Implementation · March 23, 2026 · 14 min read

ISO 27001 Implementation Roadmap: 5 Phases, 12 Months

Most ISO 27001 implementations fail not because the standard is hard, but because teams work in the wrong order.

You start with Annex A controls (the "security" part), then backfill the management system (context, risks, objectives). Auditors fail you at Stage 1 because nothing ties together.

Here's the roadmap that works: 5 phases, 12 months, structured sequence. The same system I used to certify an 800-attorney law firm in under 12 months.

Why sequence matters

ISO 27001 Clauses 4-10 aren't just requirements—they're the implementation order.

  • Clause 4: Understand context (scope, stakeholders, processes)
  • Clause 5: Get leadership buy-in
  • Clause 6: Assess risks, select controls
  • Clauses 7-8: Implement controls, train staff
  • Clause 9: Audit and review
  • Clause 10: Fix what breaks
Most people skip to Clause 8 (controls) because that's what looks like "security work." Then they backfill Clauses 4-6 when the auditor asks for them.

Result: Your Risk Treatment Plan doesn't link to your Risk Assessment. Your controls don't trace back to risks. Your Statement of Applicability contradicts your scope. Stage 1 failure.

The fix: Follow the clauses in order. No skipping. No backfilling.

The 5-phase implementation roadmap

Phase 1: Foundation (Months 1-3)

Goal: Define scope, get executive buy-in, establish governance.

Key deliverables:

  • Project Charter — Document executive sponsorship, budget, timeline
  • ISMS Scope Statement — Define what's in/out (departments, locations, systems)
  • Information Security Policy — Top-level policy approved by CEO/board
  • ISMS Manual — High-level description of your ISMS structure
  • Roles & Responsibilities — Assign ISMS Manager, Internal Auditor, Committee
Who's involved:
  • CISO/IT Manager (lead)
  • CEO/Board (approval)
  • Department heads (scope input)
Common mistakes:
  • Scope too broad: Don't include every department if you only need certification for client-facing systems
  • No executive sponsorship: If CEO hasn't approved budget/timeline, you'll hit roadblocks at Month 6
  • Skipping the Project Charter: This is the document you show leadership when they ask "why are we doing this?"
Exit criteria:
  • CEO has signed the Project Charter
  • Information Security Policy is approved and published
  • ISMS scope is documented and agreed upon by stakeholders
---

Phase 2: Planning (Months 4-5)

Goal: Conduct risk assessment, select controls, create Statement of Applicability.

Key deliverables:

  • Risk Assessment Methodology — Define how you'll assess risks (e.g., 5x5 matrix)
  • Asset Inventory — List critical information assets (data, systems, facilities)
  • Risk Assessment — Identify threats, vulnerabilities, likelihood, impact
  • Risk Treatment Plan — Document which risks you'll mitigate, accept, transfer, avoid
  • Statement of Applicability (SOA) — Select which of the 93 Annex A controls you'll implement (and justify exclusions)
Who's involved:
  • ISMS Manager (lead)
  • CTO/IT Manager (technical risks)
  • Department heads (business risks)
  • Legal/HR (compliance risks)
Common mistakes:
  • Generic risk assessment: Auditors can tell when you used a template. Document your threats, not generic ones like "fire, flood, earthquake."
  • No justification for exclusions: If you're excluding Annex A controls, you must document why (e.g., "A.7.4 Physical security monitoring: We're 100% cloud, no on-prem data centers")
  • Controls not linked to risks: Your SOA must show which controls address which risks. No linkage = Stage 1 failure.
Exit criteria:
  • Risk Assessment completed and approved by management
  • Statement of Applicability completed (all 93 controls addressed)
  • Risk Treatment Plan links risks → controls
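The Risk Assessment → Risk Treatment Plan → SOA linkage in these exit criteria can be checked mechanically before you book Stage 1. The Python below is an added example, not code from the original post or from any ISMS Accelerator template; it assumes the risk register and SOA are held as simple in-memory structures (the Risk class, check_traceability and the constructed sample_isms data are all hypothetical) and uses the 93-control layout of ISO 27001:2022 Annex A.

```python
from dataclasses import dataclass, field

# ISO 27001:2022 Annex A: 37 organisational, 8 people, 14 physical, 34 technological = 93 controls
ANNEX_A = [f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
           for n in range(1, count + 1)]

@dataclass
class Risk:
    risk_id: str
    threat: str
    likelihood: int  # 1-5 on the 5x5 matrix the methodology defines
    impact: int      # 1-5
    treatment: str   # mitigate | accept | transfer | avoid
    controls: list = field(default_factory=list)  # Annex A ids from the Risk Treatment Plan

    def score(self) -> int:
        return self.likelihood * self.impact

def check_traceability(risks, soa, accept_threshold=9):
    """Return Stage-1-style findings. soa maps control id -> (applicable, justification)."""
    findings = []
    for cid in ANNEX_A:  # every one of the 93 controls must be addressed, exclusions justified
        if cid not in soa:
            findings.append(f"{cid}: not addressed in SOA")
        elif not soa[cid][0] and not soa[cid][1].strip():
            findings.append(f"{cid}: excluded without justification")
    linked = set()
    for r in risks:  # Risk Assessment -> Risk Treatment Plan -> SOA linkage
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: mitigated but no control in Risk Treatment Plan")
        if r.treatment == "accept" and r.score() >= accept_threshold:
            findings.append(f"{r.risk_id}: score {r.score()} accepted above threshold {accept_threshold}")
        for cid in r.controls:
            linked.add(cid)
            if not soa.get(cid, (False, ""))[0]:
                findings.append(f"{r.risk_id}: relies on {cid}, which the SOA marks not applicable")
    for cid, (applicable, why) in soa.items():  # applicable controls need a risk or a stated reason
        if applicable and cid not in linked and not why.strip():
            findings.append(f"{cid}: applicable but linked to no risk and no reason given")
    return findings

def sample_isms():
    """Constructed sample data (not a real client) with three deliberate gaps."""
    risks = [
        Risk("R-01", "Former staff retain VPN access", 4, 4, "mitigate", ["A.5.18", "A.6.5"]),
        Risk("R-02", "Unpatched internet-facing web server", 3, 5, "mitigate"),  # gap: no control
        Risk("R-03", "Laptop theft from home office", 2, 3, "accept"),
        Risk("R-04", "Ransomware via phishing", 4, 5, "accept"),  # gap: score 20 accepted
    ]
    soa = {cid: (True, "baseline for a cloud-only firm") for cid in ANNEX_A}
    soa["A.7.4"] = (False, "Physical security monitoring: 100% cloud, no on-prem data centers")
    soa["A.7.8"] = (False, "")  # gap: excluded with no justification
    return risks, soa
```

Running `check_traceability(*sample_isms())` lists the three planted gaps; an empty list is the state you want before submitting to the certification body.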
---

Phase 3: Build & Operate (Months 6-8)

Goal: Implement Annex A controls, write procedures, train staff, begin operations.

Key deliverables:

  • Control Implementation Guide — Document how each selected control is implemented
  • Procedures (20-40 documents):
    - Access control procedure
    - Change management procedure
    - Backup and recovery procedure
    - Incident response procedure
    - Business continuity plan
    - Vulnerability management procedure
    - Secure development lifecycle (if you develop software)
    - Asset management procedure
    - HR security procedure (onboarding/offboarding)
    - Physical security procedure
  • Training materials — Security awareness training for all staff
  • Evidence collection — Logs, meeting minutes, training records
Who's involved:
  • ISMS Manager (project management)
  • IT team (technical controls)
  • HR (training, onboarding/offboarding)
  • Legal (policies, compliance)
  • All employees (training)
Common mistakes:
  • Implementing controls before training: Staff won't follow procedures they don't understand
  • No evidence collection: Auditors want proof controls are operational, not just documented. Start logging access reviews, patch cycles, training completion from Day 1 of operations.
  • Operations too short: You need 3-6 months of operational history before Stage 2 audit. If you implement controls in Month 8 and schedule Stage 2 for Month 10, you'll fail. Not enough evidence.
Exit criteria:
  • All selected Annex A controls are implemented
  • Procedures are written, approved, and published
  • All staff have completed security awareness training
  • ISMS has been operational for at least 1 month (need 3-6 months before Stage 2)
---

Phase 4: Monitor & Improve (Months 9-10)

Goal: Run internal audit, conduct management review, fix nonconformities.

Key deliverables:

  • Internal Audit Plan — Schedule of what will be audited (all ISMS clauses + selected controls)
  • Internal Audit Report — Findings, nonconformities, recommendations
  • Corrective Actions — Document how nonconformities were fixed
  • Management Review Minutes — Evidence that leadership reviewed ISMS performance, audit results, and improvement opportunities
  • Updated Risk Assessment (if risks changed)
  • Updated SOA (if controls changed)
Who's involved:
  • Internal Auditor (lead) — must be independent of area being audited
  • ISMS Manager (coordinate)
  • Department heads (auditees)
  • CEO/Board (management review)
Common mistakes:
  • Internal audit too close to Stage 2: Run internal audit 3-6 months before Stage 2. If you find nonconformities, you need time to fix them and collect evidence of corrective actions.
  • No corrective actions: Finding nonconformities is good (shows your ISMS is improving). Not fixing them is bad. Auditors will re-check your internal audit findings during Stage 2.
  • Management review is a checkbox: This isn't a formality. Leadership must review ISMS objectives, metrics, audit results, and incidents. If your management review minutes say "no issues, everything is fine," auditors will ask deeper questions.
Exit criteria:
  • Internal audit completed (at least 1 full cycle before Stage 2)
  • All nonconformities from internal audit are closed with evidence
  • Management review completed (minutes documented and approved)
  • ISMS has been operational for 3-6 months
---

Phase 5: Certify (Months 11-12)

Goal: Pass Stage 1 (document review), fix findings, pass Stage 2 (on-site audit), get certified.

Key milestones:

  • Select Certification Body — Choose an accredited auditor (BSI, SGS, LRQA, etc.)
  • Submit application — Provide scope, number of employees, locations
  • Stage 1 Audit (document review, usually remote)
    - Auditor reviews your ISMS documentation
    - Checks if Risk Assessment → Risk Treatment Plan → SOA linkage is correct
    - Checks if internal audit and management review are complete
    - Checks if ISMS has been operational for 3-6 months
    - Typical findings: Missing traceability, generic risk assessment, incomplete SOA justifications
  • Fix Stage 1 findings (2-4 weeks)
  • Stage 2 Audit (on-site, 2-3 days depending on company size)
    - Auditor tests if controls are actually operational
    - Interviews staff ("How do you report security incidents?")
    - Checks logs, evidence, records
    - Samples controls (access reviews, vulnerability scans, training records)
    - Typical findings: Controls documented but not operational, no evidence of periodic reviews, training not completed
  • Fix Stage 2 findings (2-4 weeks)
  • Certificate issued (valid for 3 years)
Who's involved:
  • Certification Body auditor
  • ISMS Manager (coordinate)
  • IT team (technical interviews)
  • Department heads (process interviews)
  • All staff (may be interviewed)
Common mistakes:
  • Scheduling Stage 2 too early: You need 3-6 months of operational history. If you implement controls in Month 8 and audit in Month 10, you'll have 2 months of evidence. Not enough.
  • No mock audit: Run a mock internal audit 1-2 months before Stage 2. Simulate what auditors will ask. Find gaps before they do.
  • Staff don't know the procedures: Auditors interview random employees. If your Help Desk doesn't know how to report a security incident, you'll get a finding.
Exit criteria:
  • Stage 1 passed (or findings closed)
  • Stage 2 passed (or findings closed)
  • Certificate issued ✅
---

Month-by-month breakdown

| Month | Phase | Key Activities |
|-------|-------|----------------|
| 1 | Foundation | Scope definition, executive buy-in, Project Charter |
| 2 | Foundation | ISMS Manual, Information Security Policy, governance structure |
| 3 | Foundation | Roles assigned, ISMS Committee formed, awareness begins |
| 4 | Planning | Risk Assessment Methodology, Asset Inventory |
| 5 | Planning | Risk Assessment, Risk Treatment Plan, Statement of Applicability |
| 6 | Build & Operate | Implement Annex A controls (Phase 1: foundational controls) |
| 7 | Build & Operate | Implement Annex A controls (Phase 2: operational controls) |
| 8 | Build & Operate | Staff training, begin operations, evidence collection starts |
| 9 | Monitor & Improve | Internal audit, corrective actions |
| 10 | Monitor & Improve | Management review, risk re-assessment (if needed) |
| 11 | Certify | Select certification body, submit application, Stage 1 audit |
| 12 | Certify | Fix Stage 1 findings, Stage 2 audit, certificate issued |

Note: This assumes you start building operational evidence in Month 8. If you delay, push Stage 2 to Month 13-14 to collect 3-6 months of evidence.

---

Timeline variations (when 12 months becomes 18-24)

Why implementations take longer

18-24 months (unstructured approach):

  • No clear roadmap (work in wrong order, backfill later)
  • No executive buy-in (stalls at Month 6 when you need budget/resources)
  • Controls implemented but not operational (takes 6+ months to fix)
  • Internal audit reveals major gaps (need to re-do work)
12 months (structured approach):
  • Follow Clauses 4-10 in order
  • Executive buy-in before you start (Month 1)
  • Internal audit catches issues early (Month 9, not Month 11)
  • Operational evidence collection starts early (Month 8)
6-9 months (fast-track, risky):
  • Only works if you already have strong security controls in place
  • You're just documenting what exists (not building from scratch)
  • High risk of audit failure if evidence collection is rushed
---

Critical success factors (what makes or breaks the timeline)

1. Executive sponsorship (Month 1)

If CEO/Board hasn't approved budget and timeline upfront, you'll hit roadblocks when you need:
  • Budget for certification body fees ($6K-$12K)
  • Staff time (5-8 hours/week from ISMS Manager, 2-4 hours/week from IT team)
  • Training budget (security awareness platform, optional)
Fix: Get Project Charter signed in Month 1. Include budget, timeline, and named executive sponsor.

---

2. Dedicated ISMS Manager (Months 1-12)

This can't be a side project. You need someone who can dedicate 5-8 hours/week consistently.

If you don't have 5-8 hours/week: Hire a consultant. Seriously. DIY only works if you have bandwidth.

---

3. Operational evidence (Months 8-12)

Auditors want proof your ISMS is operational, not just documented.

Evidence examples:

  • Access review logs (show you reviewed user access quarterly)
  • Vulnerability scan reports (show you scan weekly)
  • Patch logs (show you patch critical vulnerabilities within 30 days)
  • Training completion records (show 100% of staff completed awareness training)
  • Incident response records (show you handled incidents per procedure)
  • Management review minutes (show leadership reviewed ISMS quarterly)
Start collecting evidence from Day 1 of operations. If you implement controls in Month 8 and audit in Month 12, you have 4 months of evidence. That's borderline. 6 months is safer.

---

4. Internal audit timing (Month 9, not Month 11)

Run internal audit 3-6 months before Stage 2, not 1 month before.

Why: You need time to fix nonconformities and collect evidence of corrective actions. If internal audit finds "access reviews not completed," you need 3 months to:
  1. Complete access reviews
  2. Document the process
  3. Show evidence of completion

If you run internal audit in Month 11 and Stage 2 in Month 12: You won't have time to fix issues. You'll fail.

---

5. Mock audit (Month 10-11)

Run a mock Stage 2 audit 1-2 months before the real thing.

How:

  • Have your Internal Auditor simulate Stage 2
  • Interview random staff ("How do you report security incidents?")
  • Check logs, evidence, records
  • Find gaps before the certification body does
This single step prevents 50% of Stage 2 failures.

---

What about Year 2 and Year 3? (Surveillance audits)

ISO 27001 certificates are valid for 3 years, but you have surveillance audits in Years 2 and 3.

Surveillance audit scope:

  • Lighter than Stage 2 (1 day instead of 2-3 days)
  • Focus on: Have you maintained the ISMS? Any major changes?
  • Check: Internal audits, management reviews, incident response, corrective actions
Maintenance tasks (ongoing):
  • Internal audits: At least once per year
  • Management reviews: At least once per year (recommend twice)
  • Risk assessments: Re-run when significant changes occur (new systems, new threats, major incidents)
  • Access reviews: Quarterly or annually (depending on your policy)
  • Vulnerability scans: Weekly or monthly
  • Patch management: Critical patches within 30 days
  • Staff training: Annual security awareness training for all employees
Year 3 (Recertification):
  • Full Stage 1 + Stage 2 audit cycle repeats
  • Essentially re-certification (not just renewal)
  • If you've maintained the ISMS, this is straightforward
---

Common roadblocks (and how to avoid them)

Roadblock 1: "We don't have time"

Reality check: 5-8 hours/week for 12 months = 240-400 hours total.

If you don't have this: Hire a consultant or don't start. Halfway implementations waste more time than not starting at all.

---

Roadblock 2: "Leadership won't approve budget"

Cost breakdown:
  • Certification body fees: $6K-$12K (Stage 1 + Stage 2)
  • Internal effort: 240-400 hours (cost = salary of ISMS Manager)
  • Optional: Templates/course ($1,497-$12,000), consultant ($60K+), or automation platform ($15K-$30K/year)
Business case:
  • Lost deals (what's the value of contracts you lost because you don't have ISO 27001?)
  • Cyber insurance discount (10-25% premium reduction)
  • Reduced security questionnaires (80% of questions answered by showing certificate)
If leadership won't approve $20K for certification: You're not ready. Focus on selling the business case first.

---

Roadblock 3: "We're too small for ISO 27001"

Myth: ISO 27001 is for enterprises only.

Reality: The standard works for companies of any size. I've certified:

  • 800-attorney law firm (large)
  • 50-employee SaaS company (medium)
  • 10-person consulting firm (small)
The scope scales. Small companies exclude controls that don't apply (e.g., physical data centers if you're 100% cloud). Large companies implement everything.

---

Roadblock 4: "Our auditor failed us and we don't know why"

Common Stage 1 failures:
  • Risk Assessment → Risk Treatment Plan → SOA linkage missing
  • Generic risk assessment (used a template, not customized)
  • No justification for excluded controls
  • No internal audit or management review
Common Stage 2 failures:
  • Controls documented but not operational (no evidence)
  • Staff don't know procedures (auditor interviews reveal this)
  • Not enough operational history (only 2 months of logs)
  • Corrective actions from internal audit not closed
Fix: Run a mock audit 1-2 months before Stage 2. Find gaps before the auditor does.

---

The structured system vs DIY chaos

DIY with templates only:

  • Download 230 Word files
  • No guidance on order
  • Work for 6 months
  • Realize controls don't link to risks
  • Backfill
  • Fail Stage 1
  • Hire consultant anyway
  • Total time: 18-24 months
Structured system:
  • Follow 10 modules in order (maps to Clauses 4-10)
  • Use audit-tested templates with instructions
  • Build evidence from Day 1
  • Run internal audit at Month 9
  • Pass Stage 1 and Stage 2
  • Total time: 12 months
That's why ISMS Accelerator exists. It's the roadmap you need, not just the templates.

---

Next steps

If you're starting from scratch:
  1. Read the [ISO 27001 Cheat Sheet](/resources#cheat-sheet) (free download)
  2. Get executive buy-in (present the business case)
  3. Follow the 5-phase roadmap above

If you're stuck mid-implementation:
  1. Figure out which phase you're in
  2. Check if you skipped steps (e.g., did you complete Risk Assessment before selecting controls?)
  3. Fix gaps before scheduling Stage 1

If you want the full structured system:

  • [See the 10-module ISMS Accelerator system](/sales)
  • Includes: 40+ templates, structured roadmap, certification guarantee
  • Three tiers: DIY ($1,497), Guided ($3,997), Done-With-You ($12,000)
---

Bottom line: ISO 27001 isn't hard because the standard is complicated. It's hard because nobody tells you the sequence. Follow the 5 phases. Work in order. You'll finish in 12 months.

Working on your own ISO 27001 implementation?

ISMS Accelerator is a structured 11-module course with 40+ done-for-you templates. Built by a practicing consultant who's done this 40+ times.

See the full program →