
Steps in ISMS implementation

ISO 27001:2015 certification journey


The implementation of an ISMS in an organization is guided by the International Standard ISO 27001:2013.

This requires the organization to undertake the following training courses:

1. Top Management Briefing

Usually a one-day training course targeting top management in the organization. This training aims at demonstrating top management commitment and offering leadership in the implementation of the ISMS. This team is required to know about and provide any resources needed for the implementation of the ISMS.

2. Process Owners Training

Usually a three-day course targeting heads of departments and sections across the organization. This group is trained on how to implement and support the ISMS within their respective departments. They are the accounting officers with regard to the successful implementation of the ISMS within their departments. They are responsible for maintaining and implementing risk registers and risk management action plans, and for establishing the assets within their departments and securing them.

3. Champions Training

Usually a three-day comprehensive course. This group is nominated from all the departments within the organization. Their aim is to formulate and develop the management system for use by the organization. They are involved in conducting risk assessments and risk treatment, and in preparing policies, risk treatment plans, procedures and any other documentation required by ISO 27001:2013. They are also trained on how to evaluate the effectiveness of the system and improve the ISMS. This team is responsible for working on corrections, corrective actions and establishment of root causes for findings raised during an ISMS audit.

4. Auditors Training

Usually a three-day training course which targets the trained champions. The course is very comprehensive and the champions sit an exam at the end of it. Only those who pass are allowed to audit the ISMS within the organization. They normally schedule audits within the organization to evaluate its effectiveness and identify areas of improvement.

Other phases of ISMS implementation include:

5. Documentation & Validation

This is a seven-day exercise where the champions identify the procedures per department and the policies required, and document them in line with the ISO 27001:2013 standard. All the necessary documentation is done within the first five days, and the remaining two days are for validation, incorporating input from the process owners. Among the documents developed are the ISMS scope, policies, departmental procedures, manuals, risk registers, risk treatment plans and the other documentation required by the ISO 27001:2013 standard.

6. Conducting Internal Audit

After the documents are developed, the organization starts implementing them and the trained internal auditors plan the audit across departments. Areas of improvement are raised from this exercise, and the auditors recommend the corrections and corrective actions to be implemented by the process owners. The number of audit days depends on the size of the organization; in most cases three days are sufficient.

7. Conducting a Management Review

This activity is carried out by top management, who receive feedback on the performance of the ISMS from the ISMS manager and the ISMS champions. They give recommendations on how to improve the system and commit to providing the resources needed.

8. Certification Audit

The organization applies to a certification body for certification of its system, and the certification body conducts the audit. Gaps identified are rectified by the process owners, after which the organization is awarded the certificate.
