
Cyber security is one of the most important parts of running an organisation, because it protects you from attacks that aim to steal your data and sell or publish it. When the data in question belongs to your customers, your reputation and credibility are also at stake, and trust is very hard to rebuild once lax security has allowed their information to be exposed. Implementing a structured set of security measures, such as an information security management system (ISMS) that complies with ISO 27001, lets you manage these risks systematically rather than piecemeal.

Our previous article covered the first five steps of implementing an ISMS. This article discusses the remaining four. Here’s what you need to know:

Step 6: Institute a Risk Management Process

Risk management is the core of an ISMS, since nearly every other component of your security programme is driven by the risks you have identified. The Standard does not prescribe a single methodology: each organisation defines its own risk assessment process, typically either asset-based (what could happen to each information asset) or scenario-based (what happens in a given event), and applies it consistently so that repeated assessments produce comparable results.

Whichever method you choose, your security decisions must follow from that assessment. The sequence is: first define your risk assessment criteria and your risk acceptance criteria (the level of harm and the likelihood you are prepared to live with); then identify the risks, analyse each one for its potential consequences and the probability of it occurring, evaluate the result against the acceptance criteria, and select a treatment option for each risk that exceeds them (modify the risk with controls, share it, avoid it, or knowingly retain it). Each risk should have a named risk owner, who approves the treatment plan and accepts whatever residual risk remains after treatment.

Note that ISO 27001 requires you to produce a Statement of Applicability: a list of the controls you have determined to be necessary, the justification for each (typically the risks it treats), whether it is implemented, and a justification for any Annex A control you have excluded.
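To make the sequence in this step concrete, here is a small Python example, added to this article rather than taken from the Standard or from Rabbon, that scores a constructed risk register against acceptance criteria, records the treatment decision for each risk, and re-scores residual risk after treatment. The 5x5 scales, the thresholds, the risk references (R-01 and so on), the owners and the control names are all assumptions for illustration; ISO 27001 leaves those choices to the organisation.

```python
from dataclasses import dataclass

# Qualitative scales for this added example. ISO 27001 does not prescribe scales
# or scores; they are part of the risk assessment criteria an organisation defines.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    ref: str          # register identifier (hypothetical)
    asset: str
    scenario: str
    owner: str        # risk owner who approves treatment and accepts residual risk
    likelihood: str
    impact: str


@dataclass
class Treatment:
    control: str      # control selected to modify the risk (hypothetical names)
    new_likelihood: str
    new_impact: str


@dataclass
class Criteria:
    # Risk acceptance criteria, fixed before any individual risk is assessed.
    accept_max: int    # a score at or below this is retained without further treatment
    escalate_min: int  # a score at or above this needs top-management sign-off


def score(likelihood: str, impact: str) -> int:
    """Risk level as likelihood x impact, 1..25 on the scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def evaluate(risk: Risk, criteria: Criteria) -> str:
    """Compare an analysed risk with the acceptance criteria and return the required action."""
    s = score(risk.likelihood, risk.impact)
    if s <= criteria.accept_max:
        return "retain"           # within appetite: record the decision, no new control
    if s >= criteria.escalate_min:
        return "treat+escalate"   # outside appetite and severe enough to need management approval
    return "treat"                # outside appetite: modify, share or avoid the risk


def residual(risk: Risk, treatment: Treatment, criteria: Criteria) -> dict:
    """Re-score a risk after treatment; the residual must be accepted by the risk owner."""
    before = score(risk.likelihood, risk.impact)
    after = score(treatment.new_likelihood, treatment.new_impact)
    return {
        "ref": risk.ref,
        "owner": risk.owner,
        "control": treatment.control,
        "inherent": before,
        "residual": after,
        "acceptable": after <= criteria.accept_max,
    }


def statement_of_applicability(plan: list) -> dict:
    """Map each selected control to the risks that justify it (input to the SoA)."""
    soa: dict = {}
    for risk, treatment in plan:
        soa.setdefault(treatment.control, []).append(risk.ref)
    return soa


# Constructed sample register and treatment plan (not real data).
CRITERIA = Criteria(accept_max=6, escalate_min=15)
REGISTER = [
    Risk("R-01", "customer database", "stolen admin credentials used to export all records",
         "Head of Engineering", "likely", "severe"),
    Risk("R-02", "office network", "guest Wi-Fi can reach internal servers",
         "IT Manager", "possible", "moderate"),
    Risk("R-03", "marketing website", "defacement of static content",
         "Marketing Lead", "unlikely", "minor"),
]
PLAN = [
    (REGISTER[0], Treatment("MFA and least-privilege database roles", "unlikely", "major")),
    (REGISTER[1], Treatment("segmentation between guest and internal VLANs", "rare", "moderate")),
]


def run(register=REGISTER, plan=PLAN, criteria=CRITERIA) -> dict:
    """Evaluate the register and the plan; flag residual risks still outside the criteria."""
    actions = {r.ref: evaluate(r, criteria) for r in register}
    residuals = [residual(r, t, criteria) for r, t in plan]
    still_open = [x["ref"] for x in residuals if not x["acceptable"]]
    return {"actions": actions, "residuals": residuals, "still_open": still_open,
            "soa": statement_of_applicability(plan)}


if __name__ == "__main__":
    result = run()
    for ref, action in result["actions"].items():
        print(f"{ref}: {action}")
    for x in result["residuals"]:
        print(f"{x['ref']}: {x['inherent']} -> {x['residual']} via {x['control']}, "
              f"acceptable={x['acceptable']}, owner={x['owner']}")
    print("needs further treatment or explicit owner acceptance:", result["still_open"])
```

Run it and note that R-01 stays above the acceptance threshold even after treatment: the risk owner must either add further controls or formally accept the residual risk, and that decision should be recorded alongside the Statement of Applicability rather than left implicit. The control-to-risk map that `statement_of_applicability` returns is the justification column an auditor will ask for.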

Step 7: Enact Your Risk Treatment Plan

The next step is to implement your risk treatment plan, which means putting in place the controls selected in Step 6 to protect the confidentiality, integrity and availability of your information assets. To verify that the controls are adequate, check that staff can operate and interact with them correctly; a control that is too cumbersome to use tends to get worked around. Staff must also understand their own information security responsibilities, which is where awareness training comes in.

In this step you also need a process to identify, monitor and maintain the competencies required to meet your ISMS objectives. This usually involves a training needs analysis, deciding the level of competence each role requires, and keeping evidence (such as training records) that the required competence has been achieved.

Step 8: Measure, Track, and Review Your ISMS

You cannot know whether your ISMS is working unless you measure it. Decide what to monitor and measure, how, how often and by whom, and hold a management review at planned intervals, at least annually in practice. This cadence lets you keep running day-to-day operations while still tracking the changing risk landscape and making larger changes when the evidence calls for them. The review checks performance against the information security objectives you set in the project mandate, using the criteria defined there.

You should also conduct regular internal audits, which will surface gaps caused by changes in your organisation, your technology or the threat landscape. Audit findings, together with measurement results and any incidents, form the inputs to the management review, and the resulting decisions feed the continual improvement process that keeps the ISMS effective.

Step 9: Seek ISO 27001 Certification

Once your ISMS is firmly in place, you can seek ISO 27001 certification, which means submitting to an external audit by an accredited certification body. The audit happens in two stages. Stage 1 reviews your documentation and readiness to confirm that the ISMS has been designed according to the Standard’s requirements; if the auditor is satisfied, Stage 2 examines in depth whether the controls are actually implemented and operating effectively. After certification, expect periodic surveillance audits and a recertification audit, usually on a three-year cycle.

Be confident in your readiness before you book the audit, as the process is lengthy and demanding. Any nonconformities raised must be corrected before a certificate is issued, and the certification body’s fees are payable whether or not you pass, so it pays to get everything right first time.


Implementing an ISO 27001-compliant ISMS can be tricky, but working with a cyber security consulting firm can make the process much smoother. With this guide, you know what a successful implementation requires.

Rabbon is a Cybersecurity company based in Sydney and Melbourne specialising in helping organisations become cyber resilient and streamlining operations by identifying and mitigating key cyber risks. Our services include cloud security services, GRC consulting, enterprise security, and many more. Contact us today to find out more about how we can help you with your cyber security needs.