How to Implement ISO 27001 in your organisation


Are you a listener or are you a reader? Either way, we have got you covered. Dive into the details of how to implement ISO 27001 in your organisation: you can read all about it below or listen to what Luke Desira has to say.

Hi, I am Luke Desira and in this video, I wanted to give you a bit of information about how you can go about the task of implementing ISO 27001 within your organisation.

Let’s start with a short introduction to what ISO 27001 is. As you might know, ISO 27001 deals with information security, and over the past decade the threats relating to information security and cyber security have drastically increased, especially since companies are heavily investing in their digital landscape.

When it comes to the standard, we should not only be concerned with the term ‘cyber security’ but with the broader term ‘information security’. We also have to protect other information; for example, information relating to our employees, intellectual property generated by the company, and sensitive commercial information that might be stored in digital or paper-based formats. So ISO 27001 does not only concern the cyber threats that your organisation faces from the online world; information security also covers the sensitive, paper-based information that you might have within your organisation.

Once again, ISO 27001 is an information security management system standard, and its main aim is to protect your organisation from internal and external hazards relating to information security. The goal of any management system based on an ISO standard is to create a management system that is designed for continual improvement. This is a conversation that I like to have with my clients: I understand that nothing will ever be perfect, and no matter how much we try to improve our management system, it will still not be perfect.

Moreover, obtaining ISO 27001 certification does not mean that you are protected from all possible threats that relate to information security. Having an ISO 27001 certification means that you have the systems and procedures in place to mitigate information security risks and make sure that issues don’t happen. If and when they do occur, you’ll be able to respond quickly, and you’ll also have a plan B or plan C for how to tackle a particular situation that might occur within your organisation.

Some organisations, unfortunately, feel that they have to be perfect before even starting the process of implementing an ISO management system. I am here to tell you that that is not the right approach. The right approach is to accept that we will never be perfect and to use ISO standards to help us refine and continually improve our systems. We have to ensure that all systems comply with the international standards for information security, and that we have the systems in place to collect the data we will need to take informed decisions about where our efforts to improve the information security management system should be directed.

That is the first element that I wanted to discuss.

Which companies can implement ISO 27001?

ISO 27001 can be used by any organisation in any industry and of any size. Some organisations, for example financial institutions, have recently become subject to the Digital Operational Resilience Act, an EU regulation specifically targeting financial institutions and their information security. Companies within the financial sector would therefore greatly benefit from implementing ISO 27001. There are other companies too, for instance gaming companies, who might need ISO 27001 to be able to register as operators in specific jurisdictions.

Another example might be software houses, either companies creating tailor-made software or companies selling software as a service, who might want to implement ISO 27001 to make sure that their clients’ data, and possibly the data of their clients’ clients, is adequately protected.

There are other companies who might want to implement ISO 27001. For example, a client of mine is a security company, and of course, if you’re a security business installing CCTV cameras in different locations, you have to understand that your employees have access to whatever those cameras are seeing at any given point in time. Having an ISO 27001 certification gives your clients increased peace of mind, knowing that only the relevant and right employees will have limited access to what is visible on such cameras, which in turn improves the reputation of your organisation.

Depending on the size and complexity of the industry that you operate in, the way in which ISO 27001 will be implemented in your organisation will change. Companies that are prone to certain risks will need to focus on certain elements, while other companies might focus on other risks.

Implementing ISO 27001 based on the high-level structure

Ultimately, ISO 27001 is also based on the high-level structure, like any other ISO management system, and since 2015 we have been using the risk-based approach. In the risk-based approach, the standard asks us to consider the internal and external factors and/or issues that might have an impact on our organisation. We then need to prioritise those risks and opportunities so that we can take effective action on the elements that will have the most impact on our organisation.

Now, when it comes to ISO 27001, while we are talking about the risk-based approach, I have to mention another element that is not included in other standards but is included in ISO 27001: Annex A.

Annex A of ISO 27001:2022 has 93 controls, and when implementing the standard within your organisation you will need to go through all 93 of them. You will need to prioritise them based on the needs of your organisation and determine which ones apply to your organisation and which do not. Based on the prioritisation exercise that you carry out whilst going through these 93 controls, you will eventually determine which elements you need to focus on when improving your information security management system.

Implementing the latest version of ISO 27001

The next thing that I wanted to talk about is the current version of the standard.

When it comes to ISO 27001, the first version was launched in 2000. As a standard, ISO 27001 gets updated roughly once every eight years. The latest version of the standard, as I have previously mentioned, is the 2022 version, and the version before that was from 2013.

The major difference between the current version of the standard and the previous one is that the controls within Annex A have changed. Of course, over the past 10 years the world has experienced radical changes in the way that we operate a business. We also endured a pandemic, which resulted in a huge increase in people working remotely. As a matter of fact, Annex A now has a control that aims at tackling the risks associated with remote working.



The latest version of the standard didn’t bring any drastic changes to the 10 clauses of ISO 27001. However, there have been radical changes to the controls in Annex A of the standard, which is exactly what I have been explaining.

Moving forward, let me explain a little more about the process that you will need to go through when implementing an information security management system based on ISO 27001. Then I will explain the process of a certification audit, and finally I will explain what you need to do to maintain your ISO certification.

When it comes to implementing an ISO 27001 information security management system, the first thing to do is to choose the implementation team. In a smaller organisation this might be the managing director; in larger organisations it will typically include the IT manager and possibly a DPO (Data Protection Officer), which, as you might know, is a requirement for organisations under GDPR.

After choosing the implementation team, i.e. the people who will be involved in the implementation process, the second thing that must be done is to make sure that these people are trained on what ISO 27001 certification really means. I believe that training is extremely important because if people do not have the required knowledge and experience of what ISO 27001 is, then, unfortunately, you will be creating overly bureaucratic procedures that will hinder the way in which you operate as a business. Knowing which clauses and which requirements of the standard apply to your organisation is critical and, in my opinion, that is why the services of an experienced consultant are extremely useful.

An experienced consultant, such as myself, will guide you on which policies and procedures are absolutely necessary within your organisation and which you can do without, so that you end up with a lean management system that still protects information security within your organisation.

When implementing an ISO 27001 information security management system within your organisation, the next thing to accomplish is to set the boundaries for certification. Setting the boundaries means setting the scope for certification, which involves identifying the key elements of your organisation that will be included within the scope. Remember that you don’t need to include all the elements of your organisation within the scope of certification. That is effectively what you need to do at this third step: identify the scope of certification and what will apply to your organisation.

Once the boundaries are set, you must then create the information security manual. This manual is not an actual requirement of the standard; however, from my experience it’s better to create it, because it serves as a consolidation document that makes sure all the relevant information is saved in its proper place. In the information security manual we can record, for example, the needs and expectations of interested parties, the scope of certification for the management system, the information security objectives, and the necessary analyses, so that there is a single place to put all of this.

As you can see, we can either have random, sporadic documents with limited information or collect all this information within one document, which in this case is the information security manual. Once the manual has been created and we have a clear understanding of what the boundaries for certification are, we will have clearly understood what is being considered in our information security management system. The next thing we need to do is a risk management exercise as per Annex A of ISO 27001.

As explained earlier, there are 93 controls in Annex A. For each control, we need to define the risks associated with that particular control and prioritise them. If a risk is high enough to deserve our attention, then we go ahead and define the mitigation actions that are required to mitigate it. We then assign a risk owner and set a deadline by which that person will implement the relevant changes to the management system, and afterwards we repeat the prioritisation exercise for our risks. This ensures that the risks associated with each of the controls have actually been reduced once the mitigation activities have been completed.
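The applicability decision for Annex A controls and the per-control risk cycle described above (score, prioritise, treat, assign owner and deadline, re-score) are the kind of thing a small risk register captures. The following is an added illustration, not code from this page or from Luke Desira’s practice; the Statement of Applicability entries, control numbers, scenarios, scores and dates are all constructed for the example and should be checked against your own copy of Annex A.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register, tied to a single Annex A control."""
    control: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    owner: str = ""
    deadline: str = ""
    mitigation: str = ""
    residual_likelihood: int = 0  # 0 means not yet re-assessed
    residual_impact: int = 0

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # An untreated risk keeps its inherent score until it is re-assessed.
        if not (self.residual_likelihood and self.residual_impact):
            return self.score()
        return self.residual_likelihood * self.residual_impact


# Constructed Statement of Applicability fragment: control -> (applicable, justification).
# Control numbers are assumed for illustration only.
SOA = {
    "A.6.7 Remote working": (True, "staff have worked from home since 2020"),
    "A.7.14 Secure disposal of equipment": (True, "laptops are leased and returned"),
    "A.8.30 Outsourced development": (False, "all software is developed in-house"),
}

# Constructed register: one risk scenario per applicable control.
REGISTER = [
    Risk("A.6.7 Remote working", "unencrypted laptop lost on commute", 4, 4),
    Risk("A.7.14 Secure disposal of equipment", "data left on returned laptops", 2, 5),
]


def applicable_controls(soa):
    """Controls that go through the risk exercise; excluded ones keep a written justification."""
    return [c for c, (applies, _) in soa.items() if applies]


def prioritise(risks, threshold):
    """Risks that deserve attention now, highest inherent score first."""
    return sorted((r for r in risks if r.score() >= threshold), key=Risk.score, reverse=True)


def treat(risk, mitigation, owner, deadline):
    """Record the mitigation action, its risk owner and the agreed deadline."""
    risk.mitigation, risk.owner, risk.deadline = mitigation, owner, deadline
    return risk


def reassess(risk, likelihood, impact):
    """Repeat the scoring after the deadline and return the residual score."""
    risk.residual_likelihood, risk.residual_impact = likelihood, impact
    return risk.residual_score()


def open_items(risks, threshold):
    """Controls whose residual (or still inherent) risk remains at or above the threshold."""
    return [r.control for r in risks if r.residual_score() >= threshold]
```

Running `prioritise(REGISTER, 12)` flags only the remote-working risk (score 16); after `treat(...)` and `reassess(risk, 4, 1)` its residual score drops to 4 and `open_items(REGISTER, 12)` returns an empty list, which is the evidence that the mitigation actually reduced the risk.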

Once Annex A and all of its controls have been considered, we can move on to creating the supporting system. For example, for the competence of people we need a training plan and training records, to make sure that everyone within the organisation is aware of, and has the right knowledge about, what an information security management system is. We need a maintenance plan and maintenance records for elements or equipment that might have an impact on the management system. We also need to consider the incident management process. All of these elements belong to the supporting system and are analogous to those of other ISO management systems.

If your organisation is already certified to some other standard, say ISO 9001, it is a good idea to integrate the supporting system you already have for ISO 9001 with the supporting system of ISO 27001. This enables a seamless integration of both standards and avoids redundant work. If you’ve been following me for a while, you may know that I am a firm believer that ISO management systems are not there to increase bureaucracy but rather to reduce it. Therefore this element is extremely important: if we can have one system catering for both ISO management systems, that is the best-case scenario.

The next element to consider when implementing a management system is the system deployment. Realise that whilst we are implementing the management system, we might come up with a few other meaningful changes that will benefit the organisation, and these will then need to be implemented within the organisation. This is the step where more training is needed, this time not only for the implementation team but also for other people within your organisation.

The next step is the internal audit. When it comes to ISO standards, there is a saying that you have to say what you do and do what you say. So in the first seven steps you will effectively have documented how you operate as a company, and the internal auditor will check these procedures to make sure that they are in line with the management system. The auditor will then advise you to make certain tweaks, both to improve efficiency and to meet the requirements of the relevant standards being implemented.

Following the completion of the internal audit, the next thing is a management review meeting, referred to in short as the MRM and defined in the standard itself. Once this is done, you will need to work with a certification body to obtain the actual ISO certification. When choosing a certification body, the first thing you will need to do is go through the commercial process of getting numerous quotes from different certification bodies. After carefully choosing a relevant and accredited certification body, the technical process for the external audit will begin.

It’s critical to make sure that you are working with an accredited certification body. If you’d like to have a list of accredited certification bodies, please feel free to get in touch. I would love to put you in touch with some certification bodies that offer a good service for a reasonable price.

The technical process basically revolves around a stage one audit, which compares your documentation with the requirements of the standard, and then a stage two audit, where your documentation is compared with what you are doing in practice. After that has been done you will be able to get your certification. Finally, once you are certified, every year each ISO-certified company has to carry out an internal audit and a management review, and host the certification body for a surveillance audit.

I hope that you found this presentation about ISO 27001 useful. If you have any questions please let me know; I would love to help you succeed. Keep in mind that information security is constantly changing, and therefore it’s very important to have such a management system within your organisation!

Once again, if you have any further questions or need help implementing ISO 27001 within your organisation, I would love to help you succeed. Thank you and goodbye for now.


As an ISO management system consultant Luke Desira will make it his personal mission to put your company in a class above all others!

If you are on the hunt for information on how to get certified, have a look at this guide on how to get ISO certified with Luke Desira, and find out about the 10 pitfalls that you may encounter when implementing ISO in your organisation. Make sure to reach out to him to discover whether there are any funding opportunities to help you get certified for the ISO 27001 Information Security Management System.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.
