ISO 27001 Project Initiation: How to start your project.
Read on to learn how to start an ISO 27001 project.
Here, I will describe my approach to implementing ISO 27001:2022 and where to start. The guide is part of my overall approach, which takes you step-by-step through an ISO 27001 implementation.
Read on below to learn what it means and how to implement it.
The ISO 27001 Initiation Phase Key Steps
Initiation Phase Overview
The Initiation phase of ISO 27001 implementation lays a solid foundation for an Information Security Management System (ISMS).
The phase ensures that all necessary preparatory steps are taken to set up the ISMS effectively. It involves demonstrating an understanding of the organisational context, defining the scope, and ensuring leadership commitment.
In short, we are establishing the scope and outlining the ISMS framework.

Each step helps ensure a comprehensive and systematic implementation of the ISMS.
Everything I discuss here is based on the utilisation of my toolkit and the templates therein, so I encourage you to download my ISO 27001 toolkit and use that as the basis of your ISMS’ foundations.
Let’s take a look at each one in turn.
Step 1: Establish a Project Plan
Failing to plan is planning to fail. Every complex delivery needs a project plan, and a move to ISO 27001 is no different.
The project plan outlines the approach, key resources, timelines, and milestones required to implement the ISMS.

I’ve said I won’t go into too much detail on project management techniques, but every project plan follows a similar approach.
I’ve posted many templates here on my website and advice on running projects if you need it.
See the project management section
Activities
Create a Detailed Project Charter
This document should include the scope, objectives, deliverables, timelines, resources, and stakeholders involved in the ISMS project.
Define Key Milestones
Break down the implementation into manageable phases with specific milestones to track progress.
Guess what: that’s exactly what this document helps with. You’re welcome.
Allocate Resources
Identify and allocate the necessary resources, including personnel, budget, and tools, required for implementation.
At this stage, it can only be roughly what you think you’ll need, but later, you’ll build out the actual resources based on a more detailed evaluation of requirements.
Capture Project Risks
Develop a plan to identify potential challenges and their mitigation strategies. All project plans should manage risk, and this one is no different. Typical risks include:
- Insufficient Resources – Use the plan as a basis, but clarify that requirements will unfold as the project is implemented. Ensure you have estimates for consultancy, auditing, and other related services.
- Management commitment – If your senior executives are indifferent to the ISO 27001 process, you will likely not receive the essential support and traction when you need it most.
- Lack of expertise – This guide is here to help, but you could overengineer things if you get caught up in the details or make an incorrect assumption.
- Resistance to change – If you don’t bring stakeholders along and attempt to apply ISO 27001 and its controls to them without active engagement and listening, then brace yourself for pushback.
Define a Communication Plan
Establish a communication plan to ensure all stakeholders are informed and engaged throughout the implementation process.
A more detailed communication and awareness programme will come later. For now, this part of the project plan explains how you will keep stakeholders informed of the progress of your move to ISO 27001 (highlight reports, meetings, and so on), rather than how the ISMS itself will be applied.
Step 2: Assemble a Steering Group
Once you have an approved project plan (and please make sure your senior stakeholders approve it!), I recommend forming an Information Security Group (ISG) with defined terms of reference to oversee the implementation process, ensuring that all necessary expertise and leadership are represented.

If you are able, the ISG can address two key needs in a single place:
- Act as your project team/board
- Act as your ISMS governance
Activities
Define the Terms of Reference
These outline the Steering Group’s purpose and responsibilities.
In the short term, it will act like a project team, but in the long term, it’ll become the management review body for your ISMS.
Select Attendees
Choose members from across IT, HR, legal, and senior management to ensure diverse perspectives and expertise.
Leave people out at your peril, but don’t invite the world and his mother; it never makes for good governance.
Define Roles and Responsibilities
Clearly outline each member’s roles and responsibilities to ensure accountability and effective decision-making.
Set Up Regular Meetings
Schedule regular meetings to review progress, discuss challenges, and adjust the implementation plan as needed.
Document Meetings
Maintain detailed records of steering group meetings, decisions, and action items to ensure transparency and accountability.
You’ll need these as evidence of management commitment later in the audit, so make sure you capture them.
Create the Information Security Statement
The ISMS must evidence senior support and commitment.
I recommend having an overarching statement that sets out the ISMS’s stall and makes it clear to everyone what the expectations are, thus helping to address Clause 5.1 (Leadership and Commitment).
It’s not mandatory but recommended.
Step 3: Define the ISMS
Scope definition time.
We need to identify and document an asset inventory and understand statutory, regulatory, and contractual requirements to establish the boundaries and applicability of the ISMS, all of which will influence its scope.

Activities
Conduct an Asset Inventory
Identify all information assets, including hardware, software, data, and personnel, and document their importance to the organisation.
Depending on your organisation, this may be relatively easy or very hard. I recommend starting by capturing things at a high level and then gradually increasing the level of detail.
You will ultimately need a detailed list of every information asset (who owns it, where it is, etc). However, at this point, it may be easier to capture the various types of assets that fall within the scope of your ISMS.
For example, start by acknowledging laptops, desktops, databases, and systems as asset groups. Then, catalogue them in more detail or point to where an asset register is maintained, such as an automated hardware inventory system.
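As an added example (not part of the original guide or its toolkit), the script below checks a draft asset register for the detail you will eventually need (owner and location), rolls the entries up by asset group so the high-level view is still visible, and lists assets that are not backed by an automated inventory and so must be catalogued by hand. The CSV layout (group, asset, owner, location, source) and the sample rows are constructed for illustration; substitute your own export.

```python
"""Check a draft ISMS asset register for completeness and roll it up by asset group.

Added example, not the guide's own code. The column layout and sample rows below
are constructed assumptions; adapt them to your own register.
"""
import csv
import io
from collections import Counter

# Constructed sample register: high-level asset groups first, with a 'source' column
# pointing at the automated inventory that holds the detail where one exists.
SAMPLE_REGISTER = """group,asset,owner,location,source
Laptops,LAP-0001,IT Manager,London office,MDM export
Laptops,LAP-0002,,London office,MDM export
Databases,customer-db,Head of Engineering,Cloud region eu-west,
Systems,CRM,,,
People,Finance team,Finance Director,Leeds office,HR system
"""

# Fields the register must eventually carry for every asset.
REQUIRED_FIELDS = ("owner", "location")


def load_register(text):
    """Parse CSV text into a list of dict rows, trimming whitespace and None values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def find_gaps(rows):
    """Return (asset, missing_fields) pairs for rows lacking any required field."""
    gaps = []
    for row in rows:
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            gaps.append((row["asset"], missing))
    return gaps


def rollup_by_group(rows):
    """Count assets per group, giving the high-level view the guide recommends."""
    return dict(Counter(row["group"] for row in rows))


def assets_without_source(rows):
    """Assets with no automated inventory behind them need manual cataloguing."""
    return [row["asset"] for row in rows if not row.get("source")]


def summarise(text=SAMPLE_REGISTER):
    """Run all checks over a register and return the findings as one dict."""
    rows = load_register(text)
    return {
        "total": len(rows),
        "by_group": rollup_by_group(rows),
        "gaps": find_gaps(rows),
        "manual": assets_without_source(rows),
    }


if __name__ == "__main__":
    result = summarise()
    print(f"{result['total']} assets across {len(result['by_group'])} groups")
    for group, count in result["by_group"].items():
        print(f"  {group}: {count}")
    for asset, missing in result["gaps"]:
        print(f"  incomplete: {asset} (missing {', '.join(missing)})")
    for asset in result["manual"]:
        print(f"  no automated source: {asset}")
```

Running it on the sample flags LAP-0002 (no owner) and CRM (no owner or location), and reports customer-db and CRM as needing manual cataloguing because nothing automated feeds them. The same checks apply unchanged to a real register exported from a spreadsheet or inventory tool, provided the column names match.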
Understand Legal and Regulatory Requirements
Identify applicable statutory, regulatory, and contractual requirements that affect information security.
I’ve documented some examples to get you started, based on EU/UK law, but the applicable requirements will be unique to your organisation, customers, and locale. For example:
- GDPR (EU / UK)
- Australian Privacy Act (1988)
- HIPAA (health data legislation, USA)
- PCI DSS (payment card protection)
Define & Document the ISMS Scope
Define the boundaries of the ISMS, considering the organisation’s context, internal and external issues, and the expectations of interested parties.
I’ve created a document to walk you through this, but my advice is simple:
KEEP THE SCOPE AS TIGHT AS POSSIBLE TO START.
You can always build it out later. Look at what is most important to protect and start there, such as customer-facing services and data.
Ensure that the ISMS scope is documented, agreed and communicated to all relevant stakeholders.
Step 4: Develop an Information Security Policy

Next up is a hugely important piece of the puzzle, and one every auditor will ask for within the first five minutes of an audit, right after finding the coffee machine and the toilets: an Information Security Policy.
We need to draft an initial information security policy that aligns with the organisation’s objectives and regulatory requirements, setting the groundwork for security practices.
Activities
Policy Drafting
Develop a comprehensive information security policy that includes the organisation’s commitment to information security, its objectives, and the principles guiding its implementation.
This will likely become a document that needs to be revisited as you build up sub-policies that cover specific aspects in more detail, but only for particular groups or areas.
I strongly advise making the policy as clear and easy to understand as possible. Our main objective is to achieve compliance, not to create a stick to beat people with. Avoid overwhelming readers with legal terminology and confusing phrases, such as ‘notwithstanding’.
An information security policy is not a legal document, so don’t word it like one. Sure, it can have legal implications if someone fails to adhere to it, but that makes it even more critical to make it readable and in plain English.
Additionally, the policy should be worded in a positive rather than a negative tone. Say what you want people to do, not what you don’t want them to do. For example:
“Always lock your computer when stepping away from your desk to ensure data security.”
Rather than
“Do not leave your computer unlocked when you are away from your desk.”
Approval and Communication
Obtain senior management approval and communicate the policy to all employees.
Regular Review
Establish a process for regular review and updates to the policy to ensure it remains relevant and effective.
Step 5: Define ISMS Roles and Responsibilities (R&Rs)

Next, we need to clearly define and document roles and responsibilities related to information security to ensure accountability and effective implementation.
To some extent, we have already addressed some of this in the ISG (Information Security Group) terms of reference, but we need to expand it across the ISMS.
Activities
Identify & Document Key Roles & Responsibilities
Determine the necessary roles for ISMS implementation, including information security officer, risk manager, compliance officer, and other relevant positions.
In smaller organisations, there may be fewer roles, and a person can potentially wear multiple hats, recognising that a role is not necessarily the same as a job.
Clearly outline the responsibilities of each role, ensuring they cover all aspects of the ISMS implementation and ongoing management.
Assign these roles to individuals based on their expertise and organisational responsibilities.
Communicate R&Rs
You can’t tuck the roles and responsibilities away in a corner; it’s essential to communicate them so people know what is expected and can identify any gaps in coverage and skills.
Training and Support
Provide the necessary training and support to enable individuals to fulfil their roles effectively.
You’ll need to determine the best time to do this. Some people may need training early (for example, if they need to know more about ISO 27001 and its structure), while others may need it later as part of the awareness and communication campaign.
At this stage, focus on what people need to know to get your ISMS off the ground.
Step 6: Set ISMS Objectives

Establish specific, measurable, attainable, relevant, and time-bound (SMART) objectives for the ISMS to guide subsequent implementation phases and provide clear goals for security improvements.
Clause 6.2 requires the ISMS to have documented objectives. I think defining the objectives as part of the initiation phase fits naturally here, so you broadly know where you are heading.
Activities
Identify Objectives
Based on the organisational goals, identify specific objectives for the ISMS. These might include improving data protection measures, achieving regulatory compliance, or enhancing incident response capabilities.
Assuming it’s your initial venture, setting objectives early can define your project more successfully. They could be relatively basic, such as setting up an ISO 27001-compliant Information Security Management System (ISMS) by the end of the quarter, etc.
However, to get you thinking, here are some suggestions:
Objective 1: Enhance Information Security Awareness
- Conduct information security training sessions for 100% of employees by the end of Q4.
- Achieve a 90% or higher score on post-training assessments for all employees.
- Distribute monthly security newsletters and achieve a 75% open rate.
Objective 2: Improve Risk Management Process
- Identify and document 100% of critical information assets by the end of Q2.
- Complete a risk assessment for all identified critical assets by the end of Q3.
- Implement risk treatment plans for the top 5 identified risks by the end of Q4.
Objective 3: Strengthen Access Control Measures
- Implement multi-factor authentication (MFA) for all employees by the end of Q3.
- Ensure 100% compliance with the new access control policy by the end of Q4.
- Conduct quarterly access reviews to ensure proper access rights and achieve a 95% accuracy rate.
Objective 4: Enhance Incident Response Capability
- Develop and approve an incident response plan by the end of Q1.
- Conduct two incident response drills by the end of Q3, achieving a 100% participation rate.
- Reduce the average incident response time by 20% by the end of Q4.
Objective 5: Achieve Compliance with ISO 27001:2022 Requirements
- Complete a gap analysis against ISO 27001:2022 by the end of Q2.
- Implement corrective actions for identified gaps, achieving 100% closure by the end of Q3.
- Successfully pass the ISO 27001:2022 certification audit by the end of Q4.
Communicate Objectives
Once ready, communicate the objectives to all relevant stakeholders to ensure everyone is aware of the goals and their respective roles in achieving them.
Monitor and Review
Establish processes to monitor progress towards these objectives and review them regularly to ensure they align with organisational goals and ISMS requirements.
Alignment with ISO 27001:2022 Clauses 4 & 5
Let’s examine briefly how these steps align with clauses 4 (Context of the Organisation) and 5 (Leadership).
Clause 4: Context of the Organisation
Clause 4 determines what should shape your ISMS: its scope, policies, procedures, controls, and so on.
Here’s how we go about ticking it off:
- Understanding the Organisation and Its Context (4.1): We’ve documented the context within our scope.
- Understanding the Needs and Expectations of Interested Parties (4.2): We have identified our interested parties within our scope.
- Determining the Scope of the ISMS (4.3): We have documented and shared our scope, clarifying the boundaries of our ISMS.
- Information Security Management System (4.4): We have initiated the establishment and implementation of the ISMS in accordance with ISO 27001.
Clause 5: Leadership
Clause 5 ensures we have top-down direction so everyone understands where we are heading and what part they must play.
We do that by addressing the following parts:
- Leadership and Commitment (5.1): Ensure top management demonstrates leadership and commitment to the ISMS through the Information Security Statement, the ISG Steering Group, and sponsorship of the resources and project plan for ISO 27001.
- Information Security Policy (5.2): We’ve developed and communicated the policy.
- Organisational Roles, Responsibilities, and Authorities (5.3): We have assigned, documented and communicated the ISMS roles and responsibilities.
Hopefully, you can see the clear correlation between this phase’s activities and the requirements outlined in the standard’s clauses.
Next up? Planning: exploring risk and our responses to it.
