
The ISO 27001 Implementation Phase Key Steps
Implementation Phase Overview
The Implementation Phase is a critical stage in the ISO 27001 certification journey. It involves implementing the policies, procedures, and controls defined during the planning phase.
The success of the phase hinges on the thoroughness of the planning and the commitment of the organisation’s staff. Implementation transforms theoretical frameworks into operational realities, ensuring that information security measures are effective and integrated into daily operations.
This phase encompasses several key activities, including the deployment of security controls, staff training, and the monitoring and measurement of the effectiveness of those controls. Each activity must be executed and documented so that you can demonstrate conformity with the standard.
In this phase, the focus shifts from planning to action. It is where the organisation begins to see tangible changes in its security posture.
Successful implementation requires continuous communication, proper resource allocation, and a culture of security awareness across the organisation.
Each step is crucial in ensuring a comprehensive and systematic implementation of an Information Security Management System (ISMS). Let’s take a look at each one in turn.
Everything I discuss here is based on the utilisation of my toolkit and the templates therein, so I encourage you to download my ISO 27001 toolkit and use that as the basis of your ISMS’ foundations.
Step 1: Create a Resource Plan
Things should start to become clearer in terms of the resources we need to maintain our ISMS, and implement the changes we want to see in the Risk Treatment Plans.
Earlier in the Initiation Phase, we discussed the high-level resources required to initiate the project; now, we need to focus on what we need to deliver change.
Creating a resource plan is important for outlining the necessary resources—such as personnel, budget, tools, and time—needed to establish, implement, maintain, and improve the Information Security Management System (ISMS).
A resource plan is not a mandatory document in 27001, but Clause 7.1 (Resources) requires the organisation to determine and provide the resources needed to establish, implement, maintain, and continually improve the ISMS, and an auditor will expect evidence that you have done so. Creating one is good project management and ensures that the ISMS implementation is well-supported and can proceed without resource-related interruptions.
Activities
Identify Resource Needs
Using the ISMS Objectives, Risk Treatment Plans, and Statement of Applicability, we need to assess the organisation’s current resources and identify any additional resources required to meet the ISMS objectives.
It may be that you can deliver what you need without additional resources, and it’s okay to cut your cloth accordingly; however, you do need to outline the resources required for the ISMS.
It’s not just people, either: consider human resources (e.g., security specialists, IT staff), financial resources (budget for tools and training), technological resources (software, hardware), and informational resources (policies, procedures).
Develop the Resource Plan
Next, we need to create the resource plan itself and document what we need and where it will come from.
Draft a comprehensive resource plan that details the allocation of identified resources, their roles, responsibilities, and the timeline for their deployment.
Include considerations for any potential constraints and how they will be managed.
Approval and Communication
Present the resource plan to top management / ISG for approval to ensure there is a commitment to providing the necessary resources.
Communicate the approved resource plan to all relevant stakeholders to ensure everyone is aware of their roles and responsibilities.
Step 2: Document Policies & Procedures
Sorry, but you can’t get away with a single Information Security Policy in 27001; well, not unless you fold every topic-specific policy into it, which I wouldn’t recommend. Who’d want to read that?
Documenting policies and procedures involves creating detailed documentation for the management and operation of the ISMS.
This ensures consistency, compliance, and clarity across all information security practices within the organisation.
| Policy | Clause |
|---|---|
| Information Security Policy | 5.2 Policy |
| “Topic-Specific” Policies | Annex A 5.1 |
| Access Control Policy | Annex A 5.15, 5.18, 8.3, 8.5 |
| Backup Policy | Annex A 8.13 |
| Acceptable Use Policy | Annex A 5.10 |
| Procedure | Clause |
|---|---|
| “Topic-Specific” Procedures | Annex A 5.4 |
| Information Labelling Procedure (or policy) | Annex A 5.13 |
| Information Transfer Procedure (or policy) | Annex A 5.14 |
| Supplier Management Procedure (or policy) | Annex A 5.19, 5.21 |
| Incident Response Procedure | Annex A 5.26 |
| Collection of Evidence Procedure | Annex A 5.28 |
| Protection of Intellectual Property Rights | Annex A 5.32 |
| Operating Procedures | Annex A 5.37 |
| Secure Authentication | Annex A 8.5 |
| Installation of Software on Operational Systems | Annex A 8.19 |
| Change Management Procedure | Annex A 8.32 |
Some documents can be combined, and a single document can serve as both policy (what the rule is) and procedure (how it is carried out). There is room for interpretation here, but how you apply it is for you to defend in your audit.
For example, if you combine the Incident Response Procedure with the Collection of Evidence Procedure (if it feels a natural fit), then you can tick off both at the same time.
Equally, you may have a Supplier Management Procedure (with step-by-step instructions), or you may choose to have a Supplier Management Policy (with guidance and instructions), or both.
ISO 27001 is flexible enough for you to determine what is best for your organisation, but you may need to justify your approach during an audit.
I’ve provided several policies in my toolkit. You can take them all, use your own, or adapt some to suit your needs.
Activities
Develop and Document Policies
Create comprehensive policies that outline the organisation’s approach to information security, including general security policies, access control policies, and incident management policies.
Ensure policies align with the organisation’s goals and regulatory requirements.
Develop and Document Procedures
Create detailed procedures that support the implementation of policies. These should include step-by-step instructions for various security processes such as data handling, incident response, and system access controls.
Please note that the Information Security Policy (Clause 5.2) is mandatory, and the Annex A documents listed above are expected wherever the corresponding control is marked as applicable in your Statement of Applicability; refer to the tables above.
Approval and Dissemination
Submit the documented policies and procedures to top management for review and approval.
Distribute the approved policies and procedures to all relevant employees and stakeholders to ensure they are aware of and understand them. I’ve created a comms plan to help you do this in a later section, so that you can hold off on the communication aspect for now. Equally, nothing is stopping you from communicating information to those who need to know as it comes off the production line.
Step 3: Implement Controls
Implementing controls involves putting in place the necessary measures from your risk treatment plans in the previous stage to manage and mitigate identified information security risks.
This ensures that the organisation’s information assets are adequately protected and that the ISMS operates effectively.
For example, you may have identified a need to implement a more secure password policy as a result of reviewing the Statement of Applicability and your risks, so here is where you would take that action.
Activities
Identify Necessary Controls
Determine the specific controls necessary to address the identified risks and comply with established policies and procedures. There are several sources, but ideally, they should be derived from your risk treatment plan(s).
Implement the Controls
Develop and deploy the identified controls. This could include technical controls (e.g., firewalls, encryption), administrative controls (e.g., security policies, training), and physical controls (e.g., secure access points).
Document Control Implementation
Maintain detailed records of the implemented controls, including descriptions, locations, responsible personnel, and effectiveness. Depending on your system, you could do this in the risk register, change control or elsewhere.
Monitor and Review Controls
Regularly monitor the effectiveness of the implemented controls through ongoing assessments, audits, and reviews to confirm that they are working as intended.
Make any necessary adjustments based on the monitoring results to improve control effectiveness, and update your risk register and treatment plans on a regular basis.
Update Risk Assessment and Treatment
Based on the monitoring results, update the risk assessment and treatment plans to reflect any changes in the risk environment or control effectiveness.
Step 4: Conduct an Awareness Campaign
So, you’ve made changes, and now you need to make sure people understand what you’ve done and why you’ve done it.
Conducting an awareness campaign ensures that all employees understand the importance of information security and their roles within the ISMS.
This step covers Clause 7.3 (Awareness): everyone working under the organisation’s control needs to be aware of the information security policy, how they contribute to the effectiveness of the ISMS, and the implications of not conforming to its requirements.
The goal is that the controls you have just implemented are actually followed in day-to-day work, rather than existing only on paper.
Activities
Develop Awareness Materials
Develop materials to educate employees about the Information Security Management System (ISMS), security policies, procedures, and their associated responsibilities. This can include posters, newsletters, emails, and presentations.
I’ve created 21 generic communications for you, which you are free to use if they suit your purposes, but you may wish to create your own.
Plan the Awareness Campaign
Create a plan to outline the objectives, target audience, and schedule for the awareness activities.
My advice is to plan it out in quarterly or half-year intervals. There should always be an active communication plan as part of your ISMS, but the standard doesn’t stipulate how far in advance it needs to be planned.
Also, try not to overwhelm people. The greatest level of compliance comes from the simplest messages.
Conduct Training Sessions
You may wish to supplement your written communications with workshops, seminars, and online courses to educate employees on information security principles, the ISMS, and their specific roles in maintaining security.
Disseminate Awareness Materials
Distribute the created materials through multiple channels, for example by email first and then as standing posts on the intranet, with physical postings around the office where they help. Those intranet posts can then become part of the induction materials for new starters.
Monitor and Evaluate Campaign Effectiveness
Gather feedback from employees to assess the effectiveness of the awareness campaign using surveys, quizzes, and feedback forms to measure understanding and engagement.
Update Training and Awareness Materials
Based on the feedback and evaluation over time, update the training and awareness materials to address any gaps or areas for improvement.
Step 5: Provide Training
Providing training ensures that all personnel have the necessary knowledge and skills to perform their roles effectively within the ISMS.
This step is crucial for building competence and maintaining a high level of information security awareness throughout the organisation.
You may wonder why we have both a communication plan and a training plan. The truth is that there is some overlap, but think of the communication plan as short and sharp: potentially all staff are told what they need to know about the ISMS, including policies, procedures, and so on.
Training is more involved and potentially tailored to individuals depending on their roles in the organisation. For example, a developer might need to undertake a course on static code analysis, or something similar.
Activities
Identify Training Needs
Assess the training needs of employees based on their roles and responsibilities within the ISMS. Consider areas such as information security policies, risk management, incident response, and specific technical skills.
Develop a Training Plan
Create a detailed training plan that outlines the training objectives, content, delivery methods, schedule, and target audience.
Conduct Training Sessions
Organise and deliver training sessions using various formats such as workshops, online courses, seminars, and on-the-job training.
Ensure that the training covers all necessary aspects of the ISMS and is tailored to the needs of different employee groups.
Evaluate Training Effectiveness & Adjust
Over time, collect evidence of the effectiveness of your training by using assessments, quizzes, and feedback forms to evaluate the training sessions. This helps to ensure that the training objectives are met and that employees have understood the content.
Maintain Training Documentation
Keep detailed records of all training activities, including attendance, content, and evaluation results. This documentation is essential for demonstrating compliance and continuous improvement.
These records should include any relevant training someone has brought to the organisation with them.
Think of it from an auditing point of view; an auditor may ask, “What does Bob need to know for his role in the IT Helpdesk?”, “How can you provide evidence that Bob has had sufficient training?”.
Output: Training Records (Mandatory)
Alignment with ISO 27001:2022 Clauses 7 & 8
The implementation phase is the most significant effort in implementing ISO 27001. It directly addresses Clauses 7 and 8 “Support” and “Operation” respectively.
Here’s a summary of how the implementation activities align with and support these clauses:
Clause 7: Support
7.1 Resources
- Created a Resource Plan – We identified and allocated the necessary resources (human, financial, technological) to establish, implement, maintain, and continually improve the ISMS. This ensures that the organisation has the necessary support to achieve its information security objectives.
7.2 Competence
- Provided Training – We ensured that employees have the necessary competence to perform their roles effectively: training programmes are developed based on identified needs, and training records are maintained as evidence of competence.
7.3 Awareness
- Conducted Awareness Campaign – We’ve educated employees about the ISMS, their roles, and the importance of information security. Awareness materials and campaigns ensure that all personnel are informed and engaged.
7.4 Communication
- Developed a Communications Plan (as part of the Awareness Campaign) – Establishes what will be communicated about the ISMS, when, to whom, and how, so that relevant information is shared with all stakeholders. This includes internal and external communication as necessary.
7.5 Documented Information
- Documented Policies & Procedures – We developed the documentation for ISMS policies, procedures, and controls so that all necessary information is documented, controlled, and available where and when it is needed. This includes controlling the documented information itself: creating it, reviewing and approving it, and managing its distribution and versions.
Clause 8: Operation
8.1 Operational Planning and Control
- Implemented Controls – We established necessary controls to manage and mitigate risks identified during the risk assessment process, ensuring that the processes required to meet ISMS requirements are implemented, controlled, and maintained.
- Monitored and Reviewed Controls – We have clarified the need for continuous monitoring and regular review of controls to ensure they are effective and aligned with the ISMS objectives. This involves assessing the performance and making adjustments as necessary. It’ll be important in the next stage.
8.2 Information Security Risk Assessment
- Updated Risk Assessments – We will update the risk assessment based on the implementation and monitoring of controls, ensuring the organisation continually identifies and evaluates information security risks.
8.3 Information Security Risk Treatment
- Updated Risk Treatment(s) – Developed and implemented the risk treatment plans to address identified risks. Appropriate controls are selected and applied to mitigate risks, and these are documented and updated as necessary.
Next Step: The Monitoring & Review Phase