ISO 27001:2022 Implementation Guide: Where to Start

Getting ISO 27001 certified is one of the most impactful decisions a mid-market organisation can make. But where do you actually begin?

This guide walks you through the first 90 days of an ISO 27001 implementation — from gap analysis to your first internal audit.

Step 1: Understand the Scope

Before anything else, define what you're protecting. Your ISMS scope determines which assets, processes, and locations fall under the standard. A common mistake is scoping too broadly at the start — focus on your core business processes first.

Step 2: Conduct a Gap Analysis

Compare your current security posture against the 93 controls in Annex A of ISO 27001:2022. Don't aim for perfection — identify the critical gaps that pose the highest risk to your business.

Step 3: Build Your Risk Register

ISO 27001 is fundamentally risk-driven. Every control you implement should trace back to a documented risk. Start with your top 20 risks and build from there.

Step 4: Assign Ownership

Every control needs an owner. Without clear accountability, implementation stalls. Map controls to real people in your organisation — not just "IT" or "Security".

Step 5: Choose the Right Tools

Manual spreadsheets work for small scopes, but they break down quickly. A purpose-built ISMS platform like Complify automates control tracking, evidence collection, and audit readiness — cutting implementation time by up to 60%.

Ready to accelerate your ISO 27001 journey? Request a demo to see Complify in action.