From scope to audit-ready ISMS—without paperwork overload
ISO 27001 can feel “big” because it’s not just a set of technical controls—it’s a management system. The good news is you don’t need 12 months of paperwork to get moving. If you focus on scope, risk, ownership, and evidence, you can build a working ISMS in 90 days that’s audit-ready and genuinely useful day-to-day.
This roadmap is designed for small and medium organisations that want a lean ISO 27001 foundation: enough structure to satisfy customers and auditors, while keeping the workload realistic.
What “done well” looks like in 90 days
By day 90, you should have:
- A clear ISMS scope and boundaries
- A simple risk method leadership understands
- A Statement of Applicability (SoA) with justified controls
- A risk treatment plan with owners and dates
- Core policies + procedures people can follow
- A living evidence pack (tickets, logs, reviews, approvals)
- Completed internal audit and management review
- A realistic plan for Stage 1 / Stage 2 certification (if pursuing)
World Computing Ltd helps SMEs implement ISO 27001 in a practical, risk-based way—building the policies, controls, and evidence you need for real security and audit confidence.
ISO 27001 requires
- Define scope and boundaries
- Identify information security risks
- Select controls and justify gaps
- Assign ownership and accountability
- Prove operation with evidence
- Review, audit, and improve
Your 90-day focus
- Build inventory and ownership list
- Run risk workshop with leaders
- Create SoA and treatment plan
- Implement core policies and processes
- Collect evidence in one place
- Audit internally, fix, then certify
90-day implementation roadmap
Phase-by-phase plan you can follow (15-day blocks)
Days 1–15: Kick-off and scope
Goal: Decide what you’re certifying and who owns it.
- Appoint an ISMS owner and backups
- Define scope (sites, systems, services)
- Identify interested parties (customers, regulators)
- Set ISMS objectives (measurable, realistic)
- Create ISMS folder structure (policies/evidence)
Deliverables
- Scope statement
- Roles and responsibilities
- ISMS objectives + measures
Days 16–30: Inventory and risk method
Goal: Build visibility and a repeatable risk approach.
- Create asset inventory (systems, apps, data)
- Assign asset owners and basic classification
- Define risk methodology (likelihood/impact)
- Run risk workshop and capture outcomes
- Create risk register v1
Deliverables
- Asset inventory with owners
- Risk assessment method
- Risk register v1
Days 31–45: Controls selection and SoA
Goal: Select controls based on risk.
- Map key risks to controls
- Create Statement of Applicability (SoA)
- Create risk treatment plan (owners/dates)
- Set document control (versions/approvals)
- Start evidence capture process
Deliverables
- SoA v1 with justifications
- Risk treatment plan v1
- Document control process
Days 46–60: Implement core ISMS processes
Goal: Put the essentials into daily operations.
- Access control (joiners/movers/leavers, MFA, admin accounts)
- Vulnerability and patching cadence
- Backup and recovery testing schedule
- Incident response workflow and roles
- Supplier onboarding and review checks
- Logging and weekly review process
Deliverables
- Core policies and procedures live
- Owners assigned per control area
- Evidence collection running
Days 61–75: Train, test, and build evidence
Goal: Prove controls work in practice.
- Run short staff security briefing
- Run incident tabletop exercise
- Perform one restore test (evidence)
- Run privileged access review
- Review top suppliers and contracts
Deliverables
- Training records
- Exercise report + actions
- Restore test evidence
- Access review evidence
- Supplier review evidence
Days 76–90: Internal audit and management review
Goal: Close gaps and become audit-ready.
- Perform internal audit (clauses + SoA)
- Log nonconformities and actions
- Hold management review (KPIs/risks)
- Update SoA, risks, treatment plan
- Prepare Stage 1 readiness pack
Deliverables
- Internal audit report + action plan
- Management review minutes
- Updated SoA / risk register / risk treatment plan (RTP)
- Audit-ready evidence pack
Common SME mistakes to avoid
- Scoping too wide too early
- Writing policies nobody uses
- Risk register not driving actions
- No evidence trail (only statements)
- Supplier risk treated as “outsourced”
- Patching without an emergency process
Conclusion
In 90 days, you won’t perfect everything—but you can build a working ISO 27001 system: clear scope, leadership ownership, risk-driven controls, and evidence that proves the ISMS runs continuously. That foundation reduces surprises, improves resilience, and builds trust with customers.
