6 Steps to get ISO 27000

Step 0. Decision

Senior management must back the decision to implement ISO 27000 and support it at each and every step.

Step 1. Defining Scope of Implementation

The scope of implementation should be defined, together with its operational and functional boundaries.

Step 2. Documentation

Like ISO 9000, ISO 27000 needs comprehensive documentation in order to address all applicable milestones and the administrative, technical, and physical controls/safeguards. These documents will be used to check whether or not the organization meets ISO 27000 requirements.

These documents would be a policy (or set of policies) and its related documented procedures and guidelines, which ensure that the business adheres to ISO requirements in an efficient and achievable way.

The ISO 27002 standard is a huge help in preparing such documentation, but it is not necessary to select the controls/safeguards from the ISO 27002 text.

At least 15 different documents are required for ISO/IEC 27001:2013:

  • Scope of ISMS (item 4.3, Page 1)
  • Policy (item 5.2, Page 2)
  • IS Risk Assessment process (item 6.1.2, Page 3)
  • IS Risk Treatment process (item 6.1.3, Page 4)
  • IS Objectives (item 6.2, Page 5)
  • Evidence of the competence of the people doing work on IS (item 7.2, Page 5)
  • Other documents deemed necessary by the organization for ISMS (item 7.5.1b, Page 6)
  • Operational Planning and Control Documents (item 8.1, Page 7)
  • Results of IS Risk Assessments (item 8.2, Page 7)
  • Results of IS Risk Treatment (item 8.3, Page 7)
  • Documented information as evidence of the monitoring and measurement results (item 9.1, Page 7)
  • Internal audit program plus audit results (item 9.2, Page 8)
  • Documented information as evidence of top management review (item 9.3, Page 8)
  • Evidence of nonconformities identified, actions taken and the results (item 10.1, Page 9)
  • Other documentation that might be needed: a policy on rules for acceptable use of assets (use policy), access control policy, operating procedures, confidentiality and nondisclosure agreements, secure system principles, information security policy for supplier relationships or vendors, information security incident response procedures, regulations and contractual obligations, associated compliance procedures, and an information security continuity plan.

Auditors will check that the above-mentioned documentation is present, up to date, and fits the ISMS scope defined in Step 1.

Step 3. Realization

By applying gap analysis (comparing actual performance with the desired performance and the documentation), it is time to make sure that the organization is following all procedures and guidelines. It is better to conduct a pre-assessment first, to make sure that the organization is on the right track. A pre-assessment can be conducted using pre-assessment forms, gathering evidence, and filling in checklists.

Another key to a successful realization step is communicating with all employees about the processes in place, the need to adopt them fully, and the need to report back all discrepancies.

Step 4. Internal Audit

An experienced (or certified) internal or external auditor is needed for this step, along with audit tools such as forms and checklists.

Step 5. Certification Audit

ISO (the International Organization for Standardization) does not perform certification for ISO 27001. Certification companies such as SGS, TÜV Rheinland or BSI can conduct the audit and issue the certificate. The certificates are usually valid for 3 years.

Step 6. Maintaining the Certification

To keep the ISMS working, the organization should integrate it into daily operations. Continual improvement and change management are the other essential parts of this ongoing step.

Ben Pournader

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB