
Implementing ISO 27001:2013 from scratch in 35 simple steps

Plan

1. Obtain top management approval for implementation of an ISO 27001:2013 based ISMS in the organization
2. Gather information about the organization and its industry
3. Understand the organization's industry
4. Gather background information about the organization's products and services
5. Understand the organization's external and internal issues
6. Identify the organization's competitors
7. Identify the organization's interested parties
8. Understand the needs and expectations of interested parties
9. Understand the organization's legal, regulatory and contractual requirements
10. Understand interfaces and interdependencies between activities performed by the organization
11. Understand the organization's ISMS requirements
12. Understand the requirements of interested parties relevant to the ISMS
13. Determine the scope for ISMS implementation (locations, sites and/or functions ready to implement the ISMS)
14. Define the overall IS Policy, including IS Objectives, applicable business requirements and top management commitment to continual improvement
15. Define the risk assessment process (risk assessment criteria and risk acceptance criteria)
16. Define the risk treatment process
17. Develop the project plan for ISO 27001:2013 based ISMS implementation
18. Present the project plan to top management for approval and secure top management assurance for the project and the necessary support and resources

Do

19. Define IS objectives at all relevant functions and levels
20. Perform risk assessment
    a. Identify IS risks
    b. Identify Risk Owners
    c. Analyze IS risks (assess consequences, likelihood and risk level)
    d. Evaluate IS risks (compare with risk criteria and prioritize)
21. Perform risk treatment
    a. Select appropriate controls
    b. Compare controls with Annex A of the ISO 27001:2013 Standard
    c. Develop the SoA (Statement of Applicability)
    d. Develop Risk Treatment Plans
22. Obtain Risk Owners' approval
23. Implement risk treatment plans (staff, infrastructure, technical controls, managerial controls such as employment/contract agreements, NDAs etc.)
24. Define ISMS performance measurements and metrics
25. Develop the ISMS audit program plan
26. Define and assign ISMS roles and responsibilities
27. Develop the necessary IS documentation
28. Develop an ISMS Communication Plan considering all ISMS interested parties
29. Conduct necessary IS training for employees and contractors
30. Carry out necessary IS awareness initiatives
31. Operate the ISMS (record IS events, activities, communications, changes, incidents, accidents and NCs)

Check

32. Check ISMS performance periodically
    a. Review the various ISMS performance measurements and metrics
    b. Conduct periodic risk assessments
    c. Perform periodic internal and regulatory audits
    d. Collect feedback from interested parties
    e. Carry out periodic Management Reviews of ISMS performance
33. Report to appropriate management at defined time intervals

Act

34. Decide on corrective actions to be taken
35. Develop plans for implementing ISMS improvements
