Practical sequence
| Phase | Implementer objective | Key outputs | Related notes |
|---|---|---|---|
| 1. Scope and context | Define what the ISMS covers and why | ISMS scope, interested parties, internal/external issues | Information Security Management System, Field of Application, Usage, and Compliance |
| 2. Leadership and policy | Establish direction and accountability | Top-level policy, roles, responsibilities, management commitment | Information Security Policy, Roles and Responsibilities, Management Responsibilities |
| 3. Risk method | Define how risk will be assessed and treated | Risk criteria, assessment method, acceptance criteria | Risk Assessment, ISO 27005 Risk Process Notes |
| 4. Risk assessment | Identify and evaluate information security risks | Risk register, asset/context inputs, risk owners | Risk Assessment, Information and Associated Asset Inventory |
| 5. Risk treatment | Select controls and justify decisions | Risk treatment plan, selected Annex A controls, additional controls | Statement of Applicability, Control Attributes and Risk Treatment Effects |
| 6. Control implementation | Put selected controls into operation | Policies, procedures, registers, technical/organizational controls | A.5 Organizational Controls Implementation Guide, A.8 Technological Controls Implementation Guide, Templates MOC |
| 7. Evidence model | Decide what evidence proves operation | Evidence request list, control evidence locations | Audit Evidence Index, Evidence Request List |
| 8. Internal audit | Test whether the ISMS works | Audit plan, findings, evidence, corrective actions | ISO 27001 Auditor Guide MOC, Internal Audit |
| 9. Management review | Review performance and decisions | Management review inputs, outputs, actions | Management Review, Management Review Input Checklist |
| 10. Improvement | Fix issues and improve controls | Corrective actions, updated risks, updated SoA | Corrective Action Tracker, Statement of Applicability |
Implementation principles
- Start with the business and risk context, not Annex A.
- Treat Annex A as a control library, not a mandatory checklist.
- Keep evidence close to the process that creates it.
- Assign owners for risks, controls, suppliers, assets, and evidence.
- Build review cycles into the process from the start.
- Use ISO/IEC 27005 concepts to make risk decisions defensible.
Common implementation failures
| Failure | Practical correction |
|---|---|
| Copying policies before defining scope | Define scope, context, interested parties, and risk criteria first |
| Treating every Annex A control as automatically mandatory | Select controls through risk treatment and justify applicability in the Statement of Applicability |
| Creating controls with no owner | Use Control Owner Register and RACI Matrix |
| Collecting evidence only before audit | Define evidence during implementation |
| Risk register disconnected from controls | Use Risk and Control Mapping Table |
| Supplier, access, and asset processes run in separate silos | Link them through owners, risks, controls, and evidence |
Implementation checklist
- ISMS scope defined.
- Interested parties and requirements identified.
- Top-level Information Security Policy approved.
- Roles, responsibilities, and control owners assigned.
- Risk assessment method defined.
- Risk criteria and acceptance criteria approved.
- Risk assessment performed.
- Risk treatment decisions documented.
- Statement of Applicability created.
- Selected controls implemented with owners.
- Evidence model defined.
- Internal audit plan created.
- Management review cycle defined.
- Corrective action process operating.
Related notes
- Iso27001
- Implementer guide
- Isms
- Roadmap
Note Metadata
Aliases: ISO 27001 Implementation Roadmap
Source: 05 Implementer Guide/ISMS Implementation Roadmap.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO27001 ISMS KB - Start Here
- Control Attributes and Risk Treatment Effects
- Field of Application, Usage, and Compliance
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Roles and Responsibilities
- Statement of Applicability
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.4 - Management Responsibilities
- A.5 Organizational Controls Implementation Guide
- A.8 Technological Controls Implementation Guide
- ISO 27001 Implementer Guide
- ISO 27001 Auditor Guide
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- Template - Control Owner Register
- Template - Corrective Action Tracker
- Template - Evidence Request List
- Information and Associated Asset Inventory
- Template - Management Review Input Checklist
- Template - RACI Matrix
- Template - Risk and Control Mapping Table
- Audit Evidence Index
- ISO 27001 Overview
- Templates MOC