
How to Implement ISO 27001: Step by Step

6 min read · 27kay

The implementation sequence matters

Implementing ISO 27001 typically takes 4-8 months for a small to medium organization. The standard follows a logical sequence - scope, risk assessment, controls, documentation, internal audit, management review, then certification. Skipping steps or doing them out of order creates rework. Here is what each phase actually involves and what you should expect to produce at each stage.

Define your ISMS scope

Clause 4.3 requires you to determine the boundaries and applicability of your ISMS. In practice, this means deciding which parts of your organization, which locations, and which services are covered.

For a 50-person SaaS company, scope might be: “The development, delivery, and support of the [product name] platform, including all supporting infrastructure, personnel, and processes at [office location] and remote working environments.”

Get this right early. A scope that is too broad creates unnecessary work. A scope that is too narrow will not satisfy client expectations. Most organizations scope to a specific product or service line rather than the entire company.

What you produce: A documented scope statement, plus context analysis (Clause 4.1) and interested parties register (Clause 4.2) that justify why the scope makes sense.

Run your risk assessment

Clause 6.1.2 is where the real work begins. You need a repeatable methodology for identifying information security risks, analyzing their likelihood and impact, and deciding how to treat them.

A practical approach:

  1. Identify your information assets - systems, data stores, processes, people, physical locations
  2. Identify threats and vulnerabilities for each asset - what could go wrong and why
  3. Rate likelihood and impact using a consistent scale (we typically use a 5x5 matrix)
  4. Determine risk level and compare against your risk acceptance criteria
  5. Choose treatment - mitigate with controls, accept, transfer (insurance), or avoid

The output is a risk register and a risk treatment plan. These documents drive every control decision that follows. Do not treat this as a checkbox exercise - a genuine risk assessment produces different results for every organization.

Common mistake: Copying a generic risk register from a template. Auditors spot this immediately, and it means your controls will not match your actual risks.

Select and implement controls

Based on your risk treatment plan, select controls from ISO 27001:2022 Annex A (93 controls across organizational, people, physical, and technological categories) and document your choices in a Statement of Applicability.

For each control, you need to justify why it is included or excluded. “Because the template said so” is not a valid justification. Every inclusion should trace back to a risk in your risk register.
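As an added example that is not from the original article, the following Python register works through the 5x5 scoring, acceptance criterion and treatment decision from the risk assessment steps above, and adds the Statement of Applicability traceability check this paragraph asks for. The acceptance threshold, level bands, sample risks and the Annex A control references are assumptions for illustration.

```python
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 6  # assumed criterion: score (likelihood x impact) of 6 or less may be accepted
@dataclass
class Risk:
    risk_id: str
    asset: str
    scenario: str      # threat and vulnerability in words: what could go wrong and why
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    treatment: str     # mitigate | accept | transfer | avoid
    controls: list[str] = field(default_factory=list)  # Annex A control ids applied
def risk_score(likelihood: int, impact: int) -> int:
    """Cell of the 5x5 matrix expressed as likelihood x impact (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact

def risk_level(score: int) -> str:
    """Band the score; these cut-offs are an assumption for this example."""
    return "high" if score >= 15 else "medium" if score >= 7 else "low"

def treatment_plan(register: list[Risk]) -> list[dict]:
    """Risks above the acceptance criterion, with any gap in their treatment decision."""
    plan = []
    for r in register:
        score = risk_score(r.likelihood, r.impact)
        if score <= ACCEPTANCE_THRESHOLD:
            continue  # within acceptance criteria: stays in the register, no treatment required
        issue = None
        if r.treatment == "accept":
            issue = "above acceptance criteria: acceptance needs documented management sign-off"
        elif r.treatment == "mitigate" and not r.controls:
            issue = "mitigate chosen but no control assigned"
        plan.append({"risk_id": r.risk_id, "score": score, "level": risk_level(score), "issue": issue})
    return plan

def soa_traceability(register: list[Risk], soa_included: set[str]) -> dict:
    """Check that each control included in the SoA traces back to a mitigated risk, and vice versa."""
    referenced = {c for r in register if r.treatment == "mitigate" for c in r.controls}
    return {"unjustified": sorted(soa_included - referenced),
            "missing_from_soa": sorted(referenced - soa_included)}
# Constructed sample register and SoA for a small SaaS company (illustrative values only)
SAMPLE_REGISTER = [
    Risk("R1", "Customer database", "Credential stuffing against admin portal", 4, 5, "mitigate", ["A.5.17", "A.8.5"]),
    Risk("R2", "Staff laptops", "Theft of an unencrypted device", 3, 4, "mitigate"),
    Risk("R3", "Office printer", "Paper jam delays invoicing", 2, 1, "accept"),
    Risk("R4", "Payment processor", "Provider outage", 2, 4, "transfer"),
]
SAMPLE_SOA = {"A.5.17", "A.8.5", "A.8.24"}
```

Running `treatment_plan(SAMPLE_REGISTER)` flags R2 as mitigated without a control, and `soa_traceability(SAMPLE_REGISTER, SAMPLE_SOA)` reports A.8.24 as included in the SoA without a risk that justifies it.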

The controls you implement will vary widely. A cloud-native SaaS company will focus heavily on access management, encryption, secure development, and supplier security. A manufacturing firm might prioritize physical security and operational technology controls instead.

What you produce: Statement of Applicability, implemented controls with evidence, and updated policies and procedures.

Build your documentation

ISO 27001 requires specific documented information. At minimum, you need:

  • Information security policy - endorsed by top management, setting direction and commitment
  • Risk assessment methodology and results - how you assess risks and what you found
  • Statement of Applicability - which controls apply and why
  • Risk treatment plan - how you address unacceptable risks
  • Supporting procedures - access control, incident management, change management, backup, and others relevant to your scope

Keep documentation practical. A 5-person startup does not need 200-page policy manuals. What matters is that policies are clear, communicated, and actually followed. We have seen organizations pass certification with 15-20 concise documents.

Train your people

Clauses 7.2 and 7.3 require competence and awareness. Everyone in scope needs to understand the information security policy, their role in the ISMS, and the consequences of not following procedures.

Effective training is role-specific. Developers need secure coding guidance. Finance teams need to recognize invoice fraud. Everyone needs phishing awareness. Document who received what training and when - auditors will check.

Common mistake: Running a single annual presentation and calling it done. Clause 7.3 requires ongoing awareness, not a yearly tick.

Conduct internal audits

Clause 9.2 requires you to audit your own ISMS before any external auditor arrives. Internal audits check whether your ISMS conforms to the standard’s requirements and your own policies, and whether it is effectively implemented and maintained.

Plan your internal audit program to cover every clause and every applicable Annex A control over the audit cycle. You can do this in a single comprehensive audit or spread it across several targeted audits throughout the year.

Internal auditors must be objective - they should not audit their own work. For small teams, this often means bringing in an external party to perform the internal audit, or cross-training team members to audit each other’s areas.

What you produce: Audit plan, audit reports, findings with corrective actions, and evidence that nonconformities were addressed.

Hold management review

Clause 9.3 requires top management to review the ISMS at planned intervals. This is not a rubber stamp - auditors expect to see genuine discussion and decisions.

The agenda should cover: internal audit results, status of corrective actions, risk assessment changes, feedback from interested parties, and opportunities for improvement. The output should include decisions about resource allocation, ISMS changes, and improvement actions.

Schedule this before your certification audit so you can demonstrate a complete Plan-Do-Check-Act (PDCA) cycle.

Pass certification

Certification involves two stages with an accredited certification body:

Stage 1 (documentation review): The auditor reviews your ISMS documentation to confirm it meets ISO 27001 requirements and that you are ready for Stage 2. This typically takes 1-2 days on-site or remote. The auditor will flag any gaps that need fixing before Stage 2.

Stage 2 (implementation audit): The auditor verifies that your ISMS is implemented and operating effectively. They interview staff, review evidence, and check that controls work in practice. This takes 2-5 days depending on organization size and scope.

After Stage 2, you receive your certificate (assuming no major nonconformities). Annual surveillance audits follow, with full recertification every three years.

Realistic timeline

| Phase | Duration | What happens |
| --- | --- | --- |
| Scope and context | 2-3 weeks | Define boundaries, analyze context, identify interested parties |
| Risk assessment | 3-4 weeks | Asset inventory, threat analysis, risk register, treatment plan |
| Controls and documentation | 6-10 weeks | Implement controls, write policies, build evidence |
| Training and awareness | 2-3 weeks | Role-specific training, policy communication |
| Internal audit | 2-3 weeks | Audit program, conduct audit, address findings |
| Management review | 1 week | Review meeting, document decisions |
| Certification audit | 3-6 weeks | Stage 1, gap remediation, Stage 2 |

Total: roughly 5-8 months for a focused team. Larger organizations or those starting with minimal existing controls should plan for 9-12 months.

How 27kay can help

We guide organizations through ISO 27001 implementation from scoping to certification. We have taken teams from zero documentation to certified ISMS in as little as four months - though we will be honest about whether that timeline is realistic for your situation.

Whether you need help with the full implementation or specific phases like risk assessment or internal audit preparation, let’s talk - we will scope the work based on where you are today and where you need to get to.