
Every organisation must pull out all the stops to protect its data from unauthorised access through cyber security. Given the increased reliance on the Internet, more people are storing confidential data online. If that data falls into the wrong hands, the result can be extensive damage that costs millions of dollars to remediate, particularly when the data was accessed through a company’s compromised IT system.

For this reason, it is crucial to implement an ISO 27001-compliant information security management system (ISMS), which can help your business protect all its data. Working with security consulting firms can help make this process easier for you and your organisation.

This article will cover the first five steps of the process; the rest of the steps needed to implement the system will be discussed in part 2. Here is what you need to know about implementing an ISO 27001-compliant ISMS:

Step 1: Gather Your Implementation Team

You should first gather a team with comprehensive knowledge of information security and the leadership capabilities they need to instruct managers whose departments they’ll have to check for compliance. You’ll then appoint a project leader who will supervise the implementation of the ISMS and ensure everything is done correctly.

The project leader will still need a few people to help them; they can either choose those staff themselves or work with senior management’s choices. Once the team is complete, it must establish the project mandate, which answers a few core questions, such as:

    1. What is the goal of this project?
    2. How long will it take?
    3. How much will the project cost?
    4. Does the project have ample support from management?

Step 2: Create the Implementation Strategy

The next step is to plan for the implementation. The assembled team will rely on its project mandate to produce a more thorough outline of its information security objectives, risk register, and plan to account for all possible details. Doing this also involves establishing high-level policies for ISMS that institute roles and responsibilities, guidelines for continued improvement, and ways to raise awareness of the project.

Step 3: Choose Your Methodology

With the plan solidified, it is now time to settle on the continual improvement methodology that will keep the implementation on track. ISO 27001 does not prescribe a specific method; instead it recommends a “process approach”, in practice a plan-do-check-act (PDCA) cycle, to keep the project on course.

However, any model should be acceptable if the team clearly understands and defines the requirements and processes, implements them correctly, and reviews and improves them frequently. Additionally, the team must create an ISMS policy, which outlines what the implementation team intends to achieve and how it plans to do so. Once completed, the board must approve it.

At this stage, the team can also develop its document structure. It is best to put policies at the top, stating the organisation’s stance on issues such as acceptable use and password management. These should be followed by procedures that enforce the policies’ requirements, then work instructions that explain how employees must comply with them. Lastly, the structure should include records that show the procedures and work instructions are actually being followed.

Step 4: Establish the ISMS’s Framework

The ISO 27001 standard explains the process of acquiring a comprehensive view of the ISMS’s framework in clauses 4 and 5, which will help you determine the scale of your organisation’s ISMS and how far it reaches into your everyday operations. That means you must work with the project team leader to note down everything relevant to your business to ensure the ISMS meets your needs.

Part of this process is establishing the scope of your ISMS, which involves pinpointing the places you store information, whether physical or digital, including on-premises systems and portable devices. It is crucial to define your scope correctly: if it is too narrow, some information will be left outside the ISMS and exposed to attackers; if it is too broad, the ISMS will be too complicated to manage.

Step 5: Pinpoint Your Security Baseline

Lastly, determine your organisation’s security baseline, which is the minimum level of activity needed to conduct your business securely and protect it from unauthorised access. Using the information gathered in your ISO 27001 risk assessment, you can find this baseline, which helps you identify your business’s biggest security vulnerabilities and the appropriate ISO 27001 controls needed to reduce the risk.
These are the first few steps of implementing an ISO 27001-compliant ISMS. Be sure to check out part 2 for the rest of the steps. Rabbon is one of the leading cyber security consultants in Sydney, helping organisations minimise their cyber risks. We offer a wide range of cloud security services, enterprise security, GRC consulting, and many more. Contact us today to get started on protecting your organisation!

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants and GRC Consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone”.
