Information Security Management
ISO 27001 Implementation Phase
How to implement your ISO 27001 Information Security Management System (ISMS).
This guide is the third phase of delivering an ISO 27001 project in your organisation.
Read on below to learn what it means and how to implement it.

Implementation Phase Overview
Here, we continue our exploration of implementing ISO 27001 through my series of guides, based on my information security toolkit. This phase focuses specifically on the ‘Implementation Phase’ of ISO 27001.
The Implementation Phase is a critical stage in the ISO 27001 certification journey. It involves implementing the policies, procedures, and controls defined during the planning phase.
The success of the phase hinges on the thoroughness of the planning and the commitment of the organisation’s staff. Demonstrating the organisation’s commitment to security and compliance standards is essential, as it builds trust with stakeholders and supports long-term success. Implementation transforms theoretical frameworks into operational realities, ensuring that information security measures are effective and integrated into daily operations.
This phase encompasses several key activities, including the deployment of security controls, staff training, and the monitoring and measurement of the effectiveness of these controls. Each activity must be documented and executed to ensure compliance with ISO 27001 standards.
In this phase, the focus shifts from planning to action. It is where the organisation begins to see tangible changes in its security posture.
Implementing ISO 27001 can also provide a competitive advantage by differentiating your organisation in the market, attracting privacy-conscious customers, and fostering loyalty.
Successful implementation requires continuous communication, proper resource allocation, and a culture of security awareness across the organisation.

Across the world, organisations achieve compliance with ISO 27001 by following proven methodologies, highlighting the global success and applicability of the standard.
The Implementation Phase of ISO 27001
Each step is crucial in ensuring a comprehensive and systematic implementation of an Information Security Management System (ISMS). A systematic approach provides a structured method for managing and securing information assets, ensuring that security measures and risk management processes are organised and effective throughout ISO 27001 implementation. Let’s take a look at each one in turn.
Everything I discuss here is based on the utilisation of my toolkit and the templates therein, so I encourage you to download my ISO 27001 toolkit and use that as the basis of your ISMS’ foundations.
Step 1: Create a Resource Plan
Things should start to become clearer regarding the resources we need to maintain our ISMS and implement the changes we want to see in the Risk Treatment Plans.
Earlier in the Initiation Phase, we discussed the high-level resources required to initiate the project; now, we need to focus on what we need to deliver change. Developing a comprehensive project plan is crucial for guiding implementation and ensuring that all necessary steps are clearly defined.

Creating a resource plan is important for outlining the necessary resources—such as personnel, security budget, tools, and time—needed to establish, implement, maintain, and improve the Information Security Management System (ISMS). Appointing a project leader to oversee the implementation of the project is crucial for effective coordination. It is also important to form a project team that includes representatives from various departments and department heads, ensuring all perspectives are considered and high-level decision-making is supported.
A resource plan is not a mandatory document in 27001, but section 7.1 requires you to provide evidence that you have considered sufficient resources for your ISMS. Creating one is good project management and ensures that the ISMS implementation process is well-supported and can proceed without resource-related interruptions. Allocating resources in a cost-effective and efficient manner helps maximise value and lets the organisation achieve compliance without overspending.
Activities
Identify Resource Needs
Using the ISMS Objectives, Risk Treatment Plans, and Statement of Applicability, we need to assess the organisation’s current resources and identify any additional resources required to meet the ISMS objectives.
It may be that you can deliver what you need without additional resources, and it’s okay to cut your cloth accordingly; however, you do need to outline the resources required for the ISMS.
And it’s not just people: as well as human resources (e.g., security specialists, IT staff), consider financial resources (budget for tools and training), technological resources (software, hardware), and informational resources (policies, procedures).
Develop the Resource Plan
Next, we need to create the resource plan itself and document what we need and where it will come from.
Draft a comprehensive resource plan that details the allocation of identified resources, their roles, responsibilities, and the timeline for their deployment.
Include considerations for any potential constraints and how they will be managed.
Approval and Communication
Present the resource plan to top management / ISG for approval to ensure there is a commitment to providing the necessary resources.
Communicate the approved resource plan to all relevant stakeholders to ensure everyone is aware of their roles and responsibilities.
Step 2: Document Policies & Procedures
Sorry, but you can’t get away with just one Information Security policy in 27001, well, not unless you combine all sub-policies into it, which I wouldn’t recommend. Who’d want to read that?
Documenting policies and procedures involves creating detailed documentation for the management and operation of the ISMS.
This ensures consistency, compliance, and clarity across all information security practices within the organisation. When developing these policies and procedures, it is essential to address legal requirements and various regulations to ensure your ISMS meets all necessary obligations. Implementing ISO 27001 also supports IT governance by helping align security practices with organisational governance frameworks and regulatory requirements.

When creating policies, consider the needs and expectations of interested parties when defining the scope of the ISMS. This helps ensure that your information security management system is comprehensive and aligned with the requirements of stakeholders.
| Policy | Clause |
|---|---|
| Information Security Policy | 5.2 Policy |
| “Topic-Specific” Policies | Annex A 5.1 |
| | Annex A 5.18, 8.5, 8.11 |
| Backup Policy | Annex A 8.13 |
| | Annex A 5.10 |

| Procedure | Clause |
|---|---|
| “Topic-Specific” Procedures | Annex A 5.4 |
| Information Labelling Procedure (or policy) | Annex A 5.13 |
| Information Transfer Procedure (or policy) | Annex A 5.14 |
| Supplier Management Procedure (or policy) | Annex A 5.19, 5.21 |
| Incident Response Procedure | Annex A 5.26 |
| Collection of Evidence Procedure | Annex A 5.28 |
| Protection of Intellectual Property Rights | Annex A 5.32 |
| Operating Procedures | Annex A 5.37 |
| Secure Authentication | Annex A 8.5 |
| Installation of Software on Operational Systems | Annex A 8.19 |
| Change Management Procedure | Annex A 8.32 |
Note: Ensure that policies for protecting confidential data are included in your ISMS documentation.
Some documents can be combined; some may serve as both policy and procedure (this is quite possible); and some may be a policy while others are procedures. There is room for interpretation here, but how you apply it is for you to defend in your audit.
For example, if you combine the Incident Response Procedure with the Collection of Evidence Procedure (if it feels like a natural fit), then you can tick off both at the same time.
Equally, you may have a Supplier Management Procedure (with step-by-step instructions), or you may choose to have a Supplier Management Policy (with guidance and instructions), or both.
ISO 27001 is flexible enough for you to determine what is best for your organisation, but you may need to justify your approach during an audit. ISO management system standards and established best practices provide useful frameworks and guidelines that improve credibility, effectiveness, and compliance outcomes in ISO 27001 implementation, helping you document your ISMS effectively.
I’ve provided several policies in my toolkit. You can take them all, use your own, or adapt some to suit your needs.
Activities
Develop and Document Policies
Create comprehensive policies that outline the organisation’s approach to information security, including general security policies, access control policies, and incident management policies.
Ensure policies align with the organisation’s goals and regulatory requirements.
Develop and Document Procedures
Create detailed procedures that support the implementation of policies. These should include step-by-step instructions for various security processes such as data handling, incident response, and system access controls.
Please note that some policies and procedures are mandatory; refer to the information above.
Approval and Dissemination
Submit the documented policies and procedures to top management for review and approval.
Distribute the approved policies and procedures to all relevant employees and stakeholders to ensure they are aware of and understand them. I’ve created a communications plan to help you with this in a later section, so you can hold off on the communication aspect for now. Equally, nothing is stopping you from communicating information to those who need to know as it comes off the production line.
Step 3: Implement Controls
Implementing controls involves putting in place the necessary measures from your risk treatment plans in the previous stage to manage and mitigate identified information security risks. This step is part of a broader risk management process, which provides a systematic approach to identifying, assessing, and addressing information security risks within the ISO 27001 framework.

This ensures that the organisation’s information assets are adequately protected and that the ISMS operates effectively. Asset management is also essential at this stage to safeguard both physical and digital assets and ensure compliance with ISO 27001 standards. Information technology departments play a key role in deploying and managing technical controls to support the ISMS and maintain effective information security.
For example, you may have identified a need to implement a more secure password policy as a result of reviewing the Statement of Applicability and your risks, so here is where you would take that action. When documenting controls, it is important to record project risk and maintain a project risk register to track, assign owners, and mitigate risks throughout the implementation process. Additionally, establishing an audit programme will help ensure regular, objective, and competent assessment of control effectiveness.
Activities
Identify Necessary Controls
Determine the specific controls necessary to address the identified risks and comply with established policies and procedures. There are several sources, but ideally, they should be derived from your risk treatment plan(s).
Implement the Controls
Develop and deploy the identified controls. This could include technical controls (e.g., firewalls, encryption), administrative controls (e.g., security policies, training), and physical controls (e.g., secure access points).
Document Control Implementation
Maintain detailed records of the implemented controls, including descriptions, locations, responsible personnel, and effectiveness. Depending on your system, you could do this in the risk register, change control or elsewhere.
Monitor and Review Controls
Regularly monitor the effectiveness of the implemented controls to ensure they are working as intended. This involves ongoing assessments, audits, and reviews.
Make necessary adjustments based on monitoring results to improve control effectiveness. Update your risk register and treatment plans on a regular basis to ensure they remain accurate and current.
Update Risk Assessment and Treatment
Based on the monitoring results, update the risk assessment and treatment plans to reflect any changes in the risk environment or control effectiveness.
Step 4: Conduct an Awareness Campaign
So, you’ve made changes, and now you need to make sure people understand what you’ve done and why you’ve done it.

Conducting an awareness campaign ensures that all employees understand the importance of information security and their roles within the ISMS. These campaigns should include cyber security awareness to address human error, which is a major vulnerability in information security, and emphasize the importance of staff training. Effective awareness campaigns and adherence to ISO 27001 standards help mitigate the risk of data breaches, which are critical incidents that can damage brand reputation and have financial or legal consequences.
This step involves selecting and implementing the measures to mitigate, transfer, avoid, or accept the identified risks based on their evaluation. We capture this information in the Risk Treatment Plan(s) or RTP.
The goal is to reduce information security risks to an acceptable level, aligning with the organisation’s risk appetite and compliance requirements. Regular audits are essential to ensure ongoing compliance and to evaluate the effectiveness of the ISMS.
Activities
Develop Awareness Materials
Develop materials to educate employees about the Information Security Management System (ISMS), security policies, procedures, and their associated responsibilities. This can include posters, newsletters, emails, and presentations.
I’ve created 21 generic communications for you, which you are free to use if they suit your purposes, but you may wish to create your own.
Plan the Awareness Campaign
Create a plan to outline the objectives, target audience, and schedule for the awareness activities.
My advice is to plan it out in quarterly or half-year intervals. There should always be an active communication plan as part of your ISMS, but the standard doesn’t specify how far in advance it should be planned.
Also, try not to overwhelm people. The greatest level of compliance comes from the simplest messages.
Conduct Training Sessions
You may wish to supplement your written communications with workshops, seminars, and online courses to educate employees on information security principles, the ISMS, and their specific roles in maintaining security.
Disseminate Awareness Materials
Distribute the created materials through various channels such as email, Intranet, and physical postings within the office.
I would recommend distributing information through multiple channels, such as email, and then maintaining posts on the Intranet. The posts may then become part of the induction materials for new starters.
Monitor and Evaluate Campaign Effectiveness
Gather feedback from employees to assess the effectiveness of the awareness campaign using surveys, quizzes, and feedback forms to measure understanding and engagement.
Update Training and Awareness Materials
Based on feedback and ongoing evaluations, update the training and awareness materials to address any gaps or areas for improvement.
Step 5: Provide Training
Providing training ensures that all personnel have the necessary knowledge and skills to perform their roles effectively within the ISMS. Training also plays a key role in supporting data security by ensuring employees understand how to protect customer information and comply with data protection regulations, which is essential for building trust and meeting ISO 27001 standards. Leveraging a comprehensive software solution can help manage and track training activities, ensuring compliance with ISO 27001 requirements.
This step is crucial for building competence and maintaining a high level of information security awareness throughout the organisation.

You may wonder why we have a training and communication plan. The truth is that there is an amount of overlap, but consider the communication plan to be concise and clear, with potentially all staff being informed about what they need to know regarding the ISMS, including policies, procedures, and other relevant information.
Training is slightly more involved and potentially tailored to individuals depending upon their roles in the organisation. So, for example, if you are a developer, you might need to undertake a course on static code analysis, or something similar.
Activities
Identify Training Needs
Assess the training needs of employees based on their roles and responsibilities within the ISMS. Consider areas such as information security policies, risk management, incident response, and specific technical skills.
Develop a Training Plan
Create a detailed training plan that outlines the training objectives, content, delivery methods, schedule, and target audience.
Conduct Training Sessions
Organise and deliver training sessions using various formats such as workshops, online courses, seminars, and on-the-job training.
Ensure that the training covers all necessary aspects of the ISMS and is tailored to the needs of different employee groups.
Evaluate Training Effectiveness & Adjust
Over time, collect evidence of the effectiveness of your training by using assessments, quizzes, and feedback forms to evaluate the training sessions. This helps to ensure that the training objectives are met and that employees have understood the content.
Maintain Training Documentation
Keep detailed records of all training activities, including attendance, content, and evaluation results. This documentation is essential for demonstrating compliance and continuous improvement.
These records should include any relevant training someone has brought to the organisation with them.
Think of it from an auditing point of view; an auditor may ask, “What does Bob need to know for his role in the IT Helpdesk?”, “How can you provide evidence that Bob has had sufficient training?”.
Output: Training Records (Mandatory)
Internal Audit and Certification Audit
Regular internal audits and certification audits are vital for maintaining an effective information security management system. Internal audits provide an opportunity for organisations to review and assess their ISMS, ensuring that security controls are functioning as intended and that the management system remains compliant with ISO 27001 requirements.
Certification audits, conducted by an independent certification body, are the next step in the ISO 27001 journey. These audits verify that the organisation’s ISMS meets the rigorous standards set by ISO 27001 and that it is being effectively implemented and maintained. Achieving certification demonstrates to customers, partners, and regulators that the organisation is committed to best practices in information security management.
By conducting regular internal audits and preparing for certification audits, organisations can identify areas for improvement, address potential weaknesses, and continually strengthen their information security posture.
Supplier Relationships and Third-Party Management
In today’s interconnected business environment, managing supplier relationships and third-party risks is a critical component of any information security management system. Many organisations rely on external suppliers for essential services, which often involves sharing sensitive data or granting access to information systems.
To effectively manage these risks, organisations must implement robust controls and contractual requirements that address data protection regulations and information security risks. This includes conducting due diligence on suppliers, defining clear data protection and security obligations in contracts, and regularly monitoring supplier performance to ensure compliance.
By proactively managing supplier relationships and third-party risks, organisations can protect sensitive data, maintain compliance with data protection regulations, and ensure that their information security management system remains comprehensive and resilient.
Maintenance and Continual Improvement
An effective information security management system is not a one-time project—it requires ongoing maintenance and continual improvement. Regularly reviewing and updating the ISMS ensures that it remains aligned with the organisation’s business objectives and responsive to new security risks. These continual reviews and updates directly enhance the organisation’s resilience, strengthening its ability to withstand and recover from information security threats.
Continual improvement involves systematically identifying areas for enhancement, implementing new security controls, and reassessing existing processes to ensure they remain effective and efficient. Following a structured approach, such as the nine-step approach outlined in ISO 27001, helps organisations to improve their ISMS and achieve their ISMS objectives continually.
By fostering a culture of continual improvement, organisations can stay ahead of emerging threats, demonstrate their commitment to managing information security, and maintain the trust and confidence of their stakeholders. This ongoing process is essential for ensuring that the management system remains robust, effective, and aligned with best practices in information security management.
Alignment with ISO 27001:2022 Clauses 7 & 8
The implementation phase is the most significant effort in implementing ISO/IEC 27001:2022, the latest version of the international standard for Information Security Management Systems (ISMS). This phase directly addresses Clauses 7 and 8, “Support” and “Operation” respectively, and ensures alignment with the requirements of ISO/IEC 27001.
Here’s a summary of how the implementation project—a structured initiative to establish the ISMS—aligns with and supports these clauses:
- Management support: Securing management support is essential for successful implementation, as top-level commitment ensures adequate resources, clear direction, and organisational buy-in throughout the project.
- Operational planning and control: Effective operational planning and control not only fulfil the requirements of ISO/IEC 27001:2022 but also contribute to the organisation’s resilience by strengthening its ability to withstand and respond to information security threats.
- Internal audits and certification: Conducting internal audits is a key step in the certification process. Organisations seeking certification must follow a step-by-step approach, including independent assessment, to achieve certification. Successfully achieving certification demonstrates compliance, builds stakeholder confidence, and validates the organisation’s commitment to information security.
- Continual improvement: The ISMS should be continually improving, with regular reviews and updates to processes and controls to maintain effectiveness and adapt to emerging risks, as required by ISO/IEC 27001.
Clause 7: Support
7.1 Resources
- Created a Resource Plan – We identified and allocated the necessary resources (human, financial, technological) to establish, implement, maintain, and continually improve the ISMS. This ensures that the organisation has the necessary support to achieve its information security objectives.
7.2 Competence
- Provided Training – We ensured that employees have the necessary competence to perform their roles effectively by developing training programs based on identified needs, and maintaining training records to document competence.
7.3 Awareness
- Conducted Awareness Campaign – We’ve educated employees about the ISMS, their roles, and the importance of information security. Awareness materials and campaigns ensure that all personnel are informed and engaged.
7.4 Communication
- Developed a Communications Plan (as part of the Awareness Campaign) – This establishes clear communication strategies to ensure that relevant information regarding the ISMS is shared with all stakeholders. It includes internal and external communication as necessary.
7.5 Documented Information
- Documented Policies & Procedures – We developed comprehensive documentation for ISMS policies, procedures, and controls to ensure that all necessary information is documented, controlled, and available as needed. This includes creating, updating, and controlling documented information itself.
Clause 8: Operation
8.1 Operational Planning and Control
- Implemented Controls – We established necessary controls to manage and mitigate risks identified during the risk assessment process, ensuring that the processes required to meet ISMS requirements are implemented, controlled, and maintained.
- Monitored and Reviewed Controls – We have clarified the need for continuous monitoring and regular review of controls to ensure they are effective and aligned with the ISMS objectives. This involves assessing the performance and making adjustments as necessary. It’ll be important in the next stage.
8.2 Information Security Risk Assessment
- Updated Risk Assessments – We will update the risk assessment based on the implementation and monitoring of controls, ensuring the organisation continually identifies and evaluates information security risks.
8.3 Information Security Risk Treatment
- Updated Risk Treatment(s) – Developed and implemented the risk treatment plans to address identified risks. Appropriate controls are selected and applied to mitigate risks, and these are documented and updated as necessary.
