ISO 27001 ISMS Implementation Guide: Building an Information Security Management System from Scratch
- What is ISMS?
- ISMS Definition
- Relationship with ISO 27001
- PDCA Continual Improvement Cycle
- 8 Steps to ISMS Implementation
- Step 1: Obtain Management Commitment
- Step 2: Define ISMS Scope
- Step 3: Risk Assessment
- Step 4: Establish Controls
- Step 5: Documentation
- Step 6: Training
- Step 7: Implementation and Operation
- Step 8: Monitoring and Measurement
- Internal Audit Practices
- Internal Auditor Role and Qualifications
- Audit Plan Development
- Audit Execution Techniques
- Nonconformity Handling
- Management Review
- Review Input Items
- Review Output Items
- Meeting Minutes Key Points
- Continual Improvement
- Corrective Actions
- Preventive Actions
- Identifying Improvement Opportunities
- FAQ: Common ISMS Questions
- Q1: How long does ISMS implementation take?
- Q2: Can we do it without dedicated security staff?
- Q3: Must internal audit be done internally?
- Q4: Can ISMS documents use existing ones?
- Q5: How much effort does ISMS maintenance require?
- Next Steps
- Further Reading
- References
- Need Professional Cloud Advice?
ISO 27001 ISMS Implementation Guide: Building an Information Security Management System from Scratch
You've been assigned the task of "implementing ISO 27001."
Now what?
This article will tell you what ISMS is, how to build it from scratch, and how to conduct internal audits. Practical-oriented, no empty talk.
For a complete introduction to ISO 27001, see ISO 27001 Complete Guide.
What is ISMS?
ISMS Definition
ISMS stands for Information Security Management System.
In plain language: A system for managing your company's information security.
Note that it's a "management system," not a piece of software or tool.
ISMS includes:
| Component | Description |
|---|---|
| Policies | Company's commitment and direction for security |
| Procedures | Processes and steps for doing things |
| People | Who is responsible for what |
| Technology | Firewalls, encryption, access control, etc. |
| Records | Evidence that you've done things |
Relationship with ISO 27001
ISO 27001 is the standard for building ISMS.
| Concept | Description |
|---|---|
| ISO 27001 | Tells you "what ISMS should look like" |
| ISMS | The "actual system" built according to ISO 27001 |
So when we say "implement ISO 27001," we actually mean "build an ISMS that conforms to ISO 27001."
PDCA Continual Improvement Cycle
The core spirit of ISMS is the PDCA cycle.
| Phase | Full Name | What to Do |
|---|---|---|
| P | Plan | Assess risks, develop plans |
| D | Do | Implement controls |
| C | Check | Monitor effectiveness, internal audit |
| A | Act | Improve issues, continuously optimize |
Key point: This is a "cycle," not a one-time thing.
Every year (or even every quarter) you need to go through this cycle again.
Want to implement ISMS but don't know where to start? Book a free consultation and let us help you plan.
8 Steps to ISMS Implementation
Step 1: Obtain Management Commitment
Why is this important?
Without management support, nothing can be done.
ISMS requires:
- Manpower (who will do it)
- Budget (consultant fees, certification fees, tools)
- Time (employees need to cooperate)
- Authority (can require departments to change)
All of these need management approval.
How to do it?
Prepare a presentation for management explaining:
| Item | Content |
|---|---|
| Why do this | Customer requirements, tender needs, risk management |
| How much it costs | Estimate of consulting + certification fees |
| How much manpower | Which people need to be involved |
| Expected benefits | Which tenders and customers you can win |
| Timeline | How long until you can get the certificate |
Output: Management commitment letter (can be meeting minutes or formal document)
Step 2: Define ISMS Scope
Why is this important?
Not the entire company needs to be included in ISMS.
Scope too large: High cost, high complexity Scope too small: Limited certificate value
How to define it?
Consider these factors:
| Factor | Description |
|---|---|
| Customer requirements | Which service does customer require to be certified |
| Business core | What is the most important business |
| Risk level | Which area has the highest risk |
| Budget constraints | How large a scope can you afford |
Common approaches:
- Only include a certain department (e.g., R&D)
- Only include a certain service (e.g., SaaS product)
- Only include a certain location (e.g., headquarters)
Output: ISMS scope document
Step 3: Risk Assessment
This is the core of ISMS.
Risk assessment determines which controls you need to implement.
Steps:
| Step | Description | Example |
|---|---|---|
| 1. Asset inventory | List information assets within scope | Servers, databases, documents |
| 2. Threat identification | Events that could harm assets | Hacker attacks, employee negligence |
| 3. Vulnerability identification | Weaknesses that could be exploited | No encryption, weak passwords |
| 4. Impact assessment | How serious the consequences | Score 1-5 |
| 5. Likelihood assessment | How likely to occur | Score 1-5 |
| 6. Risk value calculation | Impact × Likelihood | Score 1-25 |
| 7. Risk prioritization | Determine priority order | High risk first |
Output: Risk register
Step 4: Establish Controls
Based on risk assessment results, decide which controls to implement.
Steps:
- For each risk, choose treatment approach (mitigate, transfer, avoid, accept)
- If choosing "mitigate," select appropriate controls
- Reference ISO 27001 Annex A's 93 controls
- Can also use controls outside Annex A
Output:
- Risk treatment plan
- Statement of Applicability (SoA)
For detailed control explanations, see ISO 27001 Clause Guide.
Step 5: Documentation
ISMS needs documents for support.
Four-tier documentation system:
| Tier | Type | Example |
|---|---|---|
| Tier 1 | Policy | Information Security Policy |
| Tier 2 | Procedure | Risk Assessment Procedure, Incident Management Procedure |
| Tier 3 | Work Instruction | Backup SOP, Account Request SOP |
| Tier 4 | Records | Risk Register, Audit Records |
Document writing principles:
- What's written should match what's done
- Don't write just for the sake of writing
- Concise and clear is better than lengthy and detailed
- Maintain version control
Output: Policies, procedures, SOPs, forms
Step 6: Training
Employees won't do what they don't know.
Training targets and content:
| Target | Training Content |
|---|---|
| All employees | Security awareness, policy understanding |
| IT staff | Technical control operations |
| Management | ISMS concepts, management responsibilities |
| Internal auditors | Audit techniques and methods |
Training methods:
- In-person courses
- Online learning
- Awareness emails
- Posted announcements
Output: Training records, sign-in sheets
Step 7: Implementation and Operation
Put plans into action.
| Work | Description |
|---|---|
| Implement controls | Install firewalls, set permissions, establish processes |
| Execute procedures | Operate according to written procedures |
| Record activities | Keep evidence of execution |
| Handle incidents | Handle according to incident management procedure |
Key point: Keep records; auditors will review them.
Output: Operational records
Need professional help with implementation? Let us help, accompanying you from planning to execution.
Step 8: Monitoring and Measurement
After doing, confirm if it's effective.
| Monitoring Item | Description |
|---|---|
| Security objective achievement | Are objectives being met |
| Control effectiveness | Are controls working |
| Security incident count | Are incidents increasing or decreasing |
| Training completion rate | Have employees completed training |
Output: Monitoring reports, KPI records
Internal Audit Practices
Internal Auditor Role and Qualifications
What do internal auditors do?
- Check if ISMS complies with standard requirements
- Check if actual operations match documented procedures
- Find issues, propose improvement suggestions
Qualification requirements:
| Requirement | Description |
|---|---|
| Independence | Cannot audit your own work |
| Competence | Understand ISO 27001 standard |
| Training | Recommend taking internal auditor course |
Common approaches:
- Small companies: Cross-department mutual audits
- Large companies: Dedicated audit team
- Or: Outsource audits
Audit Plan Development
An audit plan must be developed annually.
Plan content:
| Item | Description |
|---|---|
| Audit scope | Which departments/processes to audit |
| Audit schedule | When to audit |
| Auditor assignment | Who audits which area |
| Audit criteria | What standard to audit against |
Principles:
- Audit all scope at least once a year
- High-risk areas can increase frequency
- Usually do internal audit before certification audit
Audit Execution Techniques
Three audit steps:
| Step | What to Do |
|---|---|
| 1. Prepare | Read documents, prepare checklists |
| 2. Execute | Interview, review records, observe operations |
| 3. Report | Organize findings, write report |
Interview techniques:
- Ask open-ended questions ("How do you do...")
- Ask them to demonstrate actual operations
- Request to see records and evidence
- Stay objective, non-judgmental
Audit focus:
- Are they following procedures
- Are they keeping records
- Are records complete and accurate
- Do people understand their responsibilities
Nonconformity Handling
When issues are found, classify them.
| Classification | Definition | Example |
|---|---|---|
| Major nonconformity | Systemic deficiency, serious impact | Never did risk assessment |
| Minor nonconformity | Single deficiency, limited impact | One record not signed |
| Observation | Improvement suggestion, not a deficiency | Suggest increasing backup frequency |
Handling process:
- Record: Clearly describe the issue found
- Analyze: Find root cause
- Correct: Take improvement measures
- Verify: Confirm improvement is effective
- Close: Update records
Management Review
Review Input Items
Data management must review:
| Input Item | Content |
|---|---|
| Previous review follow-up | Execution status of previous decisions |
| Internal/external changes | Regulatory changes, business changes |
| Security performance report | Objective achievement rate, incident statistics |
| Audit results | Internal audit, external audit findings |
| Stakeholder feedback | Customer, employee opinions |
| Risk assessment results | Risk change status |
| Improvement opportunities | Areas that can be done better |
Review Output Items
Decisions management must make after review:
| Output Item | Description |
|---|---|
| Resource needs | Need to add manpower/budget |
| Improvement decisions | What to improve, how to improve |
| Objective adjustments | Do security objectives need modification |
| ISMS changes | Does scope, policy need adjustment |
Meeting Minutes Key Points
Management review records are documents auditors must review.
Records must include:
- Meeting time, location
- Attendees (including senior management)
- Data reviewed
- Discussion content
- Decisions made
- Responsible persons and deadlines
Common deficiencies:
- Senior management didn't attend
- Only sign-in sheet, no substantial discussion records
- Decisions not followed up
Continual Improvement
Corrective Actions
Process when issues are found:
| Step | Description |
|---|---|
| 1. Immediate response | Control problem, reduce impact |
| 2. Cause analysis | Find root cause (not just surface cause) |
| 3. Take corrective action | Prevent issue from recurring |
| 4. Verify effectiveness | Confirm corrective action worked |
| 5. Update documents | Update procedures, risk assessment if needed |
Cause analysis techniques:
- 5 Why analysis: Keep asking "why" 5 times
- Fishbone diagram: Analyze from people, machine, material, method, environment
Preventive Actions
Don't wait for problems to occur before addressing them.
Sources of preventive actions:
- Potential risks found in risk assessment
- Observations from audits
- New threats shown in security intelligence
- Employee improvement suggestions
Identifying Improvement Opportunities
ISMS isn't just "maintaining status quo"—it should "continuously improve."
Methods to identify improvement opportunities:
| Method | Description |
|---|---|
| Benchmarking | See how others do it |
| Technology updates | Introduce new security tools |
| Process optimization | Simplify cumbersome procedures |
| Feedback analysis | Collect employee, customer opinions |
FAQ: Common ISMS Questions
Q1: How long does ISMS implementation take?
By company size:
- Small enterprise: 4-6 months
- Medium enterprise: 6-12 months
- Large enterprise: 12-18 months
This is time until "ready to apply for certification," not "finished." ISMS operates continuously.
Q2: Can we do it without dedicated security staff?
Yes, but recommended:
- Assign one project lead
- Get consultant assistance
- Have each department provide support
It can't be done with absolutely no one invested.
Q3: Must internal audit be done internally?
Not necessarily. Options:
- Train internal auditors yourself
- Commission external consultants
- Mix of both (do it yourself + external guidance)
Key point is independence—auditors cannot audit their own work.
Q4: Can ISMS documents use existing ones?
Yes. ISO 27001 doesn't require specific formats.
If existing documents already cover required content, use them directly or modify slightly.
Q5: How much effort does ISMS maintenance require?
Approximately per year:
- Risk assessment update: 1-2 weeks
- Internal audit: 1-2 weeks
- Management review: 1-2 days
- Daily maintenance: Ongoing
- Surveillance audit cooperation: 2-3 days
Next Steps
Building ISMS from scratch isn't easy, but with professional consultant assistance, the entire process goes much smoother.
Book a free consultation, from planning to execution, CloudSwap accompanies you through the entire journey.
We provide:
- Gap analysis
- Document templates
- Guidance services
- Internal audit assistance
- Certification support
Further Reading
- For complete standard introduction, see ISO 27001 Complete Guide
- For detailed clause interpretation, see ISO 27001 Clause Guide
- For 27002 implementation guidance, see ISO 27001 vs 27002 Comparison
- For implementation cost assessment, see ISO 27001 Implementation Cost Guide
References
Need Professional Cloud Advice?
Whether you're evaluating cloud platforms, optimizing existing architecture, or looking for cost-saving solutions, we can help