
Planning your ISO 27001 journey

You've decided that ISO 27001 certification is valuable for your organization. This article gives you a concrete roadmap from start to certificate.

The journey in 6 phases

Phase 1: Preparation (Week 1-2)

What you'll do:

  • Determine scope and objectives
  • Assemble project team
  • Set up Tidal platform
  • Stakeholder communication

How Tidal helps:

  • Getting Started guides you through initial setup
  • Team invitations let you invite your project team right away
  • Project dashboard for progress tracking

Deliverables:

  • Project plan with timeline
  • ISMS scope document
  • Tidal account and integrations set up

Time investment:

  • Small business (10-49 FTE): 8-10 hours project leader, 2-3 hours management
  • Medium business (50-249 FTE): 12-16 hours project leader, 4-6 hours management

Phase 2: Setting up your ISMS (Week 3-5)

What you'll do:

  • Organizational context and stakeholder analysis
  • Risk inventory and assessment
  • Asset mapping and information classification
  • Gap analysis against ISO 27001

How Tidal helps:

  • Risk assessment with predefined scenarios for IT risks
  • 100+ tests through integrations with cloud providers (Microsoft, Google, AWS)
  • Automatic gap analysis against ISO 27001 Annex A
  • Risk heat maps and prioritization dashboards

Deliverables:

  • Risk assessment report
  • Asset inventory with classifications
  • Gap analysis with action list
  • Statement of Applicability (SoA)

Time investment:

  • Small business: 12-16 hours project leader, 4-6 hours stakeholders
  • Medium business: 20-24 hours project leader, 8-12 hours stakeholders

Phase 3: Implementation (Week 6-10)

What you'll do:

  • Select and implement controls
  • Establish policies and procedures
  • Configure technical measures
  • Training and awareness program
  • Approach and schedule external ISO auditor

How Tidal helps:

  • 93 predefined controls from ISO 27001 Annex A
  • 30+ policy templates adapted to local legislation
  • Automatic compliance tests for cloud environments
  • Assign and monitor tasks where manual activities are still needed
  • Send out quotes to ISO auditors

Deliverables:

  • Implemented controls with evidence
  • Approved policy documents
  • Trained employees
  • Scheduled certification audit

Time investment:

  • Small business: 16-20 hours project leader, 8-10 hours team
  • Medium business: 24-32 hours project leader, 16-20 hours team

Phase 4: Monitor and measure (Week 11-12)

What you'll do:

  • Review control implementation
  • Conduct internal audit
  • Hold management review
  • Address action items from audit

How Tidal helps:

  • Automated monitoring of technical controls
  • Internal audit checklist with evidence
  • Management review templates and dashboards
  • Corrective actions with action plan and deadlines

Deliverables:

  • Internal audit report
  • Management review minutes
  • Corrective action plan (if needed)

Time investment:

  • Small business: 8-12 hours project leader, 4-6 hours auditors/management
  • Medium business: 12-16 hours project leader, 6-8 hours auditors/management

Phase 5: Certification (Week 13-14)

What you'll do:

  • Phase 1 audit (documentation review)
  • Phase 2 audit (on-site assessment)
  • Resolve non-conformities (if needed)
  • Certificate issuance: Within 2-4 weeks after audit

How Tidal helps:

  • Real-time evidence access during audit
  • Non-conformity tracking and resolution workflow
  • Operational planning for continued monitoring of measures

Deliverables:

  • ISO 27001 certificate
  • Audit report with findings
  • Surveillance audit scheduled (after certificate issuance)

Time investment:

  • Small business: 4-6 hours project leader + audit days
  • Medium business: 6-8 hours project leader + audit days

Tip

Total project duration:

  • Small business: 10-14 weeks
  • Medium business: 16-18 weeks

Accelerating factors: Compliance experience, dedicated project leader, management commitment

Delaying factors: Complex IT landscape, multiple locations, limited team availability

Assembling your team

Roles and responsibilities

ISMS Manager / Project Leader (required)

  • Who: Compliance manager, IT manager, or operations manager
  • Time investment: 6-8 hours per week
  • Responsibilities:
    • Daily project coordination
    • Stakeholder communication
    • Tidal platform management
    • Progress monitoring

Management Sponsor (required)

  • Who: CEO, CTO, or senior manager
  • Time investment: 1-2 hours per week, 4 hours for management review
  • Responsibilities:
    • Budget approval and escalations
    • Policy approval
    • Management review chairmanship

Implementation Team (2-4 people)

  • Who: IT, HR, Operations, Legal (depending on scope)
  • Time investment: 0-4 hours per week per person (depending on scope)
  • Responsibilities:
    • Control implementation in their domain
    • Risk assessment input
    • Policy review and feedback

Internal Auditor (can be external)

  • Who: Independent from implementation team
  • Time investment: 1-2 days for audit
  • Responsibilities:
    • Internal audit planning and execution
    • Identify non-conformities
    • Reporting and discussion with management

Info

Small organization: One person can combine multiple roles, but the internal auditor must always be independent.

Skills requirements

Must have:

  • Project management - Planning, coordinating, communicating
  • Organizational knowledge - Understanding processes, systems, stakeholders
  • Willingness to learn - ISO 27001 can be learned during the project

Nice to have:

  • Compliance experience - ISO 27001, GDPR, or other standards
  • IT security knowledge - Understanding technical measures
  • Audit experience - Knowing how auditors think

Tidal compensates:

  • ISO 27001 expertise - Built-in best practices
  • Control library - Predefined measures
  • Project templates - Proven implementation approach

Frequently asked planning questions

"Can we accelerate the journey?"

Yes, but not everything:

  • Can be accelerated: Control implementation, documentation, team training
  • Cannot be accelerated: Internal audit (must come after implementation), management review cycle, external audit scheduling

Fastest realistic timeline: 10-12 weeks for small business with:

  • Dedicated project leader (available part-time)
  • Management directly available for decisions
  • Experience with compliance projects
  • Tidal expert support

"What if we need to change scope along the way?"

Within the project:

  • Small changes (adding/removing assets) usually possible
  • Large changes (new locations, business units) cost 2-4 weeks extra
  • Tidal flexibility makes scope adjustments technically simple

After certification:

  • Scope changes require extra audit days
  • Better to err on the side of completeness when determining scope

"How do we know if we're on track?"

Tidal progress indicators:

  • Completion percentage per phase and overall
  • Risk coverage - percentage of risks with adequate controls
  • Document approval status
  • Team engagement - task progress

Key milestones checklist:

  • Week 2: Tidal in use and 'getting started' completed
  • Week 5: Risk assessment 100% complete
  • Week 8: All necessary controls implemented
  • Week 11: Internal audit without major findings
  • Week 13: Management review held

Ready to take the next step?

Most effective start:

  1. Set up Tidal account and invite team
  2. Plan stakeholder interviews for next week
  3. Block time in calendar for next 3 months
  4. Communicate project to organization

Tip

Project momentum: Start within 2 weeks of decision. The longer you wait, the more other priorities intervene.