ISMS Implementation: How to Build an ISO 27001 Information Security Management System Step by Step

Boris Friedrich

An Information Security Management System (ISMS) per ISO 27001 is the internationally recognized framework for systematically protecting information assets. Building an ISMS is not a one-time compliance project — it is the implementation of a continuous improvement process that embeds information security into organizational culture, business decisions, and daily operations. For organizations seeking to demonstrate security maturity to customers, partners, and regulators, ISO 27001 certification is the global gold standard.

This guide walks through the complete ISMS implementation: 8 steps from initial gap analysis to certification audit, with practical advice on timelines, costs, common pitfalls, and how ISO 27001 aligns with DORA and NIS2.

What Is an ISMS?

An ISMS is a management system that ensures information security through defined policies, processes, organizational structures, and technical controls. It follows the PDCA cycle (Plan-Do-Check-Act): Plan (establish the ISMS — risk assessment, control selection, policy definition), Do (implement controls and processes), Check (monitor, audit, and measure effectiveness), and Act (improve based on findings, incidents, and changes). The 2022 version of ISO 27001 reorganized Annex A from 114 controls in 14 categories to 93 controls in 4 categories: Organizational (37), People (8), Physical (14), and Technological (34). Eleven new controls were added, including Threat Intelligence, Cloud Security, Data Masking, and ICT Readiness for Business Continuity.

ISMS Implementation in 8 Steps

Step 1: Gap Analysis

Compare your current security posture against ISO 27001 requirements. Assess Clauses 4–10 (management system requirements) and all 93 Annex A controls. For each control, rate: fully implemented, partially implemented, or not implemented. The result is a prioritized action plan with effort estimates and a realistic timeline. Budget: EUR 10,000–30,000 with external support, 2–4 weeks elapsed time.

Step 2: Scope Definition

Define the ISMS boundary: which locations, departments, processes, and information systems are included. The scope must cover all relevant information assets without being so broad that implementation becomes unmanageable. Common approach: start with core IT operations and customer-facing services, then expand. The scope definition directly impacts certification cost and timeline.

Step 3: ISMS Policy and Document Structure

Draft the overarching information security policy — signed by top management, communicating the organization’s commitment to information security. Build the document hierarchy: Level 1 — Policies (what we commit to), Level 2 — Standards (what rules we follow), Level 3 — Procedures (how we implement the rules), Level 4 — Work Instructions and Records (evidence of implementation). Keep documentation proportionate. A 50-person company does not need 500 pages of security documentation.

Step 4: Risk Assessment

The heart of ISO 27001 — everything flows from the risk assessment. Define your risk assessment methodology (asset-based or scenario-based), identify information assets and their owners, assess threats and vulnerabilities for each asset, evaluate likelihood and impact, determine risk treatment (mitigate, transfer, avoid, or accept), and document risk treatment decisions with justification. The risk assessment drives control selection — you implement controls because the risk assessment says they are needed, not because a checklist says so.

Step 5: Statement of Applicability (SoA)

The SoA is the most important ISMS document — the first thing every auditor reviews. It lists all 93 Annex A controls and for each documents: Is it applicable? (If not, why not?) Is it implemented? How is it implemented? (Reference to specific policies, procedures, or systems). The SoA is the bridge between your risk assessment and your control implementation — it demonstrates that every control decision is risk-based.
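The risk-to-control traceability described in Steps 4 and 5 is something an internal auditor checks by hand; the following added example (not from the original article, and not any tool's code) automates that check over a constructed risk register and SoA. It assumes a 1..5 likelihood and impact scale, a risk-acceptance threshold of 8 on the product, and Annex A identifiers as the link between the two documents; all sample rows are made up.

```python
from collections import namedtuple

# Risk register row: likelihood/impact on 1..5, treatment in {mitigate, transfer, avoid, accept},
# controls = Annex A identifiers the treatment relies on (assumed scale, not mandated by ISO 27001).
Risk = namedtuple("Risk", "rid likelihood impact treatment justification controls", defaults=[()])
# SoA row: justification is required when a control is excluded, implementation (reference to a
# policy, procedure or system) when it is applicable.
SoAEntry = namedtuple("SoAEntry", "control applicable justification implementation", defaults=["", ""])

def check_consistency(risks, soa, accept_threshold=8):
    """Return (severity, message) findings; an empty list means the SoA is fully risk-based."""
    findings = []
    applicable = {e.control for e in soa if e.applicable}
    referenced = {c for r in risks for c in r.controls}
    for r in risks:
        score = r.likelihood * r.impact
        if not r.justification:
            findings.append(("major", f"{r.rid}: '{r.treatment}' decision has no justification"))
        if r.treatment == "mitigate" and not r.controls:
            findings.append(("major", f"{r.rid}: mitigated but no controls assigned"))
        if r.treatment == "accept" and score > accept_threshold:
            findings.append(("major", f"{r.rid}: accepted above threshold (score {score})"))
        for c in r.controls:
            if c not in applicable:
                findings.append(("major", f"{r.rid}: relies on {c}, which the SoA excludes"))
    for e in soa:
        if e.applicable and e.control not in referenced:
            findings.append(("minor", f"{e.control}: applicable but traced to no risk"))
        if e.applicable and not e.implementation:
            findings.append(("major", f"{e.control}: applicable but no implementation reference"))
        if not e.applicable and not e.justification:
            findings.append(("major", f"{e.control}: excluded without justification"))
    return findings

# Constructed sample rows, not a real organisation's register or SoA.
SAMPLE_RISKS = [
    Risk("R1", 4, 5, "mitigate", "PII exposure", ("A.5.15", "A.8.24")),
    Risk("R2", 2, 4, "mitigate", "backup media loss", ("A.8.13",)),
    Risk("R3", 3, 3, "accept", ""),                        # no justification, score 9
    Risk("R4", 4, 4, "accept", "vendor contract"),         # score 16 accepted
]
SAMPLE_SOA = [
    SoAEntry("A.5.15", True, implementation="AC-POL-01"),
    SoAEntry("A.8.24", True, implementation="CRYPTO-STD-02"),
    SoAEntry("A.8.13", True),                              # no implementation reference
    SoAEntry("A.5.7", True, implementation="TI-PROC-01"),  # traced to no risk
    SoAEntry("A.7.4", False),                              # excluded without reason
]
```

Running `check_consistency(SAMPLE_RISKS, SAMPLE_SOA)` on the sample yields six findings, each one a question the Stage 1 auditor would otherwise ask.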

Step 6: Control Implementation

Implement technical and organizational controls per the SoA. Typical measures include: access controls (MFA, RBAC, privilege management), encryption (data at rest and in transit), backup and recovery (3-2-1 rule, tested restores), incident management (response plan, escalation, communication), security awareness training (all staff, role-based), supplier management (security requirements in contracts), and physical security (access control, visitor management, clean desk).

Step 7: Internal Audit

Conduct a complete internal audit against ISO 27001 before the certification audit. The internal audit must: cover all clauses (4–10) and applicable Annex A controls, be performed by auditors independent of the areas being audited (internal staff from a different department or external auditors), document all findings (nonconformities, observations, opportunities for improvement), and result in corrective actions with defined timelines. This is your dress rehearsal — fix everything found before the certification body arrives.

Step 8: Certification Audit

A two-stage audit by an accredited certification body: Stage 1 (document review, typically 1–2 days): the auditor reviews your ISMS documentation, SoA, risk assessment, and policies. They verify that the ISMS is ready for Stage 2. Stage 2 (on-site audit, typically 3–5 days): interviews with staff, evidence review, and sampling to verify that controls are not just documented but operating effectively. On success: ISO 27001 certificate, valid for 3 years with annual surveillance audits.

Timeline and Costs

Typical implementation timelines:

  • SME (50–200 employees): 6–12 months to certification
  • Mid-market (200–1,000 employees): 9–15 months
  • Enterprise (1,000+ employees): 12–24 months

Typical costs:

  • External consulting: EUR 50,000–150,000 (gap analysis, risk assessment support, SoA creation, audit preparation)
  • Internal staff: 0.5–2 FTE dedicated over the implementation period
  • Certification audit: EUR 10,000–30,000 (depends on company size and scope)
  • Annual surveillance audits: EUR 5,000–15,000
  • Tools (GRC platform, vulnerability scanning): EUR 10,000–50,000/year

ISO 27001 and Regulatory Alignment

ISO 27001 provides a foundation for multiple regulatory requirements:

  • DORA: ISO 27001 covers approximately 70% of DORA ICT risk management requirements. Add DORA-specific provisions for resilience testing, incident reporting timelines, and third-party risk management.
  • NIS2: ISO 27001 covers approximately 80% of NIS2 Article 21 measures. Add 24h/72h incident reporting and BSI registration.
  • GDPR: ISO 27001 Annex A provides the technical and organizational measures required by Article 32. ISO 27701 extends it specifically for privacy.

Frequently Asked Questions

How long does ISMS implementation take?

For mid-sized companies: 9–15 months is realistic. The biggest time drivers are risk assessment (requires business input), control implementation (especially technical controls), and awareness training (requires scheduling across the organization). Accelerated 6-month implementations are possible with dedicated resources and strong management support.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

The 2022 version updates Annex A from 114 to 93 controls, reorganizes them into 4 categories (instead of 14), and adds 11 new controls including Threat Intelligence, Cloud Security, Data Masking, and ICT Readiness for Business Continuity. The clause structure (4–10) is largely unchanged. All certifications must now be on the 2022 version.

Is ISO 27001 sufficient for NIS2 compliance?

ISO 27001 covers approximately 80% of NIS2 requirements and provides a strong foundation. Additionally needed: 24h/72h incident reporting process to BSI, BSI registration, documented supply chain risk assessment, management cybersecurity training, and explicit MFA requirements. ISO 27001 is an excellent starting point but not an automatic NIS2 pass.

Can we implement ISO 27001 internally?

Yes, if you have staff with ISO 27001 Lead Implementer or equivalent qualification. Most organizations use external support for: initial gap analysis, risk assessment methodology, SoA creation, and audit preparation. The ISMS officer role should be internal for long-term ownership. Many organizations combine internal ownership with external expertise for specific phases.
