ISO 27001 Implementation and Process Definition Steps.

Project phases and Structure.

ISO 27001 and Business Continuity Management System 22301 Implementation Consulting services include.

  • Planning phase: ISO 27001 Objectives, ISO 27001 Risk Assessment and ISO 27001 SOA preparation.
  • Implementation of the selected controls as per SOA.
  • ISO 27001 Internal audit Process.
  • ISO 27001 Measurement and Metrics Process.
  • Management Review and Continual Improvement.

Steps 3, 4 and 5 are also applicable for ISO 9001:2015 Implementation. Please visit our services for ISO 9001 here.

Responsibilities for ISO 27001 Implementation.

SS Consulting will steer the entire ISO 27001 implementation Processes and will work through CISO (Chief Information System Officer). The Customer organisation will share all the necessary details during ISO 27001 implementation and support the process by strictly following the SOPs and Procedures.


SS Consulting Team configuration will be determined at the time of Project Kick Off.  Our ISO 27001 implementation team will work under the guidance of the Lead Auditor K. Sridhar who is going to be the principle ISO 27001 Consultant and Trainer.

The Customer organization will provide the Core team members to work along with the IS0 27001 implementation team of SS Consulting. The core team may include Steering Committee, System Admin, IQA team and other support teams.


The following documents will be provided by the ISO 27001 Consultant based on the ISO 27001 model requirement.

  • Procedure for Document and Record Control– procedure prescribing basic rules for writing, approving, distributing and updating documents and records.
  • Procedure for Identification of Requirements – procedure for identification of statutory, regulatory, contractual and other obligations
  • Scope of the Information Security Management System a document precisely defining assets, locations, technology, etc. thatare part of the scope.
  • Information Security Policy– this is a key document used by management to control information security management.
  • Risk Assessment and Risk Treatment Methodology– describes the methodology for managing information risks.
  • ISO 27001 Risk Assessment Table– the table is the result of assessment of asset values, threats and vulnerabilities.
  • Risk Treatment Table– a table in which appropriate security controls are selected for each unacceptable risk.
  • ISO 27001 Risk Assessment and Risk Treatment Report – a document containing all key documents made in the process of risk assessment and risk treatment.
  • ISO 27001 Statement of Applicability– a document that determines the objectives and applicability of each control according to Annex A of the ISO 27001 standard.
  • Procedure for Internal Audit– defines how auditors are selected, how audit programs are written, how audits are conducted and how audit results are reported.
  • Procedure for Corrective Action – describes the process of implementation for corrective and preventive actions.
  • Form for Management Review Minutes– a form used to create minutes from the management meeting held to review ISMS adequacy.
  • ISO 27001 Risk Treatment Plan– an implementation document specifying controls to be implemented, who is responsible for implementation, deadlines and resources.

During ISO 27001 Implementation or ISMS and BC systems, the following policies will be provided.

  • Business Continuity Management Policy– sets a basic framework for the BCMS, determines the scope and responsibilities.
  • Business Impact Analysis (BIA) questionnaires– analysis of qualitative and quantitative impacts on business, of necessary resources, etc.
  • Business Continuity Strategy– defines critical activities, inter dependencies, recovery time objectives, strategy for managing and ensuring business continuity, strategy for recovering resources, strategy for individual critical activities.
  • Business Continuity Plan– a detailed description of how to respond to disasters or other business disruptions, and how to recover all critical activities.
  • Training and Awareness Plan– a detailed overview of how employees will be trained to execute planned tasks, and how they will be made aware of the importance of business continuity.
  • Business Continuity Exercising and Testing Plan– describes how plans will be exercised and tested with the objective of identifying necessary corrective actions and improving the plan.
  • BCMS Maintenance and Review Plan– a detailed overview of how plans and other BCMS documents should be maintained to ensure their functioning in the case of business disruption.
  • Post-incident Review Form– a form used for reviewing effectiveness of plans after an incident.

PDCA Summary

At the end of the ISO 27001 implementation, the customer organization will have the capability to maintain the PDCA cycle of ISO 27001, ably supported by our 27001 Consulting experts

StageISO 27001:2013 ReferenceRemarks
PlanClause No. 4, 5, 6, 7SOA preparation
DoClause No. 8Security and BC Controls in place
CheckClause No. 9Audit and Measurements
ActClause No. 10Conclusion.

Interested in our ISO 27001 Implementation services?

Let's Talk