 (ISMS), the scope of implementation may cover all or any part of the organization. If you are a small organization, implementing it in all parts of the organization helps reduce the occurrence of risks. According to section B.2.3 of ISO 27001 – Scope of the ISMS, only the procedures, business units, and external vendors or contractors falling within the "scope of implementation" must be specified for certification to occur.

The scope of the project should be kept manageable, and it is advised to include only those parts of the organization, logical or physical, that genuinely belong within it.

Step 4 – Write a brief ISMS Policy

The ISMS policy is the highest level and most important document in your organization's ISMS. It doesn't have to be extensive; it should briefly cover the basic issues of the information security management framework within your company. The purpose of the ISMS policy is for management to explain to employees and other resources what needs to be achieved and how it will be controlled.

Step 5 – Define your risk assessment methodology and strategy

Prepare a list of information assets and services that need to be protected. To do that, it is important to formulate a risk assessment methodology to follow in order to assess, resolve and control risks according to their importance. The risks associated with each asset, together with its owner, current location, criticality, and replacement value, should be identified and recorded separately.

Step 6 – Create a Risk Treatment Plan and Manage those Risks

Through the risk treatment plan, as an organization, you will be able to distinguish and categorize risks according to their impact and sensitivity. To control the impact of the different risks associated with assets, the organization should treat each risk by accepting, avoiding, transferring, or reducing it to an acceptable level. The plan will spell out who will do what, with whom, and with what budget in the organization in terms of risk assessment and treatment. This is a crucial step for a successful implementation of ISO 27001.
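As an added worked example (not from the original post) that ties Steps 5 and 6 together, the following Python sketch keeps an asset register with owner, location, criticality and replacement value, scores each risk, and produces a treatment plan row saying who does what with what budget. It assumes a 1-5 likelihood/impact scale, score = likelihood x impact, an acceptance level of 8 and the decision rules shown in the comments; the asset and risk entries are constructed sample data.

```python
from dataclasses import dataclass

# Assumed for this example: 1-5 likelihood/impact scales, score = likelihood x impact, acceptance level 8
ACCEPTANCE_LEVEL = 8

@dataclass
class Asset:
    name: str
    owner: str              # proprietor accountable for the asset
    location: str           # present locality
    criticality: int        # 1 (low) .. 5 (high)
    replacement_value: int  # substitution estimate, in currency units
@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int    # 1..5
    impact: int        # 1..5
    control_cost: int  # estimated cost of the controls that would reduce it
def risk_score(risk): return risk.likelihood * risk.impact
def choose_treatment(risk):
    # Assumed decision rules for the four treatment options
    if risk_score(risk) <= ACCEPTANCE_LEVEL:
        return "accept"    # within the acceptance level, no further action
    if risk.asset.criticality <= 2:
        return "avoid"     # activity not critical enough to justify the risk
    if risk.control_cost > risk.asset.replacement_value:
        return "transfer"  # insuring or outsourcing is cheaper than controls
    return "reduce"        # apply controls to bring the score down

def plan_row(r):
    treatment = choose_treatment(r)
    return {"asset": r.asset.name, "threat": r.threat, "score": risk_score(r),
            "treatment": treatment, "responsible": r.asset.owner,
            "budget": r.control_cost if treatment == "reduce" else 0}  # only "reduce" spends it

def build_treatment_plan(risks):
    # Who does what with what budget, highest-scoring risks first (sort is stable)
    return sorted(map(plan_row, risks), key=lambda row: row["score"], reverse=True)

# Constructed sample register, not real data
DB = Asset("Customer database", "DBA team", "Primary datacenter", 5, 250000)
WEB = Asset("Marketing website", "Web team", "Cloud hosting", 2, 15000)
LAPTOPS = Asset("Staff laptops", "IT support", "Offices and remote", 3, 60000)
SAMPLE_RISKS = [
    Risk(DB, "Ransomware encrypts production data", 4, 5, 40000),
    Risk(WEB, "Card numbers collected through contact form", 4, 5, 20000),
    Risk(LAPTOPS, "Theft of an unencrypted laptop", 3, 4, 90000),
    Risk(WEB, "Defacement through outdated CMS plugin", 2, 2, 5000),
]
```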

Step 7 – Set Up Policies and Procedures to Control Risks

The organization, regardless of its size, will need a detailed procedure or statement of policy for each control adopted, along with a user responsibility document. This allows the organization to identify user roles and responsibilities for the consistent and effective implementation of those policies and practices. Accurate documentation of policies and procedures is required by ISO 27001. However, the list of policies and procedures and their applicability depends on the organization's location, assets, and overall structure.

Step 8 – Allocate Required Resources and Implement Training plus Awareness Programs

If you want your employees to adopt and implement all the new procedures and policies, you first need to brief them on what they are and why they are important, and then train your personnel so they have the skills and capacity to execute those policies and procedures. The absence of such activities is yet another important reason behind ISO 27001 project failures.

Step 9 – Carefully Monitor the ISMS

As an organization, you should be aware of what is happening in your ISMS. What incidents have occurred so far, and of what type? Are all the procedures and policies being carried out as described?

This is the point where the objectives of monitoring, control, and measurement methodologies all come together. This is where you evaluate and monitor whether the goals achieved meet the objectives you set. If you are not achieving goals as per your set standards, it is an indicator that something is wrong and you should take corrective action.

Step 10 – Prepare for an Internal Audit

Most of the time, in any organization, employees knowingly or unknowingly perform certain acts that are wrong and affect the organization's performance and reputation. In order to pinpoint such existing and potential problems, it is important to perform an internal audit. The point of an internal audit is to take the required preventive or corrective actions rather than to initiate disciplinary action against employees.

Step 11 – Periodic Management Review

Management is not required to build the information security firewall themselves; rather, they should know what is going on within the ISMS and how efficiently and effectively the policies and procedures are being handled. The management review covers whether the ISMS policies are being followed and whether the desired results have been achieved. On the basis of such factors, management takes crucial decisions.

ISO 27001 can be achieved through proper alignment with the set business objectives and effectiveness in achieving those goals. Information Technology and the other departments of an organization play a significant role in employing ISO 27001 (ISMS).

About Sunita Verma

Sunita Verma, Founder and President of Sync Resource, started the company in 2009 with a vision to provide management consulting to small and medium size businesses around the country. Sunita holds a Master's Degree in Mechanical Engineering from Cleveland State University, Cleveland, Ohio, and a Bachelor's in Mechanical Engineering (India), awarded with a prestigious gold medal by the then President of India and renowned scientist Dr Abdul Kalam Azad. As an active philanthropist she believes in paying it forward and is a contributing member of charitable organizations like St. Jude's Foundation and North Fulton Charities.
