UnixTime

Research Note

ISMS Implementation Roadmap

- Start with the business and risk context, not Annex A. - Treat Annex A as a control library, not a mandatory checklist. - Keep evidence close to the process that creates it. -...

On this page

Practical sequence

Phase Implementer objective Key outputs Related notes
1. Scope and context Define what the ISMS covers and why ISMS scope, interested parties, internal/external issues Information Security Management System, Field of Application, Usage, and Compliance
2. Leadership and policy Establish direction and accountability Top-level policy, roles, responsibilities, management commitment Information Security Policy, Roles and Responsibilities, Management Responsibilities
3. Risk method Define how risk will be assessed and treated Risk criteria, assessment method, acceptance criteria Risk Assessment, ISO 27005 Risk Process Notes
4. Risk assessment Identify and evaluate information security risks Risk register, asset/context inputs, risk owners Risk Assessment, Information and Associated Asset Inventory
5. Risk treatment Select controls and justify decisions Risk treatment plan, selected Annex A controls, additional controls Statement of Applicability, Control Attributes and Risk Treatment Effects
6. Control implementation Put selected controls into operation Policies, procedures, registers, technical/organizational controls A.5 Organizational Controls Implementation Guide, A.8 Technological Controls Implementation Guide, Templates MOC
7. Evidence model Decide what evidence proves operation Evidence request list, control evidence locations Audit Evidence Index, Evidence Request List
8. Internal audit Test whether the ISMS works Audit plan, findings, evidence, corrective actions ISO 27001 Auditor Guide MOC, Internal Audit
9. Management review Review performance and decisions Management review inputs, outputs, actions Management Review, Management Review Input Checklist
10. Improvement Fix issues and improve controls Corrective actions, updated risks, updated SoA Corrective Action Tracker, Statement of Applicability

Implementation principles

  • Start with the business and risk context, not Annex A.
  • Treat Annex A as a control library, not a mandatory checklist.
  • Keep evidence close to the process that creates it.
  • Assign owners for risks, controls, suppliers, assets, and evidence.
  • Build review cycles into the process from the start.
  • Use ISO/IEC 27005 concepts to make risk decisions defensible.

Common implementation failures

Failure Practical correction
Copying policies before defining scope Define scope, context, interested parties, and risk criteria first
Treating every Annex A control as automatically mandatory Select controls through risk treatment and justify applicability in the Statement of Applicability
Creating controls with no owner Use Control Owner Register and RACI Matrix
Collecting evidence only before audit Define evidence during implementation
Risk register disconnected from controls Use Risk and Control Mapping Table
Supplier, access, and asset processes run in separate silos Link them through owners, risks, controls, and evidence

Implementation checklist

  • ISMS scope defined.
  • Interested parties and requirements identified.
  • Top-level Information Security Policy approved.
  • Roles, responsibilities, and control owners assigned.
  • Risk assessment method defined.
  • Risk criteria and acceptance criteria approved.
  • Risk assessment performed.
  • Risk treatment decisions documented.
  • Statement of Applicability created.
  • Selected controls implemented with owners.
  • Evidence model defined.
  • Internal audit plan created.
  • Management review cycle defined.
  • Corrective action process operating.