# ISMS Implementation Project Guidance Checklist

These bullet points offer practical advice on how to go about implementing an ISMS. This is a direct lift of a resource from the ISO27001security forum and I must again say that this is here because I use it as a conversational aide and resource, and so it sits in my notes frequently! It's a component of the [ISO 27001 Free Toolkit](https://www.iso27001security.com/html/toolkit.html) that they offer.

**Project definition, justification, scoping and planning**

- [ ] Study the standards, in depth: complete lead implementer training if possible.
- [ ] Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.
- [ ] If the organisation has a defined, structured approach for this phase, use it!
- [ ] Build a business case that identifies and promotes the business benefits of the ISMS.
- [ ] Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.
- [ ] Identify, explore and elaborate on a broad set of business objectives relating to: information risk and security management; information, cyber, manual and automated security controls; compliance and assurance; resilience; good practice, maturity; efficiency, cost-effectiveness etc.
- [ ] Clarify relative priorities for the objectives e.g. by ranking them all or grouping them into categories such as ‘essential’, ‘important’, ‘nice-to-have’ and perhaps ‘to be avoided’.
- [ ] Be honest about the organisational/governance changes ahead, including the potential disruption, costs and timescales.
- [ ] Be realistic about resourcing, priorities and capabilities.
- [ ] Build in more than enough slack/contingency to allow for unforeseen difficulties.
- [ ] Offer a do-nothing straw man plus other options as appropriate e.g. distinguish essential from important from optional objectives, compare costs and benefits of differing ISMS scopes.

**Project approval**

- [ ] Don’t expect the business case to sell itself, no matter how exciting and positive it seems.
- [ ] Hawk it around management, informing them, gathering feedback and amending the proposal.
- [ ] Identify, explore and address genuine concerns, especially blockers.
- [ ] Look for opportunities to align with corporate strategies and other initiatives.
- [ ] Refine the objectives and project proposal, adding explicit details where clarity is needed or helps e.g. metrics.
- [ ] While awaiting approval, continue working on the planning and ideally progressing the essential aspects such as information risk assessment.
- [ ] Be crystal clear about those essentials and only compromise in other areas, even if that means the project is refused or deferred.

**Implementation activities**

- [ ] Aim low, strike high: focus intensely on those essentials, progressing other objectives at lower priority/urgency if resources allow.
- [ ] Where possible, re-use existing content, policies, procedures, controls etc., adapting as necessary.
- [ ] Collaborate closely with related teams/functions/organisations/individuals.
- [ ] Work to up-skill the core team through training, mentoring and experience on the job.
- [ ] Start operating elements of the ISMS as soon as practicable, practising and refining them and ideally accounting for the benefits gained (financial or otherwise).
- [ ] Look for early wins and promote them: positive feedback is invaluable for motivation and energy.

**Project management, oversight, progress reporting and project risk management**

- [ ] If the organisation has a project management method/approach, use it!
- [ ] Work with experienced programme and project managers.
- [ ] Establish suitable governance arrangements (e.g. structure, reporting, metrics, approvals) for the project, as these will evolve into the ISMS governance in due course.
- [ ] Play snakes-and-ladders: identify and address risks/issues/setbacks, seizing and promoting opportunities to advance.
- [ ] Watch the critical path, and anything that does or might consume your contingencies, like a hawk.
- [ ] Beware stress and burnout: don’t exceed reasonable workloads for long periods, including yours.
- [ ] Work hard on clear communications and effective relationships: these will outlast the implementation phase.

**Certification and other assurance activities**

- [ ] Treat certification as an opportunity to improve, more than a hurdle to clear.
- [ ] Take time to clarify objectives, identify suppliers and contract with certification bodies.
- [ ] Specify experienced and competent certification auditors, anticipating less aggravation and more value-add.
- [ ] Line up certification prerequisites such as completed ISMS documentation, records of activities, ISMS internal audits etc.
- [ ] Line up management to see the purpose and value of assurance regarding the ISMS, information risk and security management, compliance etc.
- [ ] Line up marketing to promote the certification, enhancing corporate brands, opening new business opportunities etc.
- [ ] Liaise closely between the team, management and the certification body in the run-up to certification, maintaining alignment and expectations.
- [ ] Look beyond the award itself: there is always more to be done, more planning required e.g. integrating other management systems.

**Transition to business-as-usual**

- [ ] Plan for a gradual, sequential/piecemeal ISMS build-and-implementation, rather than a big bang.
- [ ] Start using those policies, procedures, metrics, reports etc. as soon as they are available: it inevitably takes time to discover and smooth off the rough edges, and to integrate them all into a coherent, self-sustaining management system, so they constitute ‘improvement opportunities’.
- [ ] Keep up the communications within and without the team, squeezing more value from metrics through motivational feedback, direction and reprioritisation.
- [ ] Become ever more business- and externally-focused as the ISMS settles into a routine, without neglecting the team and individual needs.