9 Steps to get a certified Information Security Management System (ISMS)

9 Steps to get an ISO 27001 certified Information Security Management System


Information Security Management System (ISMS) according to ISO 27001: this is how it works.

The corporate world is constantly changing and organizations need to adapt their priorities accordingly. Digitization is part of that change, and with it the secure handling of information becomes increasingly important. To remain competitive in their industry, companies need to treat protection against cyber attacks and data protection obligations as a core task rather than an afterthought.

Many companies therefore decide to manage their information security risk by implementing an ISMS (Information Security Management System) according to the ISO 27001 standard.

An ISMS is a system of processes, documents, technologies and people that enables a company to manage, monitor and continuously improve its information security within one coherent framework. A key element is the ongoing documentation of all processes and measures: an auditor can only verify what is written down and demonstrably in use.

ISO 27001 is the internationally recognized standard for an ISMS. Other frameworks and procedures exist, but many of them build on or map to the principles of ISO 27001.

9 Steps to an ISMS

Implementing an ISO 27001 compliant ISMS can take several months, but the benefits justify the effort. And don't worry: in this article we explain how you can implement an information security management system in nine steps.

At the end of this post, we also share this checklist with you as a free download.

Don't want to face this challenge alone? We would be glad to explain in a non-binding meeting how we can support you on your way to a certified ISMS.

1. Create a project

Start the implementation project by designating a project manager and a team around them. To begin, this team should ask themselves the following questions:

  • What do we want to achieve?
  • How long will it take?
  • What costs do we expect?
  • Does the management support the project?

It helps a great deal to have a trained Information Security Officer (ISO) on the team, someone who is familiar with the ISO 27001 standard and its requirements. This makes the whole process easier and saves time and money both in the short and in the long run.

2. Prepare the project

In this phase you discuss and agree on

  • the information security objectives,
  • who will be part of the project team,
  • a project schedule and
  • the structure of the risk register that the risk assessment (step 6) will fill.

3. Define the procedure for the ISMS implementation

In the next step, you agree on how to proceed with the implementation of the ISMS.

The ISO 27001 standard acknowledges that business processes cannot be introduced once and then left unchanged. Instead, they must be adaptable to changing circumstances and changing data. Therefore, the standard does not prescribe fixed processes. On the contrary: it envisions a "process approach" with continual improvement as the most effective way to manage information security.

ISO 27001 does not prescribe a specific methodology. Instead, it allows you to use the approach that works best for your company. You can also continue with an existing model if it has proven successful.

4. Create a Management Framework

Now you define the scope of your ISMS. Decide for which parts of your company the ISMS makes sense. For SMEs it is usually the entire company; for larger companies, only certain departments, locations or business processes may be relevant.

Make sure that every part of your company that handles sensitive information is covered by the system. ISO 27001 requires the scope to be written down as documented information, and the certification auditor will check that anything excluded from it is justified and does not hide relevant information flows.

How to scope your ISMS properly in 3 steps:

  • Identify each area and process where sensitive information is stored or processed.
  • Determine the ways in which this information can be accessed, including by suppliers and other external parties.
  • Define which parts of your company are out of scope and do not need further consideration, and record the reason.

5. Identify fundamental security criteria

In this phase, you identify the fundamental security requirements. These are the legal, regulatory and contractual obligations (for example data protection law and customer contracts) as well as the business requirements that set the minimum level of protection your operations need. They form the baseline against which the later risk assessment is measured.

6. Develop a Risk Management Process

To a large extent, ISO 27001 leaves it to the company to decide which risk management process it applies. Common methods focus either on the risks to specific assets (asset-based) or on specific risk scenarios (scenario-based). Each method has advantages and disadvantages; choose the one that suits your organization best. Whatever you choose, the standard requires that the risk acceptance criteria are defined before the assessment starts and that the method produces consistent, comparable and repeatable results. According to ISO 27001, five aspects form the core of a risk assessment:

  1. Establishment of a framework for the risk assessment (scales, acceptance criteria)
  2. Identification of risks
  3. Analysis of the risks (likelihood and impact)
  4. Evaluation of the risks against the acceptance criteria
  5. Selection of a risk treatment for each risk that is not acceptable:
     • risk reduction (modify the risk with controls),
     • risk avoidance (stop the activity that creates it),
     • risk sharing or transfer (insurance, supplier contracts),
     • risk acceptance (retain it, documented and approved by the risk owner).

7. Create a Risk Treatment Plan

Next, define the security measures (controls) you will use to protect your organization's information assets. Record them in a risk treatment plan that states, for each control, who implements it, by when, and what residual risk is expected, and obtain the risk owners' approval of that residual risk. The controls you select, and the reasons for excluding any from Annex A, are documented in the Statement of Applicability that the auditor will ask for. Implementing the controls also depends on people with the right competencies, so the plan should cover these steps:

  • Determine the required competencies.
  • Determine the steps needed to review and maintain those competencies, such as conducting a needs assessment and defining the desired level of competency.
  • Train your employees on a regular basis and educate them about their information security duties. Also check the effectiveness of the training and measures by evaluating whether employees can apply them and integrate them into their day-to-day work.
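The assessment and treatment steps above name the activities but not their mechanics. The following is an added example, not code from the original article and not a method prescribed by ISO 27001 (the standard prescribes none): it implements a simple asset-based scheme in which likelihood and impact are scored on an assumed 1 to 5 scale, the product is compared against assumed acceptance criteria, every treatment decision is reviewed for the gaps an internal auditor would raise, and the result is rendered as a risk treatment plan plus a draft Statement of Applicability. The scales, thresholds, Annex A references (2022 numbering) and the sample register are all assumptions made for this illustration.

```python
"""Asset-based risk assessment and treatment plan (added illustration).

Not ISO 27001's own method: the 1..5 scales, thresholds, control references
and the sample register are assumptions chosen for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

SCALE = range(1, 6)       # 1 = rare / negligible ... 5 = almost certain / severe
ACCEPTABLE_SCORE = 6      # likelihood x impact at or below this is acceptable (assumed)
ESCALATION_SCORE = 15     # above this a risk must be treated further, never just accepted


class Treatment(Enum):
    REDUCE = "reduce"   # modify the risk with controls
    AVOID = "avoid"     # stop the activity that creates the risk
    SHARE = "share"     # transfer part of the risk (insurance, supplier contract)
    ACCEPT = "accept"   # retain the risk, documented and approved by the risk owner


@dataclass
class Risk:
    risk_id: str
    asset: str
    scenario: str
    likelihood: int
    impact: int
    treatment: Treatment = Treatment.ACCEPT
    controls: tuple = ()                      # Annex A references (assumed numbering)
    residual_likelihood: Optional[int] = None # None = unchanged by the treatment
    residual_impact: Optional[int] = None
    owner: str = ""
    signed_off_by: str = ""                   # who approved a residual risk above criteria

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be in 1..5")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        if self.treatment is Treatment.AVOID:
            return 0  # the activity is stopped, so the risk no longer exists
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def evaluate(score: int) -> str:
    """Evaluation step: compare a score against the acceptance criteria."""
    if score <= ACCEPTABLE_SCORE:
        return "acceptable"
    if score > ESCALATION_SCORE:
        return "unacceptable"
    return "treat"


def review_treatment(risk: Risk) -> list:
    """Treatment step: reasons the chosen treatment would fail an internal review."""
    problems = []
    if risk.treatment is Treatment.REDUCE and not risk.controls:
        problems.append("REDUCE chosen but no controls selected")
    if risk.treatment in (Treatment.REDUCE, Treatment.SHARE) and risk.residual_score >= risk.inherent_score:
        problems.append("treatment does not lower the risk score")
    if risk.treatment is not Treatment.ACCEPT and not risk.owner:
        problems.append("no owner assigned for the treatment")
    verdict = evaluate(risk.residual_score)
    if verdict == "unacceptable":
        problems.append("residual risk above escalation threshold; further treatment required")
    elif verdict == "treat" and not risk.signed_off_by:
        problems.append("residual risk above the acceptance criteria needs risk owner approval")
    return problems


def treatment_plan(register: list) -> list:
    """One row per risk that needs action, highest inherent risk first."""
    rows = []
    for r in sorted(register, key=lambda r: r.inherent_score, reverse=True):
        if r.treatment is Treatment.ACCEPT and evaluate(r.inherent_score) == "acceptable":
            continue  # nothing to implement: the risk is simply retained
        rows.append({"risk": r.risk_id, "treatment": r.treatment.value, "controls": list(r.controls),
                     "owner": r.owner, "inherent": r.inherent_score, "residual": r.residual_score,
                     "issues": review_treatment(r)})
    return rows


def statement_of_applicability(register: list) -> dict:
    """Draft SoA: every selected control with the risks that justify it."""
    soa = {}
    for r in register:
        for control in r.controls:
            soa.setdefault(control, []).append(r.risk_id)
    return soa


# Constructed sample register for this example; not real data.
REGISTER = [
    Risk("R1", "Customer database", "Ransomware encrypts production data", 4, 5, Treatment.REDUCE,
         ("A.8.7 Protection against malware", "A.8.13 Information backup"),
         residual_likelihood=2, residual_impact=3, owner="Head of IT"),
    Risk("R2", "Laptop fleet", "Lost laptop with unencrypted disk", 3, 4, Treatment.REDUCE,
         ("A.8.24 Use of cryptography",), residual_impact=1, owner="Head of IT"),
    Risk("R3", "Legacy FTP server", "Credentials captured in clear text", 3, 3, Treatment.AVOID, owner="Head of IT"),
    Risk("R4", "Payment provider", "Provider outage stops checkout", 2, 4, Treatment.SHARE, residual_impact=2, owner="CFO"),
    Risk("R5", "Office printer", "Unauthorised person reads a print job", 2, 2),
    Risk("R6", "Unapproved SaaS tool", "Customer data uploaded to an unvetted service", 3, 3),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(row)
    print(statement_of_applicability(REGISTER))
```

In the sample register R6 is deliberately left as an unreviewed acceptance: its score of 9 is above the acceptance criteria and nobody has signed it off, so `review_treatment` flags it, which is exactly the finding an auditor raises when a risk register contains risks that were quietly "accepted" by default. R5 scores 4 and is accepted without further action, which is legitimate under the assumed criteria.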

8. Measure, monitor and verify the results

For an ISMS to work, the information security objectives must be met not only in the short term but in the long term. Therefore, you should regularly review and monitor your ISMS. To measure the effectiveness and implementation of controls, identify metrics or other methods that work for your organization. ISO 27001 also requires internal audits at planned intervals and a management review of the results; both have to have taken place, with records, before the certification audit.

9. Get ISO 27001 certified

With the ISO 27001 certification, you prove that your ISMS works and that your company practices information security at a high level. Therefore, we strongly advise you to initiate certification by an accredited certification body as soon as the ISMS is in operation and has produced the first evidence of that operation (internal audit, management review, records of the risk treatment).

The certification process takes place in two stages: a review of your ISMS documentation (stage 1), followed by an audit at your company's site (stage 2), in which the certification body verifies that the processes and controls are practiced as documented.

Free Download File: 9 steps to implement your certified ISMS

Download these 9 helpful steps and work through the checklist one by one.

ISEGRIM X®: Your partner on the way to your ISO 27001 certification

We get you on the fast track to ISMS certification or help you implement an ISMS quickly and cost-effectively!