Cyber Horizon
Tags: ISO 27001, Information Security, Certification, ISMS

ISO 27001:2022 Implementation Guide: From Zero to Certified

11 May 2026 · 12 min read · Cyber Horizon Team

ISO 27001:2022 is the world's leading information security management standard, trusted by over 70,000 certified organisations globally. The 2022 revision brought the most significant changes in a decade — 11 new controls, reorganised Annex A, and stronger focus on threat intelligence and cloud security. This guide walks you through implementation from first gap assessment to certification audit.

What changed in ISO 27001:2022?

Structure changes

  • Annex A reduced from 114 to 93 controls
  • Controls reorganised into 4 themes (was 14 domains)
  • 11 new controls added
  • 24 controls merged, 58 updated

New controls include

  • Threat intelligence (5.7)
  • Cloud security (5.23)
  • ICT readiness for business continuity (5.30)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Web filtering (8.23)
  • Secure coding (8.28)

Phase 1: Initiation and Planning (Weeks 1–4)

Define the ISMS Scope

Scope definition is the most important decision in any ISO 27001 implementation. A poorly defined scope creates audit findings and wasted effort. Your scope should cover the information assets, business processes, locations, and technology that are relevant to the information security risks you face.

Consider: which systems handle sensitive customer data? Which processes are revenue-critical? Which locations will the certification cover? Document your scope statement clearly — auditors will test everything within it.

Conduct a Gap Assessment

Before building anything, understand where you stand. Map your existing controls against ISO 27001:2022 Annex A and identify gaps. This assessment should cover all 93 controls and produce a prioritised remediation backlog. Most organisations find they have 60–70% of required controls in some form — the challenge is documentation and consistency.

Get Board Buy-In

ISO 27001 clause 5.1 requires demonstrated leadership commitment. This isn't box-ticking — you need an executive sponsor, a defined information security policy approved at board level, and resources allocated to the implementation. Without genuine leadership support, ISMS programmes stall.

Phase 2: Risk Assessment and Treatment (Weeks 4–10)

The information security risk assessment is the heart of ISO 27001. Clause 6.1.2 requires you to define a risk assessment methodology, identify risks to information confidentiality, integrity, and availability, analyse and evaluate those risks, and select appropriate treatment options.

Risk assessment methodology essentials

  • Define risk criteria — what likelihood and impact scales will you use?
  • Identify all in-scope information assets and their owners
  • For each asset, identify relevant threats and vulnerabilities
  • Assess inherent risk (before controls) and residual risk (after controls)
  • Apply risk appetite — which risks are acceptable, which require treatment?
  • Document treatment decisions: mitigate, accept, transfer, or avoid
  • Produce a Risk Treatment Plan (RTP) with owners and deadlines
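The methodology steps above, carried through as a small worked risk register. This is an added example, not code from the original post or from Cyber Horizon: the 1–5 scales, the appetite threshold, the three assets and their scores are constructed, and residual risk is modelled (an assumption made here, not a formula from the standard) by subtracting a control effect from the inherent likelihood. The Annex A control numbers in the sample rows are real 2022 identifiers, but their mapping to these risks is illustrative.

```python
"""Worked risk assessment following the methodology steps above.

Added example, not from the original post: the scales, appetite, assets,
threats and scores are constructed to illustrate the method. Residual risk
is modelled (an assumption made here) by subtracting a control effect from
the inherent likelihood; other ISMSs use different formulas.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Risk criteria: 1-5 likelihood and impact scales, risk score = likelihood x impact.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Risk appetite: a residual score at or below this is accepted without treatment.
RISK_APPETITE = 6

# "accept" is derived from the appetite, not chosen by the owner.
TREATMENT_OPTIONS = {"mitigate", "transfer", "avoid"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int                     # inherent likelihood, before controls
    impact: int                         # inherent impact
    existing_controls: list[str] = field(default_factory=list)  # Annex A IDs in place
    control_effect: int = 0             # likelihood reduction the existing controls give
    treatment_option: str = "mitigate"  # owner's choice if treatment is needed
    planned_controls: list[str] = field(default_factory=list)
    deadline: str | None = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        residual_likelihood = max(1, self.likelihood - self.control_effect)
        return residual_likelihood * self.impact


def validate_risk(risk: Risk) -> None:
    """Enforce the risk criteria: scores must sit on the defined 1-5 scales."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if value not in LIKELIHOOD_SCALE:  # both scales share the keys 1..5
            raise ValueError(f"{risk.risk_id}: {name} {value} is outside the 1-5 scale")
    if risk.treatment_option not in TREATMENT_OPTIONS:
        raise ValueError(f"{risk.risk_id}: unknown treatment option {risk.treatment_option}")


def treatment_for(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Apply the risk appetite: accept if residual risk is tolerable, otherwise
    record the owner's chosen option (mitigate, transfer or avoid)."""
    if risk.residual_score() <= appetite:
        return "accept"
    return risk.treatment_option


def build_rtp(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """Produce the Risk Treatment Plan: one row per risk above appetite,
    highest residual risk first, each with an owner and a deadline."""
    for risk in risks:
        validate_risk(risk)
    plan = []
    for risk in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        decision = treatment_for(risk, appetite)
        if decision == "accept":
            continue  # accepted risks stay in the register, not in the RTP
        if not risk.deadline:
            raise ValueError(f"{risk.risk_id}: treated risks need a deadline in the RTP")
        plan.append({
            "risk_id": risk.risk_id, "asset": risk.asset, "owner": risk.owner,
            "inherent": risk.inherent_score(), "residual": risk.residual_score(),
            "treatment": decision, "planned_controls": risk.planned_controls,
            "deadline": risk.deadline,
        })
    return plan


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R-01", "Customer CRM database", "Head of Sales Operations",
         "credential theft via phishing", "no MFA on CRM administrator accounts",
         likelihood=4, impact=5, existing_controls=["5.17"], control_effect=1,
         treatment_option="mitigate", planned_controls=["8.5", "6.3"], deadline="2026-09-30"),
    Risk("R-02", "Reception visitor log", "Facilities Manager",
         "unauthorised viewing of visitor names", "paper log left on reception desk",
         likelihood=3, impact=1, existing_controls=["7.2"], control_effect=1),
    Risk("R-03", "Backup tapes in courier transit", "IT Operations Lead",
         "loss of tapes in transit", "tapes not encrypted",
         likelihood=2, impact=5, treatment_option="avoid",
         planned_controls=["8.13", "8.24"], deadline="2026-08-31"),
]

if __name__ == "__main__":
    for row in build_rtp(SAMPLE_RISKS):
        print(row)
```

Running it lists R-01 (inherent 20, residual 15, mitigate) and R-03 (inherent 10, residual 10, avoid); R-02 scores 2 after its existing control, sits inside appetite and is accepted, so it stays in the register but not in the plan. The point of keeping the inherent and residual scores side by side is that an auditor will ask for exactly that evidence: what the risk was, what already reduces it, and why the remaining figure justified the treatment chosen.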

Phase 3: Controls Implementation (Weeks 8–20)

Based on your risk treatment decisions, implement the required Annex A controls. The four themes in ISO 27001:2022 organise controls as follows:

  • Organisational Controls (5.x): 37 controls. Policies, roles, supplier security, incident management, threat intelligence
  • People Controls (6.x): 8 controls. Screening, terms of employment, security awareness, disciplinary process
  • Physical Controls (7.x): 14 controls. Physical perimeters, clear desk, equipment security, secure disposal
  • Technological Controls (8.x): 34 controls. Access control, encryption, malware protection, vulnerability management, secure coding

Phase 4: Statement of Applicability

The Statement of Applicability (SoA) is a mandatory document that lists all 93 Annex A controls, states whether each is applicable to your ISMS, justifies inclusions and exclusions, and references the implementation status. The SoA is one of the first documents an auditor reviews — it needs to be thorough, accurate, and linked to your risk treatment decisions.

A common mistake: excluding controls without documented justification. Every exclusion must reference why the control is not applicable — typically because the associated risk doesn't exist in your context (e.g. physical media controls excluded because you're fully cloud-based and handle no physical media).
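A mechanical check for the SoA requirements above: every Annex A control listed exactly once, every exclusion justified, every applicable control carrying an implementation status and linking only to risks that exist in the register. This is an added example, not the original post's or Cyber Horizon's code. The control identifiers are generated from the theme sizes given in the guide (5.1–5.37, 6.1–6.8, 7.1–7.14, 8.1–8.34); the row field names (control_id, applicable, justification, linked_risks, status), the sample rows and the risk IDs are constructed for the example and are not a format defined by the standard.

```python
"""Consistency checks on a Statement of Applicability (SoA).

Added example, not from the original post. Control identifiers are generated
from the Annex A theme sizes given in the guide (5.1-5.37, 6.1-6.8, 7.1-7.14,
8.1-8.34). The SoA rows, risk IDs and the row-level field names used here
(control_id, applicable, justification, linked_risks, status) are constructed
for this example, not a format defined by the standard.
"""
from __future__ import annotations

# Theme number -> number of controls (organisational, people, physical, technological).
THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}

# Statuses an applicable control may carry; excluded controls carry "not applicable".
IMPLEMENTATION_STATUSES = {"implemented", "partially implemented", "planned"}


def annex_a_control_ids() -> list[str]:
    """All 93 Annex A control identifiers, in order."""
    return [f"{theme}.{n}" for theme, count in THEME_COUNTS.items()
            for n in range(1, count + 1)]


def check_soa(rows: list[dict], known_risk_ids: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the SoA passes.

    Checks: every Annex A control is listed exactly once and nothing else is;
    every row is justified; applicable rows carry an implementation status and
    link only to risks that exist in the register; exclusions carry no risk links.
    """
    findings = []
    expected = annex_a_control_ids()
    listed = [row["control_id"] for row in rows]

    for cid in expected:
        if cid not in listed:
            findings.append(f"{cid}: missing from SoA")
    for cid in sorted(set(listed)):
        if cid not in expected:
            findings.append(f"{cid}: not an Annex A control identifier")
        elif listed.count(cid) > 1:
            findings.append(f"{cid}: listed more than once")

    for row in rows:
        cid = row["control_id"]
        justification = row.get("justification", "").strip()
        if row["applicable"]:
            if not justification:
                findings.append(f"{cid}: included without justification")
            if row.get("status") not in IMPLEMENTATION_STATUSES:
                findings.append(f"{cid}: applicable control lacks an implementation status")
            for rid in row.get("linked_risks", []):
                if rid not in known_risk_ids:
                    findings.append(f"{cid}: references unknown risk {rid}")
        else:
            if not justification:
                findings.append(f"{cid}: excluded without documented justification")
            if row.get("linked_risks"):
                findings.append(f"{cid}: excluded control still linked to risks {row['linked_risks']}")
    return findings


def sample_soa(with_defects: bool = True) -> list[dict]:
    """Constructed SoA: every control applicable and linked to risk R-01, one
    justified exclusion (7.10, storage media, for a cloud-only organisation),
    plus, optionally, four common defects."""
    rows = [{"control_id": cid, "applicable": True,
             "justification": "Treats risks in the risk treatment plan",
             "linked_risks": ["R-01"], "status": "implemented"}
            for cid in annex_a_control_ids()]
    by_id = {row["control_id"]: row for row in rows}
    by_id["7.10"].update(applicable=False, linked_risks=[], status="not applicable",
                         justification="Fully cloud-based; no physical storage media handled")
    if with_defects:
        by_id["8.23"].update(applicable=False, linked_risks=[], status="not applicable",
                             justification="")            # exclusion with no justification
        by_id["8.11"]["linked_risks"] = ["R-99"]          # risk ID not in the register
        rows.append(dict(by_id["5.7"]))                   # duplicate row
        rows.append({"control_id": "9.1", "applicable": True, "justification": "n/a",
                     "linked_risks": ["R-01"], "status": "implemented"})  # not an Annex A ID
    return rows


if __name__ == "__main__":
    for finding in check_soa(sample_soa(), {"R-01", "R-02", "R-03"}):
        print(finding)
```

Run against the defective sample it reports four findings (the unjustified exclusion of 8.23, the unknown risk behind 8.11, the duplicated 5.7 row and the stray 9.1 row); with the defects removed it returns an empty list. Running a check like this before Stage 1 catches exactly the omissions the auditor would otherwise write up.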

Phase 5: Internal Audit and Management Review

Before your certification audit, you must complete at least one full internal audit cycle (clause 9.2) and a management review (clause 9.3). The internal audit must be conducted by someone independent of the areas being audited — this can be internal staff not responsible for those areas, or an external consultant.

The management review must cover: audit results, risk assessment outcomes, ISMS performance metrics, nonconformities and corrective actions, and opportunities for improvement. Minutes must be retained as evidence.

Phase 6: Certification Audit

Certification audits are conducted by accredited certification bodies (CBs) in two stages:

Stage 1 — Document Review

The auditor reviews your ISMS documentation: scope, policies, risk assessment, SoA, risk treatment plan, and management review minutes. This typically takes 1–2 days. The auditor produces a Stage 1 report identifying any areas to address before Stage 2.

Stage 2 — Implementation Audit

The auditor tests whether your documented controls are actually implemented and effective. They will interview staff, review evidence, inspect systems, and test processes. This typically takes 2–5 days depending on scope and organisation size.

Realistic Timeline and Cost

  • Small org (50 staff): 4–6 months, £15k–£40k
  • Mid-size (200 staff): 6–12 months, £40k–£100k
  • Large (1000+ staff): 12–18 months, £100k–£300k+

Costs include external consultancy, certification body fees, and tooling. Internal resource not included.

Accelerate your ISO 27001 journey

Cyber Horizon pre-loads all 93 ISO 27001:2022 controls, automates evidence collection, generates your Statement of Applicability, and tracks your certification readiness in real time. Most customers reach audit-ready in half the typical time.
