How to Implement ISO 27001:2022 from Scratch
A practical walkthrough for organisations beginning their ISO 27001:2022 journey. This guide covers scoping, risk assessment, control selection, and the path to certification audit, giving compliance teams a clear roadmap from day one.
Why ISO 27001:2022 Matters
ISO/IEC 27001:2022 is the internationally recognised standard for information security management systems (ISMS). Certification demonstrates to customers, regulators and partners that the organisation identifies, treats and monitors information security risks systematically, and that an accredited certification body has verified this. The 2022 revision consolidated the Annex A controls from 114 to 93 and regrouped them into four themes: Organisational (37), People (8), Physical (14) and Technological (34). Annex A names the controls; the implementation guidance for each one sits in ISO/IEC 27002:2022.
Step 1: Secure Leadership Commitment
Before any technical work begins, obtain formal support from senior management. ISO 27001 Clause 5 requires top management to demonstrate leadership by establishing an information security policy, assigning roles and responsibilities, and allocating resources. Without executive sponsorship, implementation efforts stall.
Step 2: Define the Scope
Clause 4.3 requires a documented scope stating which parts of the organisation, which locations and which information assets fall within the ISMS boundary, taking into account internal and external issues, the requirements of interested parties, and interfaces and dependencies with activities performed by other organisations. Consider:
- Business units and functions included
- Physical locations and remote work arrangements
- Third-party services that process your data
- Applicable legal, regulatory, and contractual requirements
Document the scope in a formal statement; it will be reviewed during the certification audit, and it also appears on the certificate, so a scope that quietly excludes the systems customers care about undermines the point of certifying.
Step 3: Conduct a Risk Assessment
Risk assessment is the backbone of ISO 27001. Follow a structured approach:
- Identify information assets and their owners
- Identify threats and vulnerabilities for each asset
- Evaluate the likelihood and impact of each risk scenario
- Assign a risk rating and determine whether to treat, accept, transfer, or avoid each risk
Use a risk register to track findings. Clause 6.1.2 requires the process to produce consistent, valid and comparable results, so the scales, the rating formula and the acceptance criteria (risk appetite) must be documented before assessment starts and applied identically to every scenario. Auditors sample register entries and check that equal inputs produced equal ratings and treatment decisions, that every treated risk traces to selected controls, and that risk owners have approved the treatment plan and formally accepted any residual risk.
Step 4: Develop the Statement of Applicability
The Statement of Applicability (SoA) maps each of the 93 Annex A controls to your risk treatment decisions. For every control, document whether it is applicable, whether it is implemented (or planned, with a date), and the justification for inclusion or exclusion. Annex A is a reference list, not a checklist: a control may be excluded only with a justification that traces back to the risk assessment, and controls from other sources may be added where the risk treatment needs them. The SoA is one of the most scrutinised documents during a certification audit, because it is the auditor's index into everything else.
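The following Python is an added example for Steps 3 and 4, not code from the original guide. It shows a risk register scored with a fixed likelihood × impact matrix, a repeatable treatment rule tied to a stated risk appetite, a consistency check of the kind an auditor performs, and an SoA derived from the register so that every inclusion cites the risks it treats. The scenarios, owners, scores, the risk-to-control mapping and the implementation status are constructed assumptions; the control identifiers and titles are a subset of ISO/IEC 27001:2022 Annex A (a real SoA lists all 93).

```python
"""Risk register scoring with a repeatable treatment rule, and a Statement of
Applicability derived from it. Added example, not code from the original page.
Scenarios, scores, owners and the risk-to-control mapping are constructed
assumptions; control ids/titles are a subset of ISO/IEC 27001:2022 Annex A."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed methodology: five-point scales, rating = likelihood x impact (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # assumed: a rating of 6 or more must be treated, transferred or avoided

# Subset of Annex A (ISO/IEC 27001:2022). The real SoA covers all 93 controls.
ANNEX_A_SUBSET = {
    "A.5.19": "Information security in supplier relationships",
    "A.5.24": "Information security incident management planning and preparation",
    "A.5.30": "ICT readiness for business continuity",
    "A.6.3": "Information security awareness, education and training",
    "A.7.1": "Physical security perimeters",
    "A.8.2": "Privileged access rights",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str  # "treat" | "accept" | "transfer" | "avoid"
    controls: list[str] = field(default_factory=list)  # Annex A ids selected for this risk

    @property
    def rating(self) -> int:
        """Deterministic rating: same scales and formula for every entry."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


# Constructed register entries for illustration (not real findings).
REGISTER = [
    Risk("R-01", "customer database", "Head of Engineering", "credential theft",
         "shared admin accounts without MFA", "likely", "major", "treat", ["A.8.2", "A.8.5"]),
    Risk("R-02", "public web application", "Platform Lead", "exploitation of a known CVE",
         "no patch deadlines", "possible", "major", "treat", ["A.8.8"]),
    Risk("R-03", "office printer queue", "Office Manager", "unauthorised viewing",
         "printouts left on the tray", "unlikely", "minor", "accept"),
    Risk("R-04", "payroll SaaS", "Head of People", "provider breach",
         "no security clauses in contract", "possible", "moderate", "transfer", ["A.5.19"]),
    Risk("R-05", "staff mailboxes", "IT Manager", "phishing",
         "no awareness training", "likely", "moderate", "treat", ["A.6.3", "A.8.5"]),
]


def check_register(register: list[Risk]) -> list[str]:
    """Consistency checks an auditor would make; an empty list means the register is consistent."""
    problems = []
    for r in register:
        if r.rating >= RISK_APPETITE and r.treatment == "accept":
            problems.append(f"{r.risk_id}: rating {r.rating} exceeds appetite but is accepted")
        if r.treatment in ("treat", "transfer") and not r.controls:
            problems.append(f"{r.risk_id}: {r.treatment} chosen but no controls selected")
        unknown = [c for c in r.controls if c not in ANNEX_A_SUBSET]
        if unknown:
            problems.append(f"{r.risk_id}: control id(s) not in the control catalogue: {unknown}")
    return problems


def build_soa(register: list[Risk], annex_a: dict[str, str], implemented: set[str]) -> dict[str, dict]:
    """One SoA row per control: applicable, implemented, and a justification citing risk ids."""
    selected: dict[str, list[str]] = {}
    for r in register:
        for c in r.controls:
            selected.setdefault(c, []).append(r.risk_id)
    soa = {}
    for cid, title in annex_a.items():
        if cid in selected:
            soa[cid] = {"title": title, "applicable": True, "implemented": cid in implemented,
                        "justification": "Treats " + ", ".join(sorted(selected[cid]))}
        else:
            # Not selected by any risk: a prompt for the control owner to justify the exclusion.
            soa[cid] = {"title": title, "applicable": False, "implemented": False,
                        "justification": "No register risk maps to this control; owner to confirm exclusion"}
    return soa


if __name__ == "__main__":
    implemented_now = {"A.8.8", "A.5.19", "A.6.3"}  # assumed current implementation status
    print("Methodology problems:", check_register(REGISTER) or "none")
    for cid, row in build_soa(REGISTER, ANNEX_A_SUBSET, implemented_now).items():
        flag = "GAP" if row["applicable"] and not row["implemented"] else "   "
        print(f"{flag} {cid:7} applicable={row['applicable']!s:5} "
              f"implemented={row['implemented']!s:5} {row['justification']}")
```

Rows flagged GAP (applicable but not implemented) are the input to the risk treatment plan, and the check function is the kind of thing to run before every internal audit: a high-rated risk marked "accept", or a "treat" decision with no control behind it, is exactly the inconsistency an auditor will sample for. A control that no risk selects is not automatically excluded; it is a prompt to revisit the register or record a justified exclusion.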
Step 5: Implement Controls and Policies
Based on the SoA, develop and implement the necessary policies, procedures, and technical controls. Common priorities include:
- Access control and identity management
- Incident management procedures
- Business continuity and disaster recovery plans
- Supplier security management
- Awareness training for all personnel
Align documentation with your existing processes to avoid creating a parallel system that no one follows.
Step 6: Monitor, Measure, and Improve
Clause 9 requires organisations to evaluate ISMS performance through monitoring and measurement of security objectives (9.1), internal audits (9.2) and management reviews (9.3); Clause 10 then requires nonconformities to be recorded and corrected at their root cause. Establish key performance indicators (KPIs) that can be measured from existing records rather than estimated, such as incident response times, training completion rates, and vulnerability remediation timelines against the deadlines your patching policy sets.
Step 7: Prepare for the Certification Audit
Certification involves two stages. Stage 1 is a documentation review in which the auditor confirms that the ISMS design meets the standard and that you are ready for Stage 2. Stage 2 is an on-site (or remote) audit assessing the effectiveness of your implementation, sampling records to confirm that the controls in the SoA operate as described. After certification, expect surveillance audits (typically annual) and a full recertification audit every three years. Before the Stage 2 audit:
- Conduct at least one full internal audit cycle
- Complete a management review
- Close any identified nonconformities
- Ensure all mandatory documents and records are available
Common Pitfalls to Avoid
- Treating ISO 27001 as a one-time project rather than an ongoing management system
- Overcomplicating documentation instead of integrating it into daily operations
- Ignoring the risk assessment methodology and relying on generic templates
- Failing to involve business stakeholders beyond the IT department
With disciplined planning, cross-functional collaboration, and genuine leadership support, achieving ISO 27001:2022 certification is entirely attainable, even for organisations starting from scratch.