ISO 27001 Implementation Guide

Section 2

Implementation Roadmap

Ten phases from preparation to recertification. Timeframes are estimates and vary with scope and organisational maturity.

  1. Phase 0: Preparation and scoping

    2–4 weeks (estimate)

    Objective. Establish executive sponsorship, define the boundaries of the ISMS and secure the resources needed for the project.

    Key activities

    • Identify interested parties and their requirements (clause 4.2)
    • Define ISMS scope considering services, locations, processes and information assets
    • Appoint a project lead and steering committee
    • Define information security policy at the highest level

    Deliverables

    • Interested parties register
    • ISMS Scope Statement
    • Top-level Information Security Policy
    • Project plan and budget

    Common pitfalls

    • Scoping the ISMS too broadly in the first cycle
    • Treating it as an IT-only project without business ownership
  2. Phase 1: Gap analysis

    2–6 weeks (estimate)

    Objective. Benchmark current practice against ISO/IEC 27001:2022 clauses 4–10 and Annex A to identify what is already in place, what is missing and what is partially implemented.

    Key activities

    • Document current security controls and processes
    • Interview process owners
    • Map evidence to each requirement
    • Produce a prioritised remediation backlog

    Deliverables

    • Gap analysis report
    • Remediation roadmap

    Common pitfalls

    • Confusing absence of documentation with absence of control
    • Skipping evidence collection at this stage
  3. Phase 2: Risk assessment and treatment

    4–8 weeks (estimate)

    Objective. Apply a documented methodology to identify, analyse and evaluate information security risks, then decide on treatment options consistent with the organisation's risk appetite.

    Key activities

    • Define risk criteria, acceptance criteria and methodology (clause 6.1.2)
    • Identify assets, threats, vulnerabilities and existing controls
    • Determine inherent and residual risk
    • Select controls and produce the Statement of Applicability
    • Produce the Risk Treatment Plan and obtain risk owners' approval

    Deliverables

    • Risk Assessment Methodology
    • Risk Register
    • Statement of Applicability (SoA)
    • Risk Treatment Plan

    Common pitfalls

    • Treating the SoA as a tick-box exercise rather than a justified selection
    • Risk owners not formally accepting residual risk
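The phase above describes a procedure: score each risk before and after controls, compare the residual score with the acceptance criteria, and let only a named risk owner accept what remains above appetite, with the SoA justified from the treatment decisions. The following Python is an added illustration of that workflow and is not code from the guide or from the standard; the 5x5 likelihood/impact scale, the acceptance threshold of 6, the control effects, the sample risks and the three Annex A references used for the catalogue are all constructed assumptions.

```python
"""Risk register with inherent/residual scoring, acceptance check and SoA derivation.

Added illustration of the Phase 2 workflow; not code from the guide. The 5x5
likelihood/impact scale, the acceptance threshold of 6, the control effects and
all sample risks are constructed assumptions, not values from ISO/IEC 27001.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed risk criteria: clause 6.1.2 requires the organisation to define its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6          # residual score <= 6 is within appetite (assumed)
TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}


@dataclass
class Control:
    annex_ref: str                 # Annex A reference the control maps to
    likelihood_reduction: int = 0  # steps removed from the likelihood scale (assumed effect)
    impact_reduction: int = 0      # steps removed from the impact scale (assumed effect)


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    treatment: str = "modify"
    controls: List[Control] = field(default_factory=list)
    residual_accepted_by: Optional[str] = None  # formal sign-off by the risk owner

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Existing and planned controls lower likelihood and/or impact; never below 1.
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def treatment_issues(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Findings that block sign-off of the Risk Treatment Plan: an unknown treatment
    option, or residual risk above the acceptance criteria with no formal owner acceptance."""
    issues = []
    for r in risks:
        if r.treatment not in TREATMENT_OPTIONS:
            issues.append((r.risk_id, f"unknown treatment option '{r.treatment}'"))
        if r.residual_score() > ACCEPTANCE_THRESHOLD and r.residual_accepted_by is None:
            issues.append((r.risk_id, "residual risk above acceptance criteria with no formal owner acceptance"))
    return issues


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> List[dict]:
    """One SoA row per catalogue control: applicable controls cite the risks they treat;
    the rest are marked not applicable and still need an explicit exclusion reason."""
    treats: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.controls:
            treats.setdefault(c.annex_ref, []).append(r.risk_id)
    rows = []
    for ref, name in catalogue.items():
        applicable = ref in treats
        justification = ("treats " + ", ".join(sorted(treats[ref]))) if applicable else "EXCLUSION REASON REQUIRED"
        rows.append({"control": ref, "name": name, "applicable": applicable, "justification": justification})
    return rows


# Constructed sample data; the three Annex A references are a small illustrative subset.
SAMPLE_CATALOGUE = {
    "A.5.19": "Information security in supplier relationships",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
}
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "ransomware", "unpatched endpoints", "likely", "severe", "head of IT",
         controls=[Control("A.8.7", likelihood_reduction=2), Control("A.8.13", impact_reduction=2)]),
    Risk("R-02", "payroll SaaS", "supplier breach", "no security clauses in contract", "possible", "major",
         "HR director", treatment="retain"),            # above appetite and nobody has signed it off
    Risk("R-03", "laptops", "theft", "no remote wipe", "possible", "moderate", "head of IT",
         treatment="retain", residual_accepted_by="head of IT"),  # above appetite, formally accepted
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.risk_id, "inherent", r.inherent_score(), "residual", r.residual_score())
    print("blocking issues:", treatment_issues(SAMPLE_RISKS))
    for row in statement_of_applicability(SAMPLE_RISKS, SAMPLE_CATALOGUE):
        print(row)
```

Running it shows R-01 brought from 20 to 6 by its two controls, R-02 flagged because a retained risk above appetite has no owner acceptance, and R-03 passing because the owner signed it off. The SoA here is derived only from risk treatment; a real SoA also records controls that are applicable for legal or contractual reasons, which is why every row that is not risk-driven is left demanding a written reason rather than being silently excluded.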
  4. Phase 3: ISMS design and documentation

    4–8 weeks (estimate)

    Objective. Produce the mandatory and supporting documentation that defines how the ISMS operates day to day.

    Key activities

    • Draft policies and procedures
    • Define metrics and objectives (clause 6.2)
    • Define document control and records management

    Deliverables

    • Policy set
    • Procedures
    • Metrics and ISMS objectives

    Common pitfalls

    • Copy-pasting templates without tailoring them to the organisation
    • Over-documenting and creating unmaintainable artefacts
  5. Phase 4: Controls implementation (Annex A)

    2–6 months (estimate)

    Objective. Deploy or strengthen the technical, organisational, physical and people controls selected in the SoA.

    Key activities

    • Deploy technical controls (identity, logging, vulnerability management, backup, cryptography, etc.)
    • Run awareness and training
    • Integrate suppliers and third parties
    • Operate the incident process for a meaningful period before audit

    Deliverables

    • Implemented controls with evidence
    • Training records
    • Operational metrics

    Common pitfalls

    • Closing controls on paper without verifying operating effectiveness
    • Ignoring controls covered by third parties
  6. Phase 5: Internal audit

    2–4 weeks per cycle (estimate)

    Objective. Verify independently that the ISMS conforms to the standard and to the organisation's own requirements, and that it is effectively implemented and maintained (clause 9.2).

    Key activities

    • Establish an internal audit programme
    • Train or contract competent and impartial auditors
    • Audit every clause and applicable Annex A control at least once per certification cycle
    • Record findings and agree corrective actions

    Deliverables

    • Audit programme
    • Audit reports
    • Corrective action log

    Common pitfalls

    • Internal auditors auditing their own work
    • Treating findings as personal criticism instead of system inputs
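Two of the requirements above can be checked mechanically from the audit programme: that every clause and every applicable Annex A control is audited at least once within the certification cycle, and that no auditor audits an area they own. The following Python is an added illustration and is not code from the guide; the three-year cycle window, the audit records, the auditor names and the area ownership table are constructed assumptions.

```python
"""Audit programme coverage and impartiality check for clause 9.2.

Added illustration, not code from the guide. The cycle window, the audits,
the auditor names and the area ownership table are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Clauses 4-10 are always in scope of the audit programme.
MANDATORY_CLAUSES = ["4", "5", "6", "7", "8", "9", "10"]


@dataclass
class Audit:
    audit_id: str
    performed_on: date
    auditor: str
    scope: List[str]   # clause numbers and Annex A control references covered


def programme_gaps(audits: List[Audit], applicable_controls: List[str],
                   cycle_start: date, cycle_end: date,
                   area_owner: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (uncovered, impartiality) for one certification cycle.

    uncovered: clauses or applicable controls with no audit inside the window.
    impartiality: (audit_id, item) pairs where the auditor owns the audited area.
    """
    required = set(MANDATORY_CLAUSES) | set(applicable_controls)
    covered = set()
    impartiality = []
    for a in audits:
        if not (cycle_start <= a.performed_on <= cycle_end):
            continue   # audits from an earlier cycle do not count towards this one
        for item in a.scope:
            covered.add(item)
            if area_owner.get(item) == a.auditor:
                impartiality.append((a.audit_id, item))
    return sorted(required - covered), impartiality


# Constructed sample programme: one three-year cycle, applicable controls from the SoA.
CYCLE_START, CYCLE_END = date(2024, 1, 1), date(2026, 12, 31)
SAMPLE_CONTROLS = ["A.5.19", "A.8.7", "A.8.13"]
SAMPLE_AUDITS = [
    Audit("IA-2024-01", date(2024, 6, 10), "alice", ["4", "5", "6", "A.5.19"]),
    Audit("IA-2025-01", date(2025, 3, 15), "bob", ["7", "8", "9", "10", "A.8.7"]),
    Audit("IA-2023-02", date(2023, 11, 1), "alice", ["A.8.13"]),  # previous cycle
]
SAMPLE_OWNERS = {"A.8.7": "bob", "A.5.19": "carol"}   # bob owns malware protection

if __name__ == "__main__":
    uncovered, impartiality = programme_gaps(SAMPLE_AUDITS, SAMPLE_CONTROLS,
                                             CYCLE_START, CYCLE_END, SAMPLE_OWNERS)
    print("not audited this cycle:", uncovered)
    print("auditor auditing own area:", impartiality)
```

With the sample data the backup control A.8.13 is reported as uncovered because its only audit predates the cycle, and IA-2025-01 is flagged because bob audited the malware control he owns. Both outputs feed the audit programme deliverable: the first adds an audit to the plan, the second reassigns the auditor before the audit is repeated.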
  7. Phase 6: Management review

    At least annually (estimate)

    Objective. Top management reviews the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness (clause 9.3).

    Key activities

    • Prepare inputs: audit results, risk status, incidents, metrics, feedback from interested parties, status of previous actions, opportunities for improvement
    • Document decisions on changes to the ISMS, resources and objectives

    Deliverables

    • Management review minutes with documented decisions and actions

    Common pitfalls

    • Holding the review just before the audit and not as an ongoing governance practice
  8. Phase 7: Stage 1 audit (documentation review)

    1–3 days on-site (estimate)

    Objective. The certification body assesses the documented ISMS, scope, SoA and readiness for Stage 2.

    Key activities

    • Provide documentation to the auditor
    • Discuss scope, risk methodology and SoA justifications
    • Address any areas of concern before Stage 2

    Deliverables

    • Stage 1 report identifying areas of concern (not non-conformities yet)

    Common pitfalls

    • Underestimating the time needed to act on Stage 1 findings before Stage 2
  9. Phase 8: Stage 2 audit (on-site assessment)

    3–10 days on-site depending on scope (estimate)

    Objective. The certification body assesses the operating effectiveness of the ISMS through interviews, sampling and evidence collection.

    Key activities

    • Facilitate auditor access to people, systems and records
    • Manage non-conformities through documented corrective actions
    • Receive the audit report and, if positive, the certification recommendation

    Deliverables

    • Stage 2 report
    • ISO/IEC 27001:2022 certificate issued by the accredited body

    Common pitfalls

    • Coaching staff to memorise answers instead of relying on the system
    • Disputing minor non-conformities instead of treating them as improvement opportunities
  10. Phase 9: Surveillance and recertification

    Ongoing (estimate)

    Objective. Maintain the certificate through annual surveillance audits and a full recertification audit every three years.

    Key activities

    • Operate the ISMS continuously, not only around audit dates
    • Track and close non-conformities
    • Update risk assessment, SoA and policies when context changes
    • Repeat internal audit, management review and corrective action cycles

    Deliverables

    • Annual surveillance audit reports
    • Renewed certificate every three years

    Common pitfalls

    • Letting the ISMS decay between audits and rebuilding it in panic before each visit