top of page


Step 1: Initiating the ISMS Project
• Purchase a copy of the ISO 27001 standard
• Obtain Senior Management commitment for the project
• Identify the project team and other required resources
• One-day workshop to understand the end-to-end process

Step 2: Defining the ISMS Project
• Executive workshop – define the ISMS scope, information security goals and objectives
• Understand any dependencies on other systems, define any exclusions
• Relationship to other regulatory, legislative or contractual requirements

Step 3: Documentation Preparation  
• Implement top-level information security policy, and specific supporting policies
• Implement other documentation and records required by the ISO 27001 standard
• Define approach, documentation and records for undertaking risk management (steps 4 & 5)
• Define approach, documentation and records for data protection (GDPR compliance)
• Agree documentation and records for ensuring supply chain security compliance

Step 4: Risk Assessment Activities
• Implementation of risk assessment and risk treatment activities to meet ISO 27001 standard
• Options for manual or cloud-based SaaS solution for undertaking risk assessments
• Provision of detailed training to asset owners and risk owners on chosen approach
• Workshop to identify information and supporting assets (and their relationships)

Step 5: Risk Treatment Activities
• Identification of unacceptable risks which are required to be treated
• Progression of unacceptable risks:
     Risk reduction (e.g. change of approach, application of new security controls)
     Risk transfer (e.g. pass the activity to an outsourced provider, insurance company)
     Risk avoidance (cessation of the activity to remove the identified risks)
     Risk acceptance (senior management acceptance of risks that cannot be treated)

Step 6: Training, Education and Culture Initiatives
• Preparation of information security and data protection training material
• Delivery of educational initiatives – e.g. workshops, webinars, surveys
• Training for contractors, third parties and any other personnel in scope of the ISMS
• Workplace assessment to identify security opportunities/weaknesses
• Optional: educational plan for GDPR/data protection activities

Step 7: Preparation for External Certification Assessment
• Introduction to UKAS audit organisation with preferential rates/scheduling
• Produce and validate Statement of Applicability (manually or automated)
• Conduct of audit readiness assessment, and remediation of any identified shortcomings
• Conduct of initial internal audits / internal audit training for own personnel

Step 8: External Certification Audit
• Stage 1 assessment – management elements and ISO 27001 standard compliance
• (progress to Stage 2 if no major non-conformities, otherwise repeat of Stage 1)
• Stage 2 assessment – delivery of information security in operational activities
• (progress to certification award if no major non-conformities)
• Certification awarded!

... and then:
• Review, assessment and remediation of any non-conformities identified
• Workshop to progress from certification preparation to “business as usual” maintenance
• Optional ongoing risk assessment, supplier management and internal audit support, etc.

Contact us to find out more.

Eight Steps to ISO 27001 Certification 

bottom of page