ISO/IEC 27001:2013

What does implementing a typical ISO27001:2013 project entail?


Although no two projects are the same, the following steps are usually followed when implementing ISO27001 and working towards certification.

  • A gap analysis, which defines the scope of the ISMS and determines where your existing processes fall short of the standard.
  • Determination of the organisational context and interested parties to define the exact scope and the objectives.
  • A risk assessment, which identifies the relevant risks and/or assets and assesses and evaluates these risks.
  • The identification and selection of appropriate controls in order to develop an appropriate risk response plan.
  • Preparation of a Risk Treatment Plan and a Statement of Applicability.
  • Development of Management System documentation, including relevant policies and procedures.
  • Assessment of staff competence, staff training and awareness.
  • Performance evaluation and internal audit, which determines the extent to which your new procedures are successful.
  • Development of procedures for monitoring, measurement and analysis of the ISMS.
  • The implementation of a management review process.
  • Certification audit.
  • Surveillance, continual improvement and maintenance of your ISMS.
