ISMS Implementation

Achieving ISO 27001 certification requires a structured, transparent, and repeatable approach. The ISO 27001 ISMS implementation process guides organisations from initial scoping to audit readiness with full clarity over responsibilities, deliverables, and improvement priorities.

Throughout the project, the in-house AI ISMS Implementation Assistant supports documentation drafting, evidence collection, and consistency checks. This ensures efficient progress, audit-ready outputs, and reduced administrative effort while maintaining full human oversight and control.

PHASE 1: Project Initiation & Scoping

Company Responsibilities

  • Appoint an internal ISMS lead and project team
  • Define business objectives (customer requirements, compliance, resilience)
  • Allocate time, resources, and decision-making authority

Consultant Responsibilities

  • Conduct a kickoff workshop to outline ISO 27001 principles and the roadmap
  • Support the definition of the ISMS scope (services, locations, data, processes)
  • Identify key stakeholders and decision-makers
  • Draft the project plan, timeline, and milestones

Deliverables

  • ISMS project plan
  • Defined ISMS scope statement

PHASE 2: Gap Analysis & Risk Context Definition

Company Responsibilities

  • Provide existing documentation and security controls
  • Make process owners available for interviews

Consultant Responsibilities

  • Perform a structured Gap Analysis based on ISO 27001 requirements
  • Conduct a Context and Interested Parties assessment
  • Facilitate interviews to understand processes and identify risks
  • Define a tailored risk assessment methodology
  • Use the AI ISMS Implementation Assistant to map gaps and pre-fill documentation sections

Deliverables

  • Gap analysis report
  • Risk assessment methodology
  • Context and Interested Parties analysis

PHASE 3: Risk Assessment & Risk Treatment

Company Responsibilities

  • Approve the risk methodology
  • Participate in risk workshops

Consultant Responsibilities

  • Facilitate risk assessment workshops
  • Determine required Annex A controls and identify existing controls
  • Draft the Statement of Applicability
  • Develop the Risk Treatment Plan with actions, owners, and deadlines
  • Use the AI ISMS Implementation Assistant to maintain a consistent control catalogue

Deliverables

  • Risk assessment report
  • Statement of Applicability
  • Risk Treatment Plan

PHASE 4: ISMS Design & Documentation

Company Responsibilities

  • Review and approve documentation
  • Assign process owners

Consultant Responsibilities

  • Develop the overarching ISMS framework and documentation structure
  • Produce tailored policies and procedures, such as:
    • ISMS Policy
    • Access Control Policy
    • Acceptable Use Policy
    • Backup Policy
    • Incident Management Policy
    • and others required for certification
  • Provide guidance on document control and governance
  • Support decisions on tooling (GRC, DMS, risk management platforms)
  • Use the AI ISMS Implementation Assistant to generate first drafts and ensure alignment across documents

Deliverables

  • Complete ISMS documentation set
  • Document control and versioning guidance

PHASE 5: Implementation of Controls

Company Responsibilities

  • Implement organisational and technical controls
  • Involve IT, HR, Legal, and relevant departments

Consultant Responsibilities

  • Provide guidance on technical and organisational controls
  • Deliver templates (asset registers, access logs, incident logs, etc.)
  • Train staff on control execution and daily ISMS operation
  • Support security awareness initiatives
  • Use the AI ISMS Implementation Assistant to prepare templates and maintain control consistency

Deliverables

  • Security training materials
  • Control implementation templates
  • Implementation support

PHASE 6: Monitoring, Internal Audit & Management Review

Company Responsibilities

  • Nominate internal audit resources
  • Conduct management reviews

Consultant Responsibilities

  • Perform the internal ISMS audit (Clause 9.2) or guide internal auditors
  • Provide audit checklists and templates
  • Assist with the Management Review report (Clause 9.3)
  • Identify nonconformities and advise on corrective actions
  • Use the AI ISMS Implementation Assistant to track evidence and audit findings

Deliverables

  • Internal audit report
  • Management review documentation
  • Corrective action plan

PHASE 7: Preparation for Certification Audit

Company Responsibilities

  • Select and contract a certification body
  • Participate in interviews and documentation reviews

Consultant Responsibilities

  • Conduct a readiness assessment or mock audit
  • Review documentation, controls, logs, and evidence for completeness
  • Prepare teams for audit interviews
  • Support during the external audit when needed
  • Use the AI ISMS Implementation Assistant to verify documentation completeness

Deliverables

  • Pre-certification readiness report
  • On-site or remote audit support

PHASE 8: Continuous Improvement & Maintenance

Company Responsibilities

  • Continue running ISMS processes (risk reviews, audits, awareness, documentation updates)
  • Maintain evidence and records

Consultant Responsibilities

  • Provide ongoing ISMS support through periodic checks or internal audits
  • Update documentation and controls as business needs evolve
  • Assist with surveillance audits
  • Use the AI ISMS Implementation Assistant for continuous documentation alignment

Deliverables (optional based on SLA)

  • Updated documentation
  • Annual ISMS review reports
  • Internal audit and surveillance support packages