ISO 27001 Implementation Guide:
Checklist of Steps, Timing, and Costs involved


ISO 27001 checklist: 16 steps for the implementation

If you are starting to implement ISO 27001:2022, you are probably looking for an easy way to implement this standard. I’ll try to make your job easier – here is a list of 16 steps summarizing how to implement ISO 27001. From getting buy-in from top management, to going through activities for implementation, monitoring, and improvement, in this ISO 27001 checklist you have the main steps your organization needs to go through if you want to achieve ISO 27001 certification.

Each ISO 27001 implementation needs to start with the following steps:
  1. Obtaining management support
  2. Setting up project management
  3. Defining the ISMS scope
  4. Writing a top-level Information Security Policy
  5. Defining the risk assessment methodology
  6. Performing risk assessment and risk treatment

1) Obtain management support

This one may seem rather obvious, but it is usually not taken seriously enough. In my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not enough money.

In the sections below you’ll find some tips on how to convince your management, and how much the implementation costs.

2) Treat it as a project

As I already said, the implementation of an Information Security Management System (ISMS) based on ISO 27001 is a complex undertaking involving various activities and lots of people, lasting from a couple of months (for smaller companies) all the way to more than a year (for large corporations).

If you do not clearly define what is to be done, who is going to do it, and in what time frame (i.e., apply project management), you might as well never finish the job.

3) Define the scope

If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thereby significantly lowering your project risk; however, if your company is smaller than 50 employees, it will probably be easier for you to include your whole company in the scope.

Learn more about defining the scope in the article How to define the ISMS scope.

4) Write an Information Security Policy

The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS – it shouldn’t be very detailed, but it should define some basic requirements for information security in your organization.

But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it. (Learn more in the article What is the ISO 27001 Information Security Policy, and how can you write it yourself?)

5) Define the risk assessment methodology

Risk assessment is the most complex task in the ISO 27001 project – the purpose of the methodology is to define the rules for identifying the risks, impacts, and likelihood, and to define the acceptable level of risk.

If those rules are not clearly defined, you might find yourself in a situation where you get unusable results. (For more, read the article ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide).

6) Perform the risk assessment & risk treatment

Here you have to implement the risk assessment you defined in the previous step – it might take a couple of days for a small company, and up to several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the internal and external dangers to your organization’s data.

The purpose of the risk treatment process is to decrease the risks that are not acceptable – this is usually done by planning to use the controls from Annex A. During this step, a Risk Assessment Report has to be written, which documents all the steps taken during the risk assessment and risk treatment process. Also, an approval of residual risks must be obtained.

Learn more about the details of risk assessment and treatment in the article ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide.

7) Write the Statement of Applicability

Once you have completed your risk assessment and treatment process, you will know exactly which controls from ISO 27001 Annex A you need. The purpose of this document (frequently referred to as the Statement of Applicability, or SoA) is to list all controls and to define which are applicable and which are not, the reasons for such a decision, and a description of how they are implemented in the organization.

The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS. (Read the article Statement of Applicability in ISO 27001 – What is it and why does it matter? to learn more).

8) Write the Risk Treatment Plan

Just when you thought you had resolved all of the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from the SoA are to be implemented – who is going to do it, when, with what budget, etc.

This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project.
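Steps 5 through 8 above describe one chain of work: a methodology that scores likelihood and impact and fixes an acceptable level of risk, a treatment that brings unacceptable risks down with Annex A controls, approval of residual risks, a Statement of Applicability that justifies every control, and a Risk Treatment Plan that says who implements what and by when. The following Python is an added worked example of that chain; it is not code from the article or from Advisera. The 1-to-3 scales, the acceptable-risk threshold, the assumed likelihood reduction per control, the sample risk register and the "interested party" requirement are all constructed assumptions, and the control catalogue is a small subset of ISO 27001:2022 Annex A as recalled by the example's author, so check the identifiers and titles against your own copy of the standard.

```python
"""Qualitative ISO 27001 risk assessment, treatment and SoA (added example).

Scales, threshold, sample register and control effects are assumptions made
for illustration; the standard does not prescribe them. Control identifiers
and titles are a subset of ISO 27001:2022 Annex A as recalled here; verify
them against your copy of the standard.
"""
from dataclasses import dataclass

# Assumed methodology: risk = likelihood * impact, each rated 1 (low) to 3 (high),
# and a score of 3 or less is acceptable without treatment.
ACCEPTABLE_RISK = 3


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..3, assumed scale
    impact: int      # 1..3, assumed scale

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Treatment:
    """One line of the Risk Treatment Plan: which controls, who, when, expected effect."""
    risk_index: int
    controls: list[str]        # Annex A identifiers selected for this risk
    likelihood_reduction: int  # assumed effect of the controls on likelihood
    owner: str                 # who is going to implement the controls
    deadline: str              # by when (constructed value)


# Constructed catalogue: a subset of Annex A, verify against the standard.
CATALOGUE = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.8.7": "Protection against malware",
    "A.8.12": "Data leakage prevention",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


def assess(register: list[Risk]) -> list[dict]:
    """Apply the methodology: score every risk and flag those above the acceptable level."""
    return [
        {"index": i, "risk": r, "score": r.score(), "acceptable": r.score() <= ACCEPTABLE_RISK}
        for i, r in enumerate(register)
    ]


def treat(register: list[Risk], plan: list[Treatment]) -> dict[int, dict]:
    """Compute residual risk per treated risk; residuals still above the
    acceptable level must be explicitly approved by management."""
    residual = {}
    for t in plan:
        r = register[t.risk_index]
        new_likelihood = max(1, r.likelihood - t.likelihood_reduction)
        score = new_likelihood * r.impact
        residual[t.risk_index] = {
            "residual": score,
            "needs_approval": score > ACCEPTABLE_RISK,
            "controls": t.controls,
            "owner": t.owner,
            "deadline": t.deadline,
        }
    return residual


def build_soa(catalogue: dict[str, str], plan: list[Treatment],
              required_by_interested_parties: set[str]) -> dict[str, tuple[bool, str]]:
    """Statement of Applicability: every control in the catalogue, applicable or
    not, with the reason for the decision."""
    selected = {c for t in plan for c in t.controls}
    soa = {}
    for cid in catalogue:
        if cid in selected:
            soa[cid] = (True, "selected during risk treatment")
        elif cid in required_by_interested_parties:
            soa[cid] = (True, "required by an interested party")
        else:
            soa[cid] = (False, "no risk or requirement identified")
    return soa


# Constructed sample register (asset, threat, vulnerability, likelihood, impact).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "backups not tested", 3, 3),   # 9
    Risk("laptops", "theft", "disks not encrypted", 2, 3),                  # 6
    Risk("e-mail accounts", "phishing", "no awareness training", 3, 2),     # 6
    Risk("office printer", "hardware failure", "old device", 2, 1),         # 2, acceptable
]

# Constructed Risk Treatment Plan for the unacceptable risks.
SAMPLE_PLAN = [
    Treatment(0, ["A.8.7", "A.8.13"], 2, "IT manager", "within 3 months"),
    Treatment(1, ["A.8.24"], 1, "IT manager", "within 2 months"),
    Treatment(2, ["A.6.3"], 1, "HR manager", "within 6 months"),
]

# Constructed requirement: a customer contract demands formal access control.
SAMPLE_INTERESTED_PARTY_CONTROLS = {"A.5.15"}


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['risk'].asset:18} score={row['score']} acceptable={row['acceptable']}")
    for idx, res in treat(SAMPLE_REGISTER, SAMPLE_PLAN).items():
        print(f"risk {idx}: residual={res['residual']} needs_approval={res['needs_approval']}"
              f" controls={res['controls']} owner={res['owner']} deadline={res['deadline']}")
    for cid, (applicable, reason) in build_soa(CATALOGUE, SAMPLE_PLAN,
                                               SAMPLE_INTERESTED_PARTY_CONTROLS).items():
        print(f"{cid} {CATALOGUE[cid]:55} applicable={applicable} ({reason})")
```

Running the script prints the three documents the article asks for in miniature: the assessment (which risks exceed the acceptable level), the treatment result with the residual risks that still need management approval (the phishing risk only drops to 4, so it is flagged), and the SoA with a justification for every control, including the one that is not applicable. In practice the scales and the likelihood-reduction figures are the part of the methodology you must agree on up front; if they are left vague, the scores become unusable, which is exactly the failure mode step 5 warns about.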

9) Define how to measure the effectiveness of controls

This is another task that is usually underestimated in a management system. The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose?

Therefore, be sure to define how you are going to measure the fulfillment of objectives you have set both for the whole ISMS, and for security processes and/or controls. (Read more in the article ISO 27001 control objectives – Why are they important?)

10) Implement the security controls

This might be easier said than done. This is where you have to implement all documents and technology, and consequently change the security processes in your company. For more about ISO 27001-required documents and records, read the article List of mandatory documents required by ISO 27001. For more about Annex A, read the article How to structure the documents for ISO 27001 Annex A controls.

This is usually the most difficult task in your project because it means enforcing new behavior in your organization. Often, new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.

11) Implement training and awareness programs

If you want your personnel to implement all of the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected.

The absence of training and awareness is the second most common reason for ISO 27001 project failure. (For more about training and awareness, read the article How to perform training & awareness for ISO 27001 and ISO 22301).

12) Operate the ISMS

This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records.” ISO 27001 certification auditors love records (including logs) – without records, you will find it very hard to prove that an activity has really been done.

But records should help you in the first place – by using them, you can monitor what is happening; you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required. (Read more in the article Records management in ISO 27001 and ISO 22301).

13) Monitor and measure the ISMS

What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly?

This is where the objectives for your controls and your measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions. (Learn more in the article How to perform monitoring and measurement in ISO 27001).

14) Internal audit

Very often, people are not aware that they are doing something wrong (on the other hand, they sometimes are, but they don’t want anyone to find out about it). But being unaware of existing or potential problems can hurt your organization – you have to perform an internal audit in order to find out such things.

The point here is not to initiate disciplinary actions, but to take corrective actions so that such problems do not happen again. (Read the article How to prepare for an ISO 27001 internal audit for more details).

15) Management review

The top management of your company does not have to configure your firewall, but they must know what is going on in the ISMS, i.e., if everyone performed their duties, and if the ISMS is achieving the desired results, fulfilling the defined requirements, etc.

Based on that, the management must make some crucial decisions like approving the security budget, aligning security with business strategy, etc. (Learn more in the article Why is management review important for ISO 27001 and ISO 22301?)

16) Corrective actions

The purpose of the management system is to ensure that everything that is wrong (so-called “non-conformities”) is corrected, or hopefully prevented. Therefore, ISO 27001:2022 requires that corrective actions be done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified. (Read the article Complete guide to corrective action vs. preventive action).

Hopefully, this ISO 27001 checklist has clarified what needs to be done – although ISO 27001 is not an easy task, it is not necessarily too complicated. You just have to plan each step carefully, and don’t worry – you’ll get the ISO 27001 certification for your organization.


Time, effort, and roles needed to implement ISO 27001

How long will it take? This is probably the second most common question I hear about ISO 27001 (the first one is “How much does it cost?”). Well, the answer is not really encouraging – most of the people I speak to expect it to be a couple of weeks. But this is not realistic – the reality is a couple of months for smaller companies all the way to more than a year for larger organizations.

Of course, you can always produce dozens of documents in a matter of days claiming you are compliant with ISO 27001, but this is not what I’m writing about here. I’m writing about the implementation that is meaningful, i.e., that produces results – a lower number of incidents, higher efficiency, cost savings, etc.

Time needed for the initial implementation

Your main implementation effort will be spent on the so-called “Plan” and “Do” phases of ISO 27001, i.e., the first two mandatory phases, in which the risk assessment is done and all the safeguards (security controls) are implemented.

The duration of implementation for these two phases depends primarily on the size of the organization:

  • Companies of up to 20 employees – up to 3 months
  • 20 to 50 employees – 3 to 5 months
  • 50 to 200 employees – 5 to 8 months
  • More than 200 employees – 8 to 20 months

These times are valid if you use a consultant or an online tool to help you with the implementation; if you’re trying to do this by yourself without any help, it will take you much longer.

Also, what can considerably extend your implementation time is if your company does not have support from the top management or does not have an experienced project manager.

Roles in the implementation project

In smaller companies, the person who runs the project (i.e., who acts as a project manager) will also perform the role of the security officer, whereas larger companies will have these two roles separated – a professional project manager will run the project, and another person acting as a security officer will be responsible for overall security and will participate in the project.

ISO 27001 does not require that you establish a project team, but this will be helpful for companies of 200 or more employees; for smaller companies it will be enough to have only a project manager who will coordinate the project with other colleagues.

In larger companies it would be best if you include heads of various departments in the project team – e.g., head of IT department, head of legal, head of HR, head of marketing & sales, head of operations, etc. This way you can ensure that all major security decisions are made at a high enough level, and that there is enough commitment for their implementation.

In a company of any size, you’ll need to include some of your employees in the following activities:

  • Risk assessment – finding out what can go wrong with your information
  • Risk treatment – finding out which mitigation options to use to decrease risks
  • Reviewing policies and procedures – to make sure security documents are aligned with existing business processes
  • Approval of security objectives, documentation, and required resources – to ensure commitment and alignment with company strategy

For the first three bullets, you can use department heads for these activities, whereas the last bullet needs to be performed by the top management – e.g., the CEO in a smaller company, or the CIO or CTO in larger companies.

Roles and effort needed for the initial implementation of ISO 27001

Fewer than 200 employees:
  • Project manager (merged with the security officer role) – 1 day per week
  • Project team – not needed
  • Heads of departments – 7 hours per each department head (throughout the whole project)
  • Top management – 5 hours in total

200 to 2,000 employees:
  • Project manager – 50% of time
  • Security officer – 50% of time
  • Project team – heads of departments are members of the project team, 15 hours per each department head (throughout the whole project)
  • Top management – 10 hours in total

More than 2,000 employees:
  • Project manager – 100% of time
  • Security officer – 100% of time
  • Project team – heads of departments are members of the project team, 30 hours per each department head (throughout the whole project)
  • Top management – 15 hours in total

Effort needed for the initial implementation

In companies of up to 200 employees, the project manager will typically need to spend roughly 20% of his or her time throughout the whole project, e.g., 1 day per week. The larger and/or the more complex the company, the more time this project manager will need to invest – in companies of a couple of thousand employees, the project manager will probably need to work full time on a project like this.

If you have a separate security officer from the project manager, this person will probably need to spend the same amount of time on the project as the project manager – e.g., in a company of 2,000 employees you might have a full-time project manager and a full-time security officer working on ISO 27001.

In a smaller company, the workload for the heads of the departments for activities mentioned in the previous section will be about 7 hours per each department for risk assessment and treatment, and for reviewing documents; the top management will need to invest about 5 hours for making all the approvals.

Again, this effort will be needed if you use an ISO 27001 tool or a consultant to help you; if not, you will need considerably more effort.

Effort needed for the maintenance of the ISMS

It is worth mentioning that the work on ISO 27001 doesn’t stop with the Plan and Do phases – the Information Security Management System (ISMS) that you create needs to be maintained (and improved), meaning that the work on information security is not one-off, but continuous.

However, the effort for maintaining the system is not as great as in the initial implementation – it will probably be around 25% of the effort that was needed for the Plan and Do phases.

How much does ISO 27001 implementation cost?

This is usually the first question I receive from a potential client. To their disappointment, there is no single amount to give them, because this is not a purchase of an off-the-shelf product.

Total cost of the implementation will depend on the following:

  • the size of your company, i.e., the number of employees (you should calculate only the employees that will be included in your ISO 27001 scope)
  • the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection)
  • the technology the organization is using (for instance, data centers tend to have higher costs because of their complex systems)
  • legislation requirements (usually, the financial and government sectors are heavily regulated with regards to information security)

Further, there are several types of costs you need to take into account:

  1. the literature and training
  2. the cost of external assistance
  3. the cost of employees’ time
  4. the cost of new technology
  5. the cost of certification

Here’s an explanation of each of these costs and a rough estimate of amounts (all amounts are in US dollars):

1. The cost of literature and training

Implementation of ISO 27001 is rather complex, requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days. Here you can see Advisera’s ISO 27001 courses – the cost is between $250 and $1,700 per person.

And don’t forget to buy the ISO 27001 standard itself – too often, I run across companies implementing the standard without actually seeing it. Cost: around $100.

2. The cost of external assistance

Unfortunately, training your employees is not enough. If you don’t have a security officer with in-depth experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative.

Consultant costs differ greatly from one country to another, but for small companies in the United States, the cost could be around $15,000; the cost of Advisera’s Conformio ISO 27001 software is about $2,000 annually.

However, be careful here – do not expect the consultant or online software to do the whole implementation for you – your employees will have to invest some time as well.

3. The cost of employees’ time

As explained in the sections above, your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, and they have to take some time to train themselves for new responsibilities and for adapting to new rules.

In the section “Effort needed” above, you can see the amount of time needed, so that you can calculate the associated costs of this time investment of your employees.

4. The cost of technology

It might seem funny, but most companies I’ve worked with did not need an investment in hardware, software, or anything similar. They already had all the technology they needed – however, during the implementation of ISO 27001 they had to start using that technology in a more secure way.

So, from a technology point of view, most costs will be related to changing your existing activities, and those costs are captured under the previous category – the cost of employees’ time.

5. The cost of certification

If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – this cost will also depend on the size of the company. In the United States, the certification of a smaller company might be around $7,500.

See also: How to get ISO 27001 certified.

To conclude, you have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the cost and the benefits.

Three strategies for ISO 27001 implementation

In essence, you have three strategic options for implementing ISO 27001:

a) Do it on your own without external help

In this option, your employees are doing all the work without using any help from consultants or tools.

This is the best option if you don’t want any outsiders in your company and if your budget is really tight, but it is feasible only if you have an employee who is already experienced in ISO 27001.

b) Do it yourself with external help

This is where you implement the standard yourself (by performing all the analysis, interviews, writing the documentation, etc.), but you use an ISO 27001 tool and guidance from external experts to complete the project.

This is the best option if you have a moderate budget, and if you want your employees to learn the most about how to manage security. Advisera’s Conformio is an example of such a tool.

c) Consultant is doing most of the work

This is where you hire an outside expert (i.e., ISO 27001 consultant) to do the whole job – this person will do all the work and will deliver you completed documentation.

This is usually the quickest option for implementing the standard, but also the most expensive. Read also 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

Four key benefits of ISO 27001:2022 implementation

Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive, they will say no.

Actually, you shouldn’t blame them – after all, their ultimate responsibility is the profitability of the company. That means their every decision is based on the balance between investment and benefit, or to put it in management’s language – ROI (return on investment).

This means you have to do your homework first before trying to propose such an investment – think carefully about how to present the benefits, using language the management will understand and will endorse.

I’ll help you – the benefits of information security, especially the implementation of ISO 27001:2022, are numerous. But in my experience, the following four are the most important:

1) Compliance

It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if a company must comply with various regulations regarding data protection, privacy, and IT governance (particularly if it is a financial, health, or government organization), then ISO 27001 can bring in the methodology that enables it to do so in the most efficient way.

Even more important, if an existing customer asks you to comply with ISO 27001, then you need to comply with the standard to keep the client.

2) Marketing edge

In a market that is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of potential customers.

ISO 27001 could be a unique selling point that can set you apart from your competitors, especially if new clients want their data to be treated with great care.

3) Lowering the expenses

Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.

To be honest, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.

4) Bringing order to your business

This one is probably the most underrated – if you are a company that has been growing rapidly for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.

ISO 27001 is particularly good at sorting these things out – it will force you to define roles and responsibilities very precisely, and therefore strengthen your internal organization.

To conclude – ISO 27001 could bring in many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, the management will start listening to you.

ISO 27001 project – key success factors

Many companies don’t realize this, but setting up the ISO 27001 project properly at the beginning of the implementation is one of the most important elements if you want to complete the implementation within an acceptable time frame and budget.

Don’t try this without management support

Management commitment must come before anything else – if your top executives don’t see real benefit in increasing the level of security by setting clear rules, you would be better off investing your energy in something else.

But this cannot happen in a short time, let alone in one meeting with a PowerPoint presentation. This is a process where you need to play an active role – first, you need to recognize the applicable benefits for your business, and then consistently push this message toward the decision makers.

Get the knowledge

Unless you’ve already implemented ISO 27001 a couple of times, you’ll need to learn how it is done. ISO 27001 implementation is way too complex to understand only by reading the standard.

There are several ISO 27001 courses available for beginners or for advanced users – see the list of ISO 27001 trainings here.

Run the implementation as a project

If you know exactly what the objectives are, who is responsible for what, if the resources are available, and what the deliverables are, you will not only speed up the process – but also increase your chances of a successful outcome. (See here an example of a Project checklist for ISO 27001 implementation).

The point is – the implementation of standards like these does take quite a lot of time, so you need to make sure you do it with a structure in mind. If implementation is done superficially or without clear objectives, you’ll not only lose time, but miss an opportunity to help your company improve and grow. And of course, you can decrease the implementation time – if you plan your project carefully.

Choosing the right project manager

The most natural person to lead the project should be a person who is in charge of information security in your company – there are different titles for this job: Chief Information Security Officer (CISO), Information Security Officer (ISO), Security Manager, etc. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?

In any case, you have to choose a person with the following characteristics:

  • Good knowledge of both business and IT processes in your company – this person does not need to be an IT expert, but this person needs to have a working knowledge of IT
  • He or she needs to have enough time to run the project
  • And, most importantly, this person needs to have enough authority to push all the changes that are required

In some cases, I’ve seen companies giving this project to a trainee, only to realize that the project has failed after a lot of effort.

How to choose an ISO 27001 implementation tool

Managing an ISO 27001 project without any guidance is like putting together a big jigsaw puzzle with a thousand pieces, but without the picture in front of you. What you really need in this situation is a guide.

In this section, we propose the use of an ISO 27001 tool for managing the implementation. This alternative will hand over all the pieces of the puzzle with numbers on the backs and peace of mind.

What to look for in an ISO 27001 implementation management tool

Having an online tool to help you drive your ISO 27001 project forward is definitely a plus. However, before choosing a software solution, you need to understand that not every tool will fit your needs – you might be seduced by numerous features, but not all of these will be necessary for you, whereas there might be some other features you did not think of.

So, you need to find a tool that has the functionalities to drive the ISO 27001 project forward, and that has the built-in expertise on how to comply with ISO 27001 requirements.

You need a platform that will:

  • Provide clear steps for ISO 27001 project implementation
  • Provide easy-to-use wizards for creation of all documentation (policies, procedures, reports, etc.)
  • Automate the risk management process by suggesting assets, threats, vulnerabilities, and related controls
  • Automatically fill out the Statement of Applicability based on the risk treatment and requirements of interested parties
  • Enable easy collaboration between the people who work on the ISO 27001 implementation
  • Provide a clear overview of tasks received and tasks given to other people, as well as their status
  • Enable automation not only for the initial implementation, but also for the maintenance of the ISMS

Besides the criteria listed above, the software should:

  • Be adapted for your company size – the documentation and the flow of steps is adapted to how big your company is
  • Provide support from experienced experts – if you have some questions on how to approach your specific case
  • Teach all the people about security – the point is not only to mechanically ask people to do some tasks, but also to explain to them why these tasks are needed

And last but not least, perhaps the most important criterion for selecting the ISO 27001 implementation tool is that it needs to have built-in expert logic on how to do the implementation properly – in other words, it needs to be designed by ISO 27001 experts, not only by designers and software developers.

Advisera’s Conformio ISO 27001 software

What if you had all the steps for your ISO 27001:2022 project set right before you, so that with a single glance you could understand each step ahead of you? Beautiful, right? Now, imagine that you have an explanation for how to complete each step, and you can access those guidelines any time and easily share them as actionable tasks with your team.

Understanding the importance of such guidance, we have created Conformio, which guides you through your ISO 27001 implementation and maintenance. Conformio is online collaboration software designed around the steps to implement ISO 27001, incorporating years of expertise in developing documents and providing support to organizations all around the world.

This expertise is materialized in two essential elements. The first is the Document Wizards, which provide guidance on documentation development and help define how tasks are distributed during implementation and ongoing maintenance of your ISMS. The second is the Responsibility Matrix, which consolidates the information on who does what, and when, in each document, providing a basis for the automation of tasks such as document review and internal audit.

Conformio is designed for smaller companies, and provides you with the following:

  • Step-by-step guide for implementation and maintenance of the ISMS
  • Automation of risk assessment and treatment, as well as the Statement of Applicability
  • Sending tasks and messages between project members, enabling the collaboration on, e.g., document review and other tasks
  • Training videos for each step in the implementation

In the screenshot below, you can see what the Step-by-step wizard in Conformio looks like:

[Screenshot: the Step-by-step wizard in Conformio]

As you can see, when you have an online tool to drive your project forward, combined with concrete expert guidance, you have the right conditions to successfully implement and maintain any project. This is something that we recognized early on, and perfected, to provide you with the best possible tool for your ISO 27001 project management.

If this makes sense, go on and give it a try.

To learn how to implement ISO 27001 through a step-by-step wizard and get all the necessary policies and procedures, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Author: Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.