Most SMEs complete the process in 3–6 months. Larger organisations or complex environments may take up to 12 months. Citation ISO Certification can help businesses achieve certification in as little as 45 days.
Starting ISO 27001 from scratch can feel daunting—especially when you’re juggling data protection, client demands, and GDPR compliance.
This guide is written for UK businesses that want to implement ISO 27001 from scratch and do it the right way. Whether you’re preparing for your first audit, responding to supply chain pressures, or just want to tighten up your data protection, this page walks you through every step with practical tips, relatable examples, and expert insight.
Implementing ISO 27001 means building an Information Security Management System (ISMS) that protects your business from data breaches, reputational harm, and compliance risks. It’s a phased approach to improving how your organisation manages information risk over time.
At a glance:
Every ISO 27001 journey is different, but they all share the same building blocks. Here’s a high-level look at how most successful implementations unfold. The process isn’t always perfectly linear (sometimes you’ll move back and forth between stages), but having a clear structure helps avoid missed steps, wasted effort, and audit pain.
Phase 1: Preparation
This is all about getting your foundations right. You’ll define the scope of your ISMS, get leadership buy-in, allocate budget, and start mapping out your legal, regulatory and contractual obligations, such as UK GDPR, the NIS Regulations 2018 and, if you supply customers in the EU, NIS2. A gap analysis or readiness assessment is often done here to see where you stand today.
Phase 2: Design
Once the groundwork is done, you’ll design how your ISMS will work. That means conducting a detailed risk assessment, choosing the right ISO 27001 controls, and documenting everything from access policies to incident response procedures. This phase also includes creating your Statement of Applicability and planning your audit timeline.
Phase 3: Implementation
Now it’s time to put your plans into action. This phase is about embedding controls into daily operations, rolling out training, and making sure the right tools and documentation are in place. The focus shifts from planning to execution—and ensuring you can demonstrate that your controls actually work.
Phase 4: Audit readiness
Once your ISMS is up and running, you’ll prepare for your certification audit. This includes performing a full internal audit, holding a formal management review, and addressing any issues that come up. The aim is to be confident that everything is in place before your external auditor arrives.
Why planning matters
ISO 27001 certification runs on a three-year cycle, with annual surveillance audits and a recertification audit in year three. Cutting corners during implementation can lead to non-conformities, failed audits, and unexpected costs. A well-planned, phased approach makes life easier in the long run—both for your team and your auditors.
Below is a step-by-step walkthrough of how to go from zero to certified. Every step includes what to do, who’s involved, and what good looks like. This will help set you up for a smoother certification process and long-term success.
Define your ISMS scope
Start by clarifying which parts of your business the ISMS will cover. This could be your entire organisation or a specific department, location, or function. Scoping decisions should align with your business goals and information risks, and the scope statement needs to describe the interfaces and dependencies with anything you leave out (shared IT, outsourced hosting, group functions), because an auditor will test whether those boundaries are real. Keep it manageable: it’s better to start with a focused scope and expand later than to take on too much too soon.
Who’s involved: Senior leadership, project lead.
Outputs: Scope statement, aligned with business goals
Secure leadership commitment
ISO 27001 requires evidence of top-level support. Senior leaders need to actively endorse the project, allocate budget, and champion information security as a business priority. This step often involves preparing a business case that links ISO 27001 to risk reduction, customer assurance, and compliance benefits.
For example, a construction firm preparing for government tenders might secure board-level support by linking ISO 27001 to the information security requirements written into public sector contracts.
Who’s involved: Managing director, operations director, board.
Outputs: Formal commitment, business case, project brief.
Appoint an ISMS lead or project team
Choose someone to lead the implementation. This person doesn’t need to be a full-time ISO expert, but they do need strong project management skills, good communication abilities, and support from leadership. Larger organisations might also form an implementation steering group to share the load.
As an example, an SME might appoint its operations manager as ISMS lead, supported by an external consultant and an internal working group including IT and HR.
Who’s involved: Operations director, compliance manager, key stakeholders. Internal appointee or external consultant.
Outputs: Named ISMS lead, responsibilities documented.
Identify legal, regulatory and contractual obligations
You’ll need to document all external obligations related to information security, including data protection law (UK GDPR and the Data Protection Act 2018), the NIS Regulations where they apply to you, sector-specific regulation, and the security clauses in client contracts. This helps ensure your ISMS isn’t just operationally sound; it’s legally watertight too.
For example, a software provider with NHS clients must comply with the Data Security and Protection Toolkit (DSPT) as well as UK GDPR, so legal and compliance teams work together to build a comprehensive register.
Who’s involved: Legal, IT, HR, compliance, DPO.
Outputs: Legal register, data map
Carry out an information security risk assessment
This is a cornerstone of ISO 27001. You’ll need to identify potential threats and vulnerabilities, assess their likelihood and impact, and decide how to treat each risk (accept, avoid, transfer, or mitigate). Use a structured, repeatable method and write it down: the standard expects repeated assessments to produce consistent and comparable results, and this part will shape your policies and controls.
As an example, a UK tech firm handling personal data might assess phishing of remote workers as high likelihood and high impact (a serious UK GDPR breach can attract a fine of up to £17.5m or 4% of global annual turnover, whichever is higher) and mitigate it with multi-factor authentication, recording the residual risk that remains once MFA is in place.
Who’s involved: ISMS lead, IT, department heads.
Outputs: Risk register, risk assessment, risk treatment plan
Create your Statement of Applicability
Based on your risk assessment, document which of the 93 Annex A controls (ISO/IEC 27001:2022) apply to your business, and why. The SoA is a required document and a key link between your risk landscape and the controls you implement. It must list every control, not just the ones you select: each entry records whether the control is included or excluded, the justification, and whether it is implemented yet. It should be clear, justified, and regularly reviewed.
Who’s involved: ISMS lead, possibly an ISO consultant.
Outputs: Completed Statement of Applicability (SoA), linked to risks and controls.
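As an added example covering the risk assessment and SoA steps above (my own code, not the page’s or any toolkit’s), here is the scoring, treatment and SoA linkage expressed as a small Python script. The 5x5 scale, the High/Medium/Low thresholds, the sample risks, obligations and the exclusion are all constructed for illustration; the five Annex A identifiers are quoted from memory and should be verified against your copy of ISO/IEC 27001:2022 before they go into a real SoA.

```python
from dataclasses import dataclass, field

# Illustrative subset of ISO/IEC 27001:2022 Annex A. The identifiers and titles
# are quoted from memory for this example: verify them against your copy of the
# standard before they go anywhere near a real SoA.
ANNEX_A = {
    "5.31": "Legal, statutory, regulatory and contractual requirements",
    "6.3": "Information security awareness, education and training",
    "7.2": "Physical entry",
    "8.5": "Secure authentication",
    "8.13": "Information backup",
}

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int                                # 1 (rare) .. 5 (almost certain)
    impact: int                                    # 1 (negligible) .. 5 (severe)
    treatment: str                                 # accept | avoid | transfer | mitigate
    controls: list = field(default_factory=list)   # Annex A refs that treat this risk

    def score(self) -> int:
        return self.likelihood * self.impact

def level(score: int) -> str:
    """Bands for a 5x5 matrix. The thresholds are a hypothetical risk appetite;
    yours belong in the documented risk assessment methodology."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def treatment_plan(risks):
    """Risk treatment plan, worst first: (ref, score, level, treatment)."""
    rows = [(r.ref, r.score(), level(r.score()), r.treatment) for r in risks]
    return sorted(rows, key=lambda row: -row[1])

def build_soa(risks, obligations, exclusions=None):
    """The SoA lists EVERY Annex A control: included ones carry a justification
    (the risks or obligations that need them), excluded ones carry a reason."""
    exclusions = exclusions or {}
    soa = {}
    for ref, title in ANNEX_A.items():
        if ref in exclusions:
            soa[ref] = {"title": title, "applicable": False,
                        "justification": "excluded: " + exclusions[ref]}
            continue
        why = ["treats " + r.ref for r in risks if ref in r.controls]
        why += ["required by " + src for src, refs in obligations.items() if ref in refs]
        soa[ref] = {"title": title, "applicable": bool(why),
                    "justification": "; ".join(why) or "no risk or obligation requires it"}
    return soa

def check_consistency(risks, soa):
    """Cross-checks an auditor makes between register, treatment plan and SoA."""
    findings = []
    for r in risks:
        if level(r.score()) == "High" and r.treatment == "accept":
            findings.append(f"{r.ref}: High risk accepted; record who approved it and why")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.ref}: treatment is 'mitigate' but no control is assigned")
        for c in r.controls:
            if c not in soa:
                findings.append(f"{r.ref}: references {c}, which is not in the SoA")
            elif not soa[c]["applicable"]:
                findings.append(f"{r.ref}: relies on {c}, which the SoA excludes")
    return findings

# Constructed sample register for a small, fully remote UK software firm.
SAMPLE_RISKS = [
    Risk("R1", "Phishing of remote staff leads to takeover of an account holding customer data",
         likelihood=4, impact=5, treatment="mitigate", controls=["8.5", "6.3"]),
    Risk("R2", "Ransomware encrypts the only copy of client project files",
         likelihood=3, impact=5, treatment="mitigate", controls=["8.13"]),
    Risk("R3", "Tailgating into the co-working space where laptops are left unattended",
         likelihood=2, impact=4, treatment="mitigate", controls=["7.2"]),
    Risk("R4", "Laptop stolen from a locked car (full-disk encryption already in place)",
         likelihood=2, impact=2, treatment="accept"),
    Risk("R5", "Sole cloud provider suffers a multi-day outage",
         likelihood=3, impact=5, treatment="accept"),
]
SAMPLE_OBLIGATIONS = {
    "UK GDPR Art. 32 (security of processing)": ["8.5", "8.13"],
    "legal register (UK GDPR, DPA 2018)": ["5.31"],
}
SAMPLE_EXCLUSIONS = {"7.2": "no premises of our own; all staff work remotely"}

def audit_sample():
    soa = build_soa(SAMPLE_RISKS, SAMPLE_OBLIGATIONS, SAMPLE_EXCLUSIONS)
    return treatment_plan(SAMPLE_RISKS), soa, check_consistency(SAMPLE_RISKS, soa)

if __name__ == "__main__":
    plan, soa, findings = audit_sample()
    for row in plan:
        print("%-3s score=%2d %-6s %s" % row)
    for ref, entry in soa.items():
        print(ref, "included" if entry["applicable"] else "excluded", "-", entry["justification"])
    print("\n".join(findings) or "no findings")
```

Run as-is and the script surfaces the two mismatches an auditor would catch in this register: R3 is being treated with a physical-entry control that the SoA excludes (the firm has no premises, so either the risk belongs to the co-working provider and should be transferred, or the exclusion is wrong), and R5 is a High risk marked as accepted with no record of who signed it off. Everything the SoA includes traces back to a named risk or obligation, which is the link auditors look for between the register and the control set.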
Define and document information security controls
Once you know which controls apply, you’ll need to describe how they’re implemented. These controls can include technical solutions (like multi-factor authentication), physical safeguards (like access restrictions), and organisational measures (like security awareness training). Each should be backed by a documented policy or procedure.
Who’s involved: IT, HR, management, marketing (depending on scope).
Outputs: Suite of policies and procedures (e.g., access policy, backup procedure, incident response).
Train staff and assign responsibilities
ISO 27001 isn’t just about IT; it’s about people too. Every employee who handles information needs to understand their role in keeping it secure. This might involve formal training, onboarding updates, internal campaigns, or phishing simulations. Record everything: you’ll need the evidence for your audit.
For example, a recruitment agency rolls out quarterly awareness training via an LMS, logging completions for audit readiness.
Who’s involved: HR, ISMS lead, line managers, training provider.
Outputs: Training records, staff responsibilities, onboarding materials.
Run an internal audit
Before your external audit, you’ll need to check whether your ISMS is doing what it’s supposed to. An internal audit identifies weaknesses and confirms that policies, procedures, and controls are properly embedded. This needs to be objective, ideally done by someone independent from the team who implemented the ISMS.
Who’s involved: Trained internal auditor or external support.
Outputs: Internal audit report, non-conformance register
Conduct a management review
Senior leadership should review how the ISMS is performing, looking at audit results, incidents, objectives, and areas for improvement. This meeting should be documented and demonstrate that leadership is actively engaged in maintaining and improving the system.
Who’s involved: Senior management, ISMS lead.
Outputs: Minutes, actions for improvement
Address any non-conformities or gaps
If your internal audit or management review uncovers issues, now’s the time to fix them. This could mean updating a policy, retraining staff, or improving access controls. Keep records of all corrective actions; you’ll need to show these to your certification body.
For example, a manufacturer revises its physical security controls after an internal audit flags unlogged visitor access.
Who’s involved: ISMS lead, relevant departments.
Outputs: Corrective action log, updated documents, evidence of fixes.
Book and complete certification audit
Finally, you’re ready for the external certification audit. Choose an accredited certification body (in the UK, look for UKAS accreditation) and prepare for a two-stage process: stage one checks your documentation and readiness, and stage two assesses how well your ISMS is working in practice by sampling evidence such as training records, access reviews and incident logs. If successful, you’ll receive your ISO 27001 certificate, typically valid for three years, with annual surveillance audits.
Who’s involved: ISMS lead, certification body, stakeholders, audit team.
Outputs: ISO 27001 certification!
| Role | Responsibility |
|---|---|
| ISMS lead | Drives the project and ensures deadlines are met |
| IT manager | Implements and monitors technical controls |
| HR | Delivers training and supports culture change |
| Compliance/legal | Tracks laws and contract obligations |
| Department heads | Help embed ISMS into daily operations |
| Senior management | Provides resources and strategic direction |
One of the first questions businesses ask is: how much will ISO 27001 cost us? The answer depends on your business’s size, scope, complexity, and appetite for DIY. Here’s a general idea of what to expect.
Common cost drivers include:
• Internal staff time and project management
• External consultant support
• Tools, templates, and software platforms
• Training and awareness programmes
• Certification audit fees
Typical UK cost ranges:
• DIY approach: £4,000–£8,000 for small businesses
• Blended support: £8,000–£12,000 with toolkits and light consultancy
• Full consultancy: £12,000–£20,000+ for larger/more complex businesses
| Business type | Typical investment | What this might include |
|---|---|---|
| Micro/Small (1–20 employees) | £4,000–£8,000 | DIY with templates, part-time internal lead |
| Small to medium (20–100 employees) | £8,000–£12,000 | Mix of internal resource and external consultancy |
| Medium to large (100–250+ employees) | £15,000–£25,000+ | Full consultancy, multi-site support, custom documentation |
| Complex/regulated (250+ or high risk) | £25,000+ | Bespoke implementation, multiple departments & locations |
These figures include implementation and certification audit. Ongoing costs (surveillance audits, updates, recertification) are usually annual and lower.
• Start with a focused ISMS scope (you can expand later)
• Reuse what you already have, such as existing policies and security tools
• Use ISO 27001 toolkits and templates to save time on documentation
• Train someone in-house to run your internal audit
• Choose a certification body that’s the right fit for your size and sector
Getting ISO 27001 certified is an investment, but it’s also a competitive differentiator, a sales enabler, and a long-term risk reducer.
Most UK SMEs complete ISO 27001 implementation in 3 to 6 months, but this depends on several factors like business complexity, resource availability, and existing policies. Complex operations or low-resourced teams may take up to 12 months.
Month 1 – Plan and prepare
• Define ISMS scope and objectives
• Get leadership buy-in
• Assign a project lead or ISMS manager
• Conduct a gap analysis
Month 2 – Design and document
• Perform your risk assessment
• Select applicable Annex A controls
• Create your Statement of Applicability (SoA)
• Start drafting your policies and procedures
Month 3 – Implement and train
• Deliver staff training and awareness
• Roll out controls and new processes
• Begin collecting evidence of control operation
Month 4 – Audit and review
• Conduct your internal audit
• Hold management review
• Address any non-conformities or gaps
Months 5–6 – Certify
• Finalise documentation and evidence
• Book and complete your external certification audit
Some businesses move faster, while others take longer. We’ve listed some of the factors that impact this below.
What can speed things up?
• Clear internal project ownership with dedicated time
• Using pre-built ISO 27001 templates and toolkits
• Existing alignment with data protection or Cyber Essentials
• Leadership support with quick decision-making
• Having a simple business model or small ISMS scope
What can slow things down?
• Lack of internal resource or project delays
• Waiting on leadership decisions or budget approvals
• Complex IT environments or multi-site operations
• Poor documentation or evidence collection
• High staff turnover during the project
The key takeaway is that ISO 27001 implementation can be planned around your business, so with the right support and approach, it can move faster than you think.
ISO 27001 has a strong focus on documentation, evidence, and continual improvement, so having the right tools in place can make a big difference in how smoothly (and how painlessly) your implementation runs.
For example, risk assessment templates might include pre-filled asset inventories and NIS2-tailored threat libraries to help you hit the ground running. Many platforms also support GDPR mapping, version control, and audit trail automation, making it easier to maintain and demonstrate compliance as your ISMS matures.
Useful tools include:
• Document toolkits – These include ready-made templates for ISO 27001 policies, procedures, registers, and plans. They can save hours of drafting and help ensure you meet mandatory documentation requirements.
• Risk assessment templates – Excel-based or online risk tools help you identify assets, assess threats and vulnerabilities, and build a risk treatment plan.
• Training trackers – Whether you use an LMS or a simple spreadsheet, you’ll need to record staff training and awareness activities as audit evidence.
• Project planners – Gantt charts, project planning spreadsheets, or even simple task lists are useful for tracking progress, assigning responsibilities, and keeping to deadlines.
• ISMS management platforms – These digital systems support policy version control, evidence uploads, audit trail management, and automated reminders. They’re particularly useful if your team is distributed or your ISMS scope is complex.
What to consider when choosing tools
• Does it help manage both documentation and evidence collection?
• Can multiple users collaborate securely?
• Will it scale as your business grows or your ISMS expands?
• Does it support GDPR, NIS2 or other frameworks you need to comply with?
Some businesses implement ISO 27001 using spreadsheets and shared folders. Others invest in full-featured ISMS software. There’s no single right answer, just what works best for your team, your budget, and your goals.
Some providers may include this in their consultancy package. For example, when you partner with us for your ISO 27001 certification, you’ll get instant access to Atlas, our online management system. It includes a library of ISO 27001 templates, task tracking features, and secure document storage to help you manage your implementation from one central place.
Internal audits are a critical step before you go for certification. Essentially, it’s a dry run, helping you uncover blind spots, test your ISMS, and build confidence before your official certification audit. The internal audit is your opportunity to spot issues before they become problems. Done well, it sets you up for a smoother external audit and shows your team and stakeholders that the ISMS is genuinely embedded.
What your internal audit should check:
1. Are all mandatory ISO 27001 documents in place and up to date?
2. Are the selected Annex A controls implemented and working effectively?
3. Is staff awareness and training recorded and aligned to policy requirements?
4. Are incidents, risks, and corrective actions being tracked properly?
5. Are there any non-conformities that need to be addressed before certification?
When to run it: Ideally after all controls are in place and have been operating long enough to generate evidence, but before your management review. You can use internal staff or bring in an external auditor if needed; either way, nobody should audit their own work. Certification bodies expect to see a completed internal audit and management review before stage two.
Getting ISO certified puts the right controls, culture and systems in place to protect your business. For UK SMEs, ISO 27001 can reduce breach risks, satisfy the information security requirements in public sector tenders, and streamline the sales process with GDPR-conscious clients.
More buyers are demanding proof of robust data handling and security governance, and ISO 27001 is the gold standard that opens doors. In fact, many UK councils and NHS procurement frameworks list ISO 27001 as a minimum requirement for suppliers.
Here’s what you can gain from successful implementation:
• Better control over sensitive data and systems
• Stronger defence against cyber threats
• Fewer incidents, faster recovery, less downtime
• Easier compliance with GDPR, NIS2, and client contracts
• Greater trust from customers, partners and stakeholders
• Competitive advantage in tenders and public sector work
• Structured approach to information governance
• Streamlined audits and less time spent chasing paperwork