Implementation of ISO 27001

How to implement ISO 27001

ISO 27001 checklist

The ISO 27001 certification includes clear and strict guidelines for planning, implementing and monitoring with regard to information security. No matter which type or which size, the ISO 27001 guidelines apply to every company.

In order to be awarded with the ISO 27001 certificate by an impartial and reliable certification body, such as TÜV UK Ltd., your business needs to meet or exceed the ISO 27001 requirements.

Please find below a checklist which includes all the important steps for implementing an Information Security Management System.


  1. Become familiar with the requirements of ISO 27001
    Preparation is the key to a business success. In order to reap the benefits of ISO 27001 you need to
    understand the contents of the standard in order to comply with it.

  2. ISO 27001 risk assessment 
    The next step for your project team is to undertake a risk assessment in order to frame your Information Security Management System. Core elements of the risk assessment process include the following: develop a risk management framework, diagnose, analyse and assess the risks and the potential risk treatment. The outcome is an overview of the realistic threats that could face your business. Use this overview as a starting point for considerations to target based solutions.

  3. Controls and Annex A 
    After a successful risk assessment has taken place you can apply appropriate controls in order to limit the risks and threats. Within ISO 27001 it is a mandatory step to identify the controls that apply to your company.

  4. Documentation
    The ISO 27001 documentation requires two mandatory documents:

    1) The risk treatment plan (RTP) and

    2) the Statement of Applicability (SoA).

    The RTP contains all the necessary steps to encounter all threats that are identified during the risk assessment. The SoA is a list of controls defined in ISO 27001. The SoA identifies each control and explains in detail whether it has been applied or not and the reason why.

  5. Train your staff
    To err is human and human beings are an information security risk. That is why it is important to provide frequent training to your employees in order to raise their awareness of information security issues.

  6. Internal audit
    ISO 27001 prescribes frequently internal audits to check conformity against the controls.

  7. ISO 27001 certification 
    The last step is to choose a Certification Body that checks if your documentation and controls comply with ISO 27001 and are deployed in practice. Choice of Certification Body is very important. It is recommended that a UKAS accredited Certification Body is chosen to provide stakeholder confidence. 


Congratulations, now you are ready for ISO 27001 Certification!

ISO 27001 FAQs

  • What are the benefits of obtaining the ISO 27001 certificate?
  • How do I ensure that I meet all certification requirements? 


We are looking forward to your enquiry


AMP House
Suites 27 - 29, Fifth Floor, Dingwall Road
Croydon, CR0 2LX

+44 20 8680-7711
Fax : +44 20 8680-4035