ISO 27001 checklist: A 10 step guide for effective implementation

When it comes to ISO 27001 implementation, one of the most important things we tell our clients is that it is not a tick box exercise, a one-and-done. Instead, it requires ongoing commitment from your organisation to maintain your controls, policies and processes. Another thing we tell our clients is that achieving ISO 27001 accreditation doesn’t need to be scary. It’s not an insurmountable challenge.

With that in mind, we’ve put together a simple 10 step ISO 27001 implementation guide. Our straightforward checklist will give you an idea of where to start, and what is involved.  


The key benefits of ISO 27001 certification

Apart from the main benefit of being better positioned to deal with cyber threats and mitigate risk, ISO 27001 is a clear way to demonstrate to your customers, suppliers, and other stakeholders that you have the right controls in place to protect both your business and their data. The accreditation builds trust with both your stakeholders and the market, giving you a significant competitive advantage over companies in your sector that don’t have the standard. It also goes a long way towards achieving other legislative or compliance requirements, depending on your type of business, the data you hold and the industries you operate in.  


How to implement ISO 27001 – your ISO 27001 toolkit

Step 1: Know what you’re working with – identify your cyber security gaps
The key to developing and implementing your plan to achieve certification is understanding what you have to work with in terms of existing tools and controls, where the gaps are in your cybersecurity and how best to close those gaps. Working with an ISO 27001 consultancy in the early stages of your journey will boost your chances of success. This detailed gap assessment will form your foundation and help you develop a realistic action plan detailing tasks at granular level.

Step 2: Get support from the top down – implement a management framework
Achieving and maintaining ISO 27001 accreditation is an ongoing commitment that needs buy-in from all levels of the business. That said, it begins with top management, as they play a crucial and active role in information security management. The best way to get this support is to establish the right tone from the top down and from the outset. In addition to starting off on the right footing, this helps promote wider acceptance of the standard. Remember that ISO 27001 is a management framework, and the learnings can be incorporated across other governance processes, whether in HR, finance or operations.


Step 3: Put security on all your meeting agendas

While cybersecurity is a board issue, it also needs to feature across the business so that every department, team and individual understands what you are doing and why you’re doing it. Add security risks as a discussion topic in all your meetings (not just senior leadership or board meetings), including project, scrum, team and department meetings. More than that, ensure there is a clear and relevant flow of information and outcomes across your organisation so that discussions at every level can inform the higher-level ones.

Step 4: Focus on your people – educate and train
When it comes to transformation of any kind, people play a significant role. Spend time on change management – communicate clearly and establish channels for active participation and engagement. Use positive communication and language to create a culture of acceptance and understanding, to negate a panic or blame mentality that often accompanies change. Ultimately, this helps when embedding the new controls and processes, not just for the initial certification but for annual maintenance of your security program.

Step 5: Take advantage of ISO 27001 experts
You won’t necessarily have all the skills you need in-house so bring in outside experts to supplement your organisation’s expertise. Dedicated organisations, such as RightCue, offer ISO 27001 consultancy services and can add value to the process. This could take the form of areas such as application security, network architecture, risk assessment, business continuity, creation of security KPIs, data protection, or auditing. Having the right skills in the right places will ensure your processes are set up correctly and actually improve security rather than ISO 27001 being merely a tick box exercise.

In addition, choosing the right partners – those that understand your business – is important. This ensures that the documentation they prepare meets your unique requirements and your controls can be adapted to the way your company works. The benefit here is that your team will spend less time on admin tasks and information security activities get embedded in your ways of working rather than being an afterthought.


Step 6: Be clear on who is doing what – assign security roles and responsibilities
Once you have your plan, or as part of its development process, assign roles to all involved. Be clear about what is needed, what is expected, timeframes, deadlines, documentation needed, etc. Work with a trusted ISO 27001 consultant, such as RightCue, to help streamline roles and responsibilities and identify areas for improvement in terms of skills and training.

Step 7: Dedicate time and budget to training
Training will play a key role in the ongoing success of your ISO 27001 accreditation. Dedicate enough resource, in terms of both time and money, to training for employees and for external stakeholders that have a role to play. This should cover all employees – those involved in the accreditation process as well as those in operations. More than that, ensure the training is engaging and simple, and offer it in multiple modes to appeal to different learning styles.

Step 8: Optimise your technology
As part of your initial gap analysis, you will identify the tools and technologies your organisation already uses. Once the plan is in place, use this technology to make the accreditation process (and ongoing maintenance) smoother and more effective by automating controls, documentation, monitoring and reporting. In this way, your people will spend more time focusing on their roles, i.e. managing security risks, than performing admin tasks.

Step 9: Perform a mock ISO 27001 audit
Work with your internal team and expert ISO 27001 consultant to simulate the actual audit. The benefit is that it enables you to understand the process better and sets expectations for the real ISO 27001 audit. The team at RightCue assigns a consultant who hasn’t worked with the client to act independently and carry out the audit to make it more realistic and ensure a successful outcome of the real thing.

Step 10: Look ahead
The ISO 27001 accreditation lasts three years and must be redone – all organisations currently on ISO 27001:2013 need to recertify to ISO 27001:2022 by 31st October 2025. Be sure to keep that in mind and continuously measure, monitor and review your controls and processes. This way when it is time for recertification, your team isn’t starting from scratch and it will be a more streamlined process.

What our clients think

“We began looking at how to get ISO 27001 certification and CSA Star Level 2. After an extensive search it became clear that while many companies stated they could deliver both, RightCue was the only business that met our requirements.

“The RightCue team were instrumental in the process – to be blunt, if there was no RightCue, we wouldn’t have been able to do this. Their knowledge of controls was outstanding, and they really understood our business.”

IMRAN MUSAWI . SOLIDATUS

“We were keen to develop our IT security to the next level so we could expand our client base as well as giving existing clients further peace of mind. Working with RightCue has been a total pleasure. They are just lovely people and to us they are not only trusted advisors but they feel like part of our extended team.

“Working with RightCue has supported our growth as a business and given us the reassurance we need, knowing that our security and data protection is well developed and managed – that’s thanks to RightCue.”

JANINE BISHUN . ACASTER LLOYD CONSULTING LTD

“In early 2021, the ATI established the FlyZero project, with ambitious targets and timeframes. RightCue were involved from the start, contributing ideas and sustainable solutions to keep the project data secure.

“RightCue are so supportive and helpful. They operate almost as a virtual CIO and worked with me on a long-term strategy for IT and security to ensure it remains fit for purpose as the business continues to grow.”

ANN DYSIEWICZ . AEROSPACE TECHNOLOGY INSTITUTE

“Beyond the accreditations, RightCue have caused us to think harder. To develop a maturity for our cyber security – processes and ideas for the future, and to think beyond IT to the business implications. Would I work with RightCue again? Absolutely, without hesitation…”

DAVID BATHO . EXETER COLLEGE

“RightCue helped us to achieve our cyber security accreditations including Cyber Essentials and IASME. But it’s more than that – the protection and management of data is now very much at the centre of our business.

“The RightCue team are absolute stars. Nothing is too much trouble. If you need help with cyber security, you can’t go wrong with RightCue.”

DAN CURTIS-ALLEN . FROST & SULLIVAN

“The team at RightCue worked very closely with our internal team on our ISO 27001 accreditation. They were extremely thorough and rigorous throughout the process, they acted professionally at all times and guided us through each step of the way to attain ISO 27001. I would recommend RightCue to help you achieve your security accreditations.”

SIMON ADAMS . PRD TECHNOLOGIES LTD

“They don’t just do the job and leave. They are at the end of the phone and happy to advise and engage at any time if you need them. If you’re considering Cyber Essentials accreditation, I’d definitely recommend RightCue.”

PAUL AUGUSTUS . ROWANS HOSPICE

“Whilst going for a computer security accreditation is never easy, the team at RightCue made it as painless as possible. They were clearly very knowledgeable and as helpful as they could be, given their role as a certification body…”

RAY SMITH . MUSKETEER SOLUTIONS LTD

“There is no doubt working with RightCue saved me a hell of a lot of time. I didn’t have to spend ages researching solutions. I would say RightCue are a very dependable resource, and are reassuringly competent. A good choice if you’re looking to acquire security accreditations…”

BEN COPE . CREATE IT

“We have been hugely impressed with the team at RightCue. They are very approachable and incredibly knowledgeable… Achieving those accreditations was so much easier by working with an experienced and accomplished team of professionals, such as RightCue…”

SHELLEY HAWLEY . STALIS

“Having confidence in recommending them to our clients has allowed us to concentrate on playing to our strengths.

“All of the RightCue team are very helpful and very willing to go the extra mile. They are very committed to delivering a good service, and that’s why we are always happy to refer them.”

PAUL LLOYD . LLOYD TECHNOLOGY

Get in touch with us

If you’d like to talk about how our ISO 27001 consultancy services can help you with any of the above steps, get in touch with our experienced team today.

+44 (0)1256 260 780
