Implementing an ISO 27001:2013-based security framework can become a big task if it is not planned well before work starts. Here we have tried to simplify the crucial steps that need to be taken in order to implement it.

If you are early in your career and do not have much implementation experience, this guide should help you. Feel free to share your thoughts in the comment section if you find it useful.

Implementing ISO 27001:2013 from scratch in 35 simple steps

1.  Obtain top management approval for the implementation of an ISO 27001:2013-based ISMS (Information Security Management System) in the organization.

2.  Gather as much information as possible about the organization and its industry.

3.  Develop a good understanding of the industry the organization operates in.

4.  Gather background information about the organization's products and services.

5.  Understand the organization's known external and internal issues (its context, clause 4.1 of the standard).

6.  Identify the organization's competitors in the market.

7.  Identify the organization's interested parties (stakeholders).

8.  Understand the needs and expectations of those interested parties (clause 4.2).

9.  Understand the organization's legal, regulatory and contractual requirements, where applicable.

10.  Understand the interfaces and interdependencies between the activities performed by the organization and those performed by other organizations.

11.  Understand the organization's ISMS requirements, as these vary from company to company.

12.  Understand the requirements of the interested parties that are relevant to the ISMS.

13.  Determine the scope of the ISMS (the locations, sites and/or functions to be covered, clause 4.3). This is a critical step: the scope defines what the certificate will cover, and the interfaces and dependencies identified in step 10 must be taken into account when setting it.

14.  Define the overall information security (IS) policy, including the IS objectives (or the framework for setting them), the applicable business requirements, and top management's commitment to continual improvement (clause 5.2).

15.  Define the risk assessment process, including the risk assessment criteria and the risk acceptance criteria (clause 6.1.2).

16.  Define the risk treatment process (how identified risks will be treated: modified by applying controls, retained, avoided or shared).

17.  Develop the project plan for the ISO 27001:2013-based ISMS implementation.

18.  Present the project plan to top management for approval, and secure their commitment to the project along with the necessary support and resources.

19.  Define IS objectives at all relevant functions and levels across the organization (clause 6.2).

20.  Perform the risk assessment, following the points below:

    a. Identify the IS risks (loss of confidentiality, integrity or availability of information within the scope).

    b. Identify the risk owners.

    c. Analyze the IS risks (assess consequences, likelihood and the resulting risk level).

    d. Evaluate the IS risks (compare them with the risk criteria and prioritize them for treatment).

21.  Perform the risk treatment, following the points below:

    a. Select appropriate controls for the risks that need to be treated.

    b. Compare the selected controls with Annex A of ISO 27001:2013 to verify that no necessary control has been overlooked.

    c. Develop the Statement of Applicability (SoA), listing the necessary controls, the justification for including them, whether they are implemented, and the justification for excluding any Annex A control.

    d. Develop the risk treatment plans.

22.  Obtain the risk owners' approval of the risk treatment plans and their acceptance of the residual risks. Identifying the right risk owner is important, since that person must have the authority to accept the risk.

23.  Implement the risk treatment plans (staffing, infrastructure, technical controls, and managerial controls such as employment and contract agreements, NDAs, etc.).

24.  Define ISMS performance measurements and how the resulting metrics will be reported (clause 9.1).

25.  Develop the ISMS internal audit programme (clause 9.2); its records will also be needed for the certification, surveillance and recertification audits.

26.  Define and assign ISMS roles and responsibilities.

27.  Develop the necessary information security (IS) documentation (the documented information required by the standard and by the organization).

28.  Develop the ISMS communication plan covering all interested parties (what to communicate, when, to whom and by whom).

29.  Provide the necessary IS training to employees and contractors.

30.  Carry out the necessary information security awareness initiatives.

31.  Operate the ISMS (record IS events, activities, communications, changes, incidents, accidents and nonconformities (NCs)).

32.  Check ISMS performance on a regular basis:

    a. Review the ISMS performance measurements and metrics.

    b. Conduct periodic risk assessments (at planned intervals and when significant changes occur).

    c. Perform periodic internal audits and support external (certification or regulatory) audits.

    d. Collect feedback from interested parties.

    e. Carry out periodic management reviews of ISMS performance (clause 9.3).

33.  Report to the appropriate level of management at the defined frequency.

34.  Decide on the corrective actions to be taken for nonconformities and audit findings (clause 10.1).

35.  Develop plans for implementing ISMS improvements as part of continual improvement (clause 10.2).
