Most SMEs complete the process in 3–6 months. Larger organisations or complex environments may take up to 12 months. Citation ISO Certification can support businesses to achieve certification in as little as 45 days.
Starting ISO 27001 from scratch can feel daunting—especially when you’re juggling data protection, client demands, and GDPR compliance.
This guide is written for UK businesses that want to implement ISO 27001 from scratch and do it the right way. Whether you’re preparing for your first audit, responding to supply chain pressures, or just want to tighten up your data protection, this page walks you through every step with practical tips, relatable examples, and expert insight.
Implementing ISO 27001 means building an Information Security Management System (ISMS) that protects your business from data breaches, reputational harm, and compliance risks. It’s a phased approach to improving how your organisation manages information risk over time.
At a glance:
Every ISO 27001 journey is different, but they all share the same building blocks. Here’s a high-level look at how most successful implementations unfold. The process isn’t always perfectly linear (sometimes you’ll move back and forth between stages), but having a clear structure helps avoid missed steps, wasted effort, and audit pain.
Phase 1: Preparation
This is all about getting your foundations right. You’ll define the scope of your ISMS, get leadership buy-in, allocate budget, and start mapping out your legal, regulatory and contractual obligations—like GDPR and NIS2. A gap analysis or readiness assessment is often done here to see where you stand today.
Phase 2: Design
Once the groundwork is done, you’ll design how your ISMS will work. That means conducting a detailed risk assessment, choosing the right ISO 27001 controls, and documenting everything from access policies to incident response procedures. This phase also includes creating your Statement of Applicability and planning your audit timeline.
Phase 3: Implementation
Now it’s time to put your plans into action. This phase is about embedding controls into daily operations, rolling out training, and making sure the right tools and documentation are in place. The focus shifts from planning to execution—and ensuring you can demonstrate that your controls actually work.
Phase 4: Audit readiness
Once your ISMS is up and running, you’ll prepare for your certification audit. This includes performing a full internal audit, holding a formal management review, and addressing any issues that come up. The aim is to be confident that everything is in place before your external auditor arrives.
Why planning matters
ISO 27001 certification runs on a three-year cycle, with annual surveillance audits and a recertification audit in year three. Cutting corners during implementation can lead to non-conformities, failed audits, and unexpected costs. A well-planned, phased approach makes life easier in the long run—both for your team and your auditors.
Below is a step-by-step walkthrough of how to go from zero to certified. Every step includes what to do, who’s involved, and what good looks like. This will help set you up for a smoother certification process and long-term success.
Define your ISMS scope
Start by clarifying which parts of your business the ISMS will cover. This could be your entire organisation or a specific department, location, or function. Scoping decisions should align with your business goals and information risks. Keep it manageable—it’s better to start with a focused scope and expand later than to take on too much too soon.
Who’s involved: Senior leadership, project lead.
Outputs: Scope statement, aligned with business goals
Secure leadership commitment
ISO 27001 requires evidence of top-level support. Senior leaders need to actively endorse the project, allocate budget, and champion information security as a business priority. This step often involves preparing a business case that links ISO 27001 to risk reduction, customer assurance, and compliance benefits.
For example, a construction firm preparing for government tenders might secure board-level support by linking ISO 27001 to new public sector contract requirements under NIS2.
Who’s involved: Managing director, operations director, board.
Outputs: Formal commitment, business case, project brief.
Appoint an ISMS lead or project team
Choose someone to lead the implementation. This person doesn’t need to be a full-time ISO expert, but they do need strong project management skills, good communication abilities, and support from leadership. Larger organisations might also form an implementation steering group to share the load.
As an example, an SME might appoint its operations manager as ISMS lead, supported by an external consultant and an internal working group including IT and HR.
Who’s involved: Operations director, compliance manager, key stakeholders. Internal appointee or external consultant.
Outputs: Named ISMS lead, responsibilities documented.
Identify legal, regulatory and contractual obligations
You’ll need to document all external obligations related to information security, including GDPR, NIS2, industry regulations, client contracts, and data protection laws. This helps ensure your ISMS isn’t just operationally sound—it’s legally watertight too.
For example, a software provider with NHS clients must comply with DSPT and GDPR, so legal and compliance teams work together to build a comprehensive register.
Who’s involved: Legal, IT, HR, compliance, DPO.
Outputs: Legal register, data map
Carry out an information security risk assessment
This is a cornerstone of ISO 27001. You’ll need to identify potential threats and vulnerabilities, assess their likelihood and impact, and decide how to treat each risk (accept, avoid, transfer, or mitigate). Use a structured method—this part will shape your policies and controls.
As an example, a UK tech firm handling GDPR data might assess a risk such as phishing against remote workers, scoring it high on both likelihood and impact because of the potential £17.5m fines, and mitigate it with multi-factor authentication.
Who’s involved: ISMS lead, IT, department heads.
Outputs: Risk register, risk assessment, risk treatment plan
Create your Statement of Applicability
Based on your risk assessment, document which of the 93 Annex A controls apply to your business, and why. The SoA is a required document and a key link between your risk landscape and the controls you implement. It should be clear, justified, and regularly reviewed.
Who’s involved: ISMS lead, possibly an ISO consultant.
Outputs: Completed Statement of Applicability (SoA), linked to risks and controls.
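The two steps above (risk assessment and Statement of Applicability) are where most of the ISMS logic lives, so here is a worked example of the linkage in code. It is an added illustration, not tooling from the guide or from Citation ISO Certification: it scores each risk as likelihood × impact on a 5×5 matrix, applies an assumed risk appetite (score 12 or more counts as high), validates the treatment decisions, and derives SoA rows from whichever Annex A controls the treatments rely on. The register entries, scores and the 12-point threshold are constructed; the first two risks echo the phishing and visitor-access examples used elsewhere in this guide. The control identifiers follow the ISO/IEC 27001:2022 Annex A numbering as I recall it, not identifiers given on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List

TREATMENTS = {"accept", "avoid", "transfer", "mitigate"}
# Assumed risk appetite (not from the guide): on a 5x5 likelihood x impact matrix,
# anything scoring 12 or more is "high" and may not simply be accepted.
HIGH_RISK_THRESHOLD = 12


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    likelihood: int                                   # 1 (rare) .. 5 (almost certain)
    impact: int                                       # 1 (negligible) .. 5 (severe)
    treatment: str                                    # accept | avoid | transfer | mitigate
    controls: List[str] = field(default_factory=list)  # Annex A refs chosen to treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def is_high(self) -> bool:
        return self.score >= HIGH_RISK_THRESHOLD


def validate_register(risks: List[Risk]) -> List[str]:
    """Checks an internal auditor would make: scores in range, a recognised
    treatment, mitigated risks mapped to at least one control, and no high
    risk waved through as 'accept'. Returns a list of findings (empty = clean)."""
    problems = []
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.ref}: likelihood and impact must be 1-5")
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.ref}: unknown treatment '{r.treatment}'")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.ref}: 'mitigate' chosen but no control mapped")
        if r.is_high and r.treatment == "accept":
            problems.append(f"{r.ref}: score {r.score} exceeds appetite but is accepted")
    return problems


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first, so treatment effort goes where it matters most."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def build_soa(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Derive SoA rows from the register: a control is applicable when at least
    one risk treatment relies on it, and the justification names those risks;
    otherwise the row records why the control is excluded."""
    soa = {}
    for control, title in catalogue.items():
        refs = sorted(r.ref for r in risks if control in r.controls)
        soa[control] = {
            "title": title,
            "applicable": bool(refs),
            "justification": (f"Treats {', '.join(refs)}" if refs
                              else "No identified risk requires this control"),
        }
    return soa


# Constructed subset of Annex A (ISO/IEC 27001:2022 numbering, from memory).
CATALOGUE = {
    "A.5.7": "Threat intelligence",
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.2": "Physical entry",
    "A.8.5": "Secure authentication",
    "A.8.13": "Information backup",
}

# Constructed register; R1 and R2 mirror examples used in this guide.
REGISTER = [
    Risk("R1", "Remote staff laptops", "Phishing leading to credential theft", 4, 5,
         "mitigate", ["A.8.5", "A.6.3"]),
    Risk("R2", "Head office", "Unlogged visitor access to server room", 3, 3,
         "mitigate", ["A.7.2"]),
    Risk("R3", "File server", "Ransomware with no restorable backup", 2, 5,
         "mitigate", ["A.8.13"]),
    Risk("R4", "Marketing website", "Defacement of public content", 2, 2, "accept"),
]

if __name__ == "__main__":
    for line in validate_register(REGISTER) or ["register passes all checks"]:
        print(line)
    for r in prioritise(REGISTER):
        flag = "HIGH" if r.is_high else "low "
        print(f"{r.ref} score={r.score:2d} {flag} {r.treatment:8s} {r.threat}")
    for ctrl, row in build_soa(REGISTER, CATALOGUE).items():
        print(f"{ctrl:7s} {'Yes' if row['applicable'] else 'No':3s} {row['justification']}")
```

The point of `build_soa` is that applicability is never decided in isolation: every "Yes" traces back to a risk reference, which is exactly the justification trail an auditor asks for, and every "No" carries a stated reason rather than a blank cell.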
Define and document information security controls
Once you know which controls apply, you’ll need to describe how they’re implemented. These controls can include technical solutions (like multi-factor authentication), physical safeguards (like access restrictions), and organisational measures (like security awareness training). Each should be backed by a documented policy or procedure.
Who’s involved: IT, HR, management, marketing (depending on scope).
Outputs: Suite of policies and procedures (e.g., access policy, backup procedure, incident response).
Train staff and assign responsibilities
ISO 27001 isn’t just about IT—it’s about people too. Every employee who handles information needs to understand their role in keeping it secure. This might involve formal training, onboarding updates, internal campaigns, or phishing simulations. Record everything—you’ll need the evidence for your audit.
For example, a recruitment agency rolls out quarterly awareness training via an LMS, logging completions for audit readiness.
Who’s involved: HR, ISMS lead, line managers, training provider.
Outputs: Training records, staff responsibilities, onboarding materials.
Run an internal audit
Before your external audit, you’ll need to check whether your ISMS is doing what it’s supposed to. An internal audit identifies weaknesses and confirms that policies, procedures, and controls are properly embedded. This needs to be objective—ideally done by someone independent from the team who implemented the ISMS.
Who’s involved: Trained internal auditor or external support.
Outputs: Internal audit report, non-conformance register
Conduct a management review
Senior leadership should review how the ISMS is performing—looking at audit results, incidents, objectives, and areas for improvement. This meeting should be documented and demonstrate that leadership is actively engaged in maintaining and improving the system.
Who’s involved: Senior management, ISMS lead.
Outputs: Minutes, actions for improvement
Address any non-conformities or gaps
If your internal audit or management review uncovers issues, now’s the time to fix them. This could mean updating a policy, retraining staff, or improving access controls. Keep records of all corrective actions—you’ll need to show these to your certification body.
For example, a manufacturer revises its physical security controls after an internal audit flags unlogged visitor access.
Who’s involved: ISMS lead, relevant departments.
Outputs: Corrective action log, updated documents, evidence of fixes.
Book and complete certification audit
Finally, you’re ready for the external certification audit. Choose an accredited body and prepare for a two-stage process: stage one checks your documentation, and stage two assesses how well your ISMS is working in practice. If successful, you’ll receive your ISO 27001 certificate—typically valid for three years, with annual surveillance audits.
Who’s involved: ISMS lead, certification body, stakeholders, audit team.
Outputs: ISO 27001 certification!
| Role | Responsibility |
|---|---|
| ISMS lead | Drives the project and ensures deadlines are met |
| IT manager | Installs and monitors technical controls |
| HR | Delivers training and supports culture change |
| Compliance/legal | Tracks laws and contract obligations |
| Department heads | Help embed ISMS into daily operations |
| Senior management | Provides resources and strategic direction |
One of the first questions businesses ask is: how much will ISO 27001 cost us? The answer depends on your business’s size, scope, complexity, and appetite for DIY. Here’s a general idea of what to expect.
Common cost drivers include:
• Internal staff time and project management
• External consultant support
• Tools, templates, and software platforms
• Training and awareness programmes
• Certification audit fees
Typical UK cost ranges:
• DIY approach: £4,000–£8,000 for small businesses
• Blended support: £8,000–£12,000 with toolkits and light consultancy
• Full consultancy: £12,000–£20,000+ for larger/more complex businesses
| Business type | Typical investment | What this might include |
|---|---|---|
| Micro/Small (1–20 employees) | £4,000–£8,000 | DIY with templates, part-time internal lead |
| Small to medium (20–100 employees) | £8,000–£12,000 | Mix of internal resource and external consultancy |
| Medium to large (100–250+ employees) | £15,000–£25,000+ | Full consultancy, multi-site support, custom documentation |
| Complex/regulated (250+ or high risk) | £25,000+ | Bespoke implementation, multiple departments & locations |
These figures include implementation and certification audit. Ongoing costs (surveillance audits, updates, recertification) are usually annual and lower.
Cost-saving tips:
• Start with a focused ISMS scope (you can expand later)
• Reuse what you already have (for example, existing policies and security tools)
• Use ISO 27001 toolkits and templates to save time on documentation
• Train someone in-house to run your internal audit
• Choose a certification body that’s the right fit for your size and sector
Getting ISO 27001 certified is an investment—but it’s also a competitive differentiator, a sales enabler, and a long-term risk reducer.
Getting ISO certified puts the right controls, culture and systems in place to protect your business. For UK SMEs, ISO 27001 can reduce breach risks, unlock access to public sector tenders under NIS2, and streamline the sales process with GDPR-conscious clients.
More buyers are demanding proof of robust data handling and security governance, and ISO 27001 is the gold standard that opens doors. In fact, many UK councils and NHS procurement frameworks list ISO 27001 as a minimum requirement for suppliers.
Here’s what you can gain from successful implementation:
• Better control over sensitive data and systems
• Stronger defence against cyber threats
• Fewer incidents, faster recovery, less downtime
• Easier compliance with GDPR, NIS2, and client contracts
• Greater trust from customers, partners and stakeholders
• Competitive advantage in tenders and public sector work
• Structured approach to information governance
• Streamlined audits and less time spent chasing paperwork