Roadmap Overview
This implementation roadmap provides a structured approach to ISO 27001 implementation, designed for organizations with existing IT infrastructure that want to achieve certification efficiently. The 90-day timeline is achievable for SMEs with dedicated resources; larger organizations typically need 4-6 months.
This roadmap assumes: dedicated implementation lead (0.5-1 FTE), management sponsorship secured, basic security controls already in place (firewalls, antivirus, access controls), and willingness to make decisions quickly. Organizations starting from minimal security may need 6-12 months.
Prerequisites & Planning
Before You Start
- Executive Sponsorship: Formal commitment from top management including budget approval
- Project Lead: Assign an ISMS manager or equivalent with authority to drive the project
- Standard Access: Purchase ISO 27001:2022 and ISO 27002:2022
- Initial Training: Key team members complete ISO 27001 awareness training
- Asset Inventory Baseline: Preliminary list of IT assets and data repositories
Resource Requirements
| Role | Time Commitment | Responsibilities |
|---|---|---|
| ISMS Manager/Project Lead | 50-100% | Day-to-day management, documentation, coordination |
| Executive Sponsor | 5-10% | Policy approval, resource allocation, oversight |
| IT/Security Lead | 30-50% | Technical controls, risk assessment support |
| HR Representative | 10-20% | People controls, training, awareness |
| Facilities/Operations | 10-20% | Physical security controls |
| Department Representatives | As needed | Process documentation, interviews |
Days 1-30: Foundation Phase
The first 30 days establish your ISMS foundation: securing sponsorship, defining scope, and creating core governance documents.
Week 1: Project Initiation
- Conduct project kick-off with executive sponsor
- Finalize project team and assign responsibilities
- Establish project governance and meeting cadence (weekly steering)
- Set up document management system/repository
- Complete ISO 27001 training for core team
Deliverables: Project charter, team RACI matrix, project schedule
Week 2: Scope & Context
- Document organizational context (internal and external issues)
- Identify interested parties and their requirements
- Define ISMS scope (boundaries, locations, assets)
- Document scope exclusions with justification
- Create initial asset inventory
Deliverables: Context analysis, stakeholder requirements, scope statement, asset register (draft)
Week 3: Gap Assessment
- Conduct clause-by-clause gap analysis against ISO 27001:2022
- Assess existing controls against Annex A
- Identify quick wins and major gaps
- Prioritize remediation activities
- Estimate effort for each gap
Deliverables: Gap assessment report, prioritized action plan
Week 4: Policy & Leadership
- Draft Information Security Policy
- Define ISMS roles, responsibilities, and authorities
- Establish Information Security Forum/Committee
- Define information security objectives
- Obtain executive approval for policy
Deliverables: Approved IS Policy, roles matrix, ISMS objectives
By Day 30: Approved IS policy, defined scope, documented context, governance structure established, gap assessment complete, and a clear understanding of the work ahead.
Days 31-60: Development Phase
The second 30 days focus on risk assessment, control selection, and developing operational procedures.
Week 5: Risk Assessment Framework
- Design risk assessment methodology
- Define risk criteria (likelihood, impact scales)
- Establish risk acceptance criteria
- Create risk assessment templates
- Train team on risk assessment process
Deliverables: Risk assessment procedure, risk criteria, templates
Week 6: Risk Assessment
- Complete asset inventory and classification
- Identify threats and vulnerabilities for assets
- Assess likelihood and impact of risks
- Determine risk levels against criteria
- Document risk assessment results
Deliverables: Completed risk register, risk assessment report
Week 7: Risk Treatment & SoA
- Select risk treatment options for each risk
- Map controls to identified risks
- Develop Statement of Applicability (SoA)
- Document justifications for excluded controls
- Create risk treatment plan with timelines
Deliverables: Statement of Applicability, risk treatment plan
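Weeks 5 to 7 are one procedure: define the risk criteria, score the register against them, decide a treatment for each risk, and derive the Statement of Applicability from the control mapping. The following Python script is an added worked example of that chain, not tooling from this guide; it assumes 1-5 likelihood and impact scales, a score of likelihood times impact, an acceptance threshold of 6, and a small illustrative slice of the Annex A catalogue (verify the identifiers and titles against your own copy of ISO 27001:2022 / ISO 27002:2022). The risk register rows are constructed sample data.

```python
from dataclasses import dataclass, field

# Risk criteria (assumption for this example): likelihood and impact on 1-5 scales,
# risk score = likelihood x impact, banded into levels by lower bound.
LEVEL_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]
ACCEPTANCE_THRESHOLD = 6  # scores below this may be accepted without treatment (assumption)

# Illustrative slice of an Annex A control catalogue; check identifiers and titles
# against your own copy of the standard before relying on them.
CONTROL_CATALOGUE = {
    "A.5.15": "Access control",
    "A.5.19": "Information security in supplier relationships",
    "A.5.24": "Information security incident management planning and preparation",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
    "A.8.32": "Change management",
}

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # catalogue ids mapped to treat this risk
    owner: str = "unassigned"

def validate(risk):
    """Reject entries outside the defined scales so bad data cannot hide in the register."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be within 1-5")
    unknown = [c for c in risk.controls if c not in CONTROL_CATALOGUE]
    if unknown:
        raise ValueError(f"{risk.risk_id}: unknown control ids {unknown}")

def risk_score(risk):
    validate(risk)
    return risk.likelihood * risk.impact

def risk_level(score):
    for lower_bound, name in LEVEL_BANDS:
        if score >= lower_bound:
            return name
    return "Low"

def treatment_option(risk):
    """Week 7 decision: accept below the criterion, mitigate when controls are mapped,
    otherwise flag the risk for a treatment decision (avoid, transfer, or add controls)."""
    if risk_score(risk) < ACCEPTANCE_THRESHOLD:
        return "accept"
    if risk.controls:
        return "mitigate"
    return "decision required"

def risk_treatment_plan(risks):
    """Register rows above the acceptance criterion, highest score first, with owners."""
    plan = []
    for r in sorted(risks, key=risk_score, reverse=True):
        option = treatment_option(r)
        if option != "accept":
            plan.append({"risk_id": r.risk_id, "score": risk_score(r),
                         "level": risk_level(risk_score(r)), "treatment": option,
                         "controls": list(r.controls), "owner": r.owner})
    return plan

def statement_of_applicability(risks):
    """Every catalogue control is listed; applicability follows from the risk mapping, and
    unmapped controls are flagged so the exclusion justification gets written, not forgotten."""
    soa = {}
    for cid, title in CONTROL_CATALOGUE.items():
        linked = [r.risk_id for r in risks if cid in r.controls]
        soa[cid] = {"title": title, "applicable": bool(linked), "risks": linked,
                    "justification": ("treats " + ", ".join(linked)) if linked
                    else "NOT APPLICABLE - justification required"}
    return soa

# Constructed sample register (illustrative, not real assessment data).
SAMPLE_RISKS = [
    Risk("R1", "Customer database", "Unauthorised access via stale accounts", 4, 5,
         ["A.5.15", "A.8.15"], "IT Lead"),
    Risk("R2", "File server", "Ransomware destroys data with no recoverable backup", 3, 5,
         ["A.8.13", "A.5.24"], "IT Lead"),
    Risk("R3", "Payroll SaaS", "Supplier breach exposes employee data", 2, 4, [], "HR"),
    Risk("R4", "Office printers", "Paper jams delay printing", 3, 1),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, entry["applicable"], entry["justification"])
```

Run as a script it prints the treatment plan (R1 Critical, R2 High, R3 Medium with a decision still outstanding; R4 is accepted and dropped) and then one SoA line per control, with A.5.19 and A.8.32 flagged because no risk maps to them. The design point is that the SoA is generated from the register rather than filled in by hand, which is what makes the "justification for excluded controls" step auditable: an exclusion that is not written down shows up as a flag instead of silently disappearing.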
Week 8: Operational Procedures
- Document access control procedures
- Create incident management procedure
- Develop change management process
- Document backup and recovery procedures
- Create business continuity plan
Deliverables: Core operational procedures (access, incident, change, backup, BCP)
By Day 60: Completed risk assessment, approved SoA, risk treatment plan with assigned owners, and core operational procedures documented.
Days 61-90: Implementation Phase
The final 30 days focus on implementing controls, training staff, and preparing for certification.
Week 9: Control Implementation
- Implement remaining technical controls from risk treatment plan
- Configure systems per documented procedures
- Deploy monitoring and logging solutions
- Implement supplier security requirements
- Document evidence of control implementation
Deliverables: Implemented controls, configuration records, evidence repository
Week 10: Awareness & Training
- Develop security awareness training content
- Conduct awareness training for all staff
- Train key personnel on specific procedures
- Document training records and competence
- Launch ongoing awareness program
Deliverables: Training materials, training records, awareness program
Week 11: Internal Audit
- Plan internal audit program
- Conduct internal audit against ISO 27001:2022
- Document audit findings
- Initiate corrective actions for findings
- Verify closure of critical findings
Deliverables: Internal audit report, corrective action plans
Week 12: Management Review & Certification Prep
- Prepare management review inputs
- Conduct management review meeting
- Document review outputs and actions
- Final documentation review
- Select certification body and schedule Stage 1
Deliverables: Management review minutes, certification-ready ISMS, Stage 1 scheduled
By Day 90: ISMS fully implemented and operational, internal audit complete, management review conducted, all evidence compiled, and Stage 1 audit scheduled.
12-Week Detailed Timeline
| Week | Focus Area | Key Deliverables |
|---|---|---|
| 1 | Project Initiation | Charter, team, schedule |
| 2 | Scope & Context | Scope statement, context docs, asset register |
| 3 | Gap Assessment | Gap report, action plan |
| 4 | Policy & Governance | IS Policy, roles, objectives |
| 5 | Risk Framework | Risk methodology, templates |
| 6 | Risk Assessment | Risk register, assessment report |
| 7 | Risk Treatment & SoA | SoA, risk treatment plan |
| 8 | Procedures | Operational procedures |
| 9 | Control Implementation | Implemented controls, evidence |
| 10 | Training & Awareness | Training records, awareness program |
| 11 | Internal Audit | Audit report, corrective actions |
| 12 | Management Review | Review minutes, certification prep |
Resource Requirements
Estimated Effort
- Small organization (10-50 employees): 200-400 person-hours
- Medium organization (50-250 employees): 400-800 person-hours
- Large organization (250+ employees): 800-2000+ person-hours
Budget Considerations
- ISO 27001:2022 standard purchase: ~$200
- Training (Lead Implementer course): $1,500-3,000 per person
- GRC/Documentation tool (optional): $0-10,000/year
- Consultant support (optional): $5,000-50,000+ depending on scope
- Certification audit fees: $5,000-25,000+ depending on size
How to Accelerate Implementation
Accelerators
- Dedicated Resources: Full-time ISMS manager vs. part-time
- Executive Support: Fast decisions, quick approvals
- Existing Controls: Leverage current security investments
- Templates: Use proven templates vs. creating from scratch
- Expert Support: Consultants who know shortcuts
- Tooling: GRC platform to manage documentation and evidence
Common Delays to Avoid
- Waiting for perfect documentation before starting implementation
- Scope creep: expanding the scope mid-project
- Over-engineering risk assessment methodology
- Treating ISO 27001 as an IT-only project (business involvement is needed)
- Delaying internal audit until everything is "ready"
Done is better than perfect. An implemented ISMS that works is better than a theoretically perfect system that only exists on paper. Start simple, certify, then improve.