ISO 27001 implementation checklist

If you are currently starting to Implement ISO 27001, you are searching to execute it. Let you disappoint: there is not any means. However, I will try to make your job easier – here’s the listing of three steps you have to go through if you want to achieve ISO 27001 certification:

Obtain management support

This one may seem it and obvious is not taken. But this is the reason ISO 27001 jobs fail – direction is not supplying enough people to work on not cash or the job. (Read Four important advantages of ISO 27001 executions for ideas how to present the case to management.)

Treat it as a job

As stated, ISO 27001 Implementation is a complicated issue involving a variety of activities, tons of people, lasting several months (or more than a year). If you do not specify clearly what is to be done, who’s going to do it and in what time period (i.e. apply project management), then you may as well never complete the job.

27001 training price

Define the scope

If you are a bigger Organization, it makes sense to employ ISO 27001 only in one part of your company lowering your job risk.

Write an ISMS Policy


ISMS Policy is the Document on your ISMS – it should specify some issues for information security, although it should not be detailed. The objective is to specify what it wants to achieve and how to control it.

Define the Risk Assessment methodology

Risk evaluation is the most Job in the iso 27001 training job – the purpose is also to specify the level of risk and also to define the principles for identifying vulnerabilities, the assets, threats, impacts and chances. You may end up in a situation where you get results that are unusable if those rules were not clearly defined.

Perform the risk assessment & risk treatment

You defined – it may take for organizations, so an effort should be coordinated by you with care. The point is to obtain a picture of the risks for the information of your organization. The Objective of the risk Treatment procedure is to decrease the dangers that are not acceptable – this is typically achieved by intending to use the controllers from Annex A. In this step a Risk Assessment Report needs to be composed, which documents of the actions taken during risk treatment procedure and risk assessment. An approval of risks must be obtained – as part of the Statement of Applicability, or as a separate file.

Write the Statement of Applicability

When you finished your risk Treatment procedure, you will learn exactly which controllers from Annex you need (there are a total of 133 controllers but you probably would not need them). The objective of this document (often known as SoA) is to record all controls and to specify which are applicable and that are not and the reasons for such a decision, the goals to be achieved together with the controllers along with a description of how they are implemented. Applicability’s Statement Is the record to obtain management authorization.