Implementing ISO/IEC 27001:2022 can feel overwhelming at first glance. The standard covers everything from defining the scope of your Information Security Management System (ISMS) to managing risks, documenting controls, training employees, and proving continuous improvement. For many organizations, the challenge isn’t whether certification is worth it—it’s knowing where to start and how to move forward without losing momentum.
This is where a clear, time-bound action plan makes all the difference. Instead of approaching the standard as a massive project with no structure, breaking the implementation into a 90-day roadmap gives you direction, focus, and achievable milestones. By the end of three months, you won’t have every detail perfected—but you will have a functioning ISMS, evidence of progress, and readiness for your certification audit.
In this guide, you’ll find a step-by-step plan organized into three phases:
Days 1–30: laying the foundation through scoping, planning, and gap analysis.
Days 31–60: building the ISMS with risk management, documentation, and awareness.
Days 61–90: validating progress with internal audits, management reviews, and audit preparation.
The goal is to provide a structured framework you can adapt to your organization’s size and resources. Whether you’re a growing SME or part of a larger enterprise, this plan will help you move from intention to implementation—fast, focused, and audit-ready.
The difficulty with ISO/IEC 27001:2022 is not that the standard is vague. It is that the standard asks organizations to address information security in a structured, evidence-based way. The requirements touch policies, technology, people, and culture. For teams approaching implementation, the volume of mandatory clauses (4 through 10) and the 93 Annex A controls can feel like trying to solve a puzzle without knowing where the edges are.
Another reason implementation feels heavy is that many organizations expect perfection from day one. They delay action until every policy is polished and every control is mapped, which slows down progress and frustrates staff. In practice, certification bodies aren’t looking for a flawless system—they want to see a functioning ISMS with clear scope, documented risk management, and evidence that processes are running.
The real challenge, then, isn’t technical. It’s organizational:
Aligning leadership and securing commitment.
Coordinating multiple departments around shared responsibilities.
Managing timelines without letting implementation drag for a year or more.
That’s why a 90-day plan is so effective. Instead of chasing a perfect end state, you break the project into time-bound steps. Each phase delivers something tangible: a scoped ISMS, a working set of policies, or a completed internal audit. By focusing on steady progress rather than flawless execution, you build momentum—and momentum is what gets you to certification.
Pro Tip: Don’t think of the ISMS as a one-time project. Think of it as a system that matures over time. The 90-day plan gets you audit-ready, but the real value comes from improving and refining after certification.
Pre-Implementation Preparation (Before Day 1)
A successful ISO/IEC 27001 implementation doesn’t begin with drafting policies—it begins with preparation. The groundwork you lay before Day 1 determines how smooth the next 90 days will be. Skipping these steps often leads to delays, unclear scope, and a lack of management support when you need it most.
Key Preparation Steps
Preparation Area | What to Do | Why It Matters
Management Buy-In | Secure leadership approval and formal commitment. | Certification depends on visible leadership support.
Define Scope | Decide which business units, systems, and locations are covered. | Prevents wasted effort and ensures clear ISMS boundaries.
Appoint ISMS Lead | Assign a project manager or ISMS coordinator. | Central ownership keeps the project on track.
Assemble Team | Include IT, HR, Legal, and Ops stakeholders. | Avoids treating ISO/IEC 27001 as an “IT-only” project.
Pro Tip: Keep the preparation light but formal. A short kick-off meeting with leadership, an email announcing the project, and a simple project charter can go a long way in signaling commitment to staff.
By the time Day 1 arrives, you should have:
A clear ISMS scope.
An ISMS lead with defined authority.
A cross-functional team in place.
Access to existing documentation that can feed into the gap analysis.
This preparation ensures that the 90-day plan doesn’t stall before it starts.
Pre-Implementation Preparation in Detail
Jumping straight into ISO/IEC 27001 without proper preparation is one of the fastest ways to stall a project. Many organizations underestimate the groundwork, focusing immediately on drafting policies or buying tools. The reality is that the success of your 90-day action plan depends on what you do before the clock even starts. This preparation phase creates the structure, alignment, and clarity needed to make every day count once you begin.
1. Secure Leadership Commitment
Top management involvement isn’t optional—it’s a requirement under Clause 5 of ISO/IEC 27001:2022. Leadership sets the tone, provides resources, and ensures the project is not just an IT initiative but a business priority. Without this, projects often fizzle when budgets tighten or workloads increase.
What to do: Present a short business case highlighting risks of non-compliance (data breaches, lost contracts) and benefits of certification (trust, contracts, compliance).
Why it matters: Auditors will expect evidence that leadership is actively involved, not just signing off on policies.
2. Define the Scope of Your ISMS
Scope is one of the most critical early decisions. Define what parts of your organization the ISMS will cover—this could be a single department, a product line, or the entire company. A scope that is too broad can overwhelm SMEs; too narrow, and it might not satisfy client or regulatory demands.
What to do: Document the scope in terms of locations, assets, systems, and processes, and record the interfaces and dependencies with activities performed outside the scope (for example by suppliers or a parent company), which Clause 4.3 requires you to consider.
Why it matters: The scope statement is one of the first documents auditors review, and it guides every risk assessment and control decision.
3. Appoint an ISMS Lead and Team
An ISO/IEC 27001 project needs clear ownership. Assign a competent ISMS lead (sometimes called a project manager or ISMS coordinator) and a cross-functional team. Avoid leaving the project solely with IT—HR, Legal, Operations, and even Marketing may all have roles in protecting information.
What to do: Create a RACI matrix (Responsible, Accountable, Consulted, Informed) for key activities.
Why it matters: Clause 5.3 requires information security roles, responsibilities, and authorities to be assigned and communicated, and auditors will ask who owns each part of the ISMS.
4. Gather Existing Documentation
Most organizations already have some security, quality, or compliance documentation. Instead of starting from zero, gather what exists: policies, risk registers, incident logs, HR onboarding materials, supplier agreements, etc. Many of these can be aligned or repurposed.
What to do: Create an inventory of current documents and processes.
Why it matters: Identifies quick wins and reduces duplication of effort.
5. Plan Resources and Budget
Even on an SME budget, planning resources early avoids delays later. Identify whether you’ll need consultants, which staff need training, and what certification body to approach. Decide whether to use templates, free tools, or dedicated ISMS software.
What to do: Create a simple resource plan with estimated hours, training needs, and external costs.
Why it matters: A lack of resource clarity is one of the main reasons ISO projects stall midway.
Only once these are in place should you move forward. This preparation ensures your 90-day action plan doesn’t stall in week two because someone says, “We don’t have management approval,” or “We never defined our scope.”
The First 30 Days – Foundation Phase
The first month is all about setting direction and building a solid baseline. Rushing ahead without clarity on scope, gaps, and objectives almost guarantees wasted time later. By the end of this phase, your organization should know where it stands, what’s missing, and how to move forward.
Week 1: Kick-Off and Scope Definition
Hold a formal kick-off meeting with leadership and your ISMS team.
Reconfirm management’s commitment and authority for the ISMS lead.
Document the ISMS scope (locations, departments, systems, exclusions).
Draft a simple project charter with objectives, timeline, and responsibilities.
Key Deliverable: Approved ISMS scope statement.
Week 2: Gap Analysis
Compare existing practices and documents against ISO/IEC 27001:2022 requirements.
Use a structured checklist to identify what’s missing (e.g., risk assessment procedure, Statement of Applicability, internal audit process).
Prioritize findings into high, medium, and low gaps.
Key Deliverable: Completed gap analysis report with priority actions.
Weeks 3–4: Awareness and Project Setup
Run staff awareness sessions and train the ISMS team.
Create the documentation repository (ISMS folder structure).
Key Deliverable: Awareness training records and an ISMS folder set up.
Pro Tip: Keep things simple in the first 30 days. The goal isn’t to perfect every document—it’s to set up the framework so the next 60 days of implementation have a clear direction.
By the end of Day 30, you should have:
A documented scope and objectives.
A gap analysis highlighting exactly what’s missing.
A project plan with responsibilities assigned.
Staff and leadership aligned with the ISMS journey.
This foundation prevents the common trap of “drifting projects” and sets the tone for a disciplined 90-day sprint.
Days 31–60 – Implementation Phase
With the foundation in place, the next 30 days focus on building the ISMS core: risk management, policies, procedures, and evidence that the system is operating. By the end of this phase, you should have documented controls, trained employees, and early evidence ready for audit review.
Week 5: Risk Assessment Preparation
Define a risk assessment methodology (qualitative, quantitative, or hybrid), including the risk acceptance criteria and the criteria for when assessments are performed, as Clause 6.1.2 requires.
Identify information assets (systems, data, processes, and suppliers) and assign a risk owner to each risk identified.
Pro Tip: Don’t wait until the end to gather evidence. Start capturing logs, approvals, and attendance records now. It’s easier to build evidence gradually than scramble to find it before the audit.
By the end of Day 60, you should have:
A functioning risk management process with documented treatment.
A Statement of Applicability listing the necessary controls, the justification for including each one, whether it is implemented, and the justification for any Annex A control you exclude.
Core ISMS policies and procedures approved and communicated.
Training records and awareness materials for staff.
A growing library of audit-ready evidence.
This phase transforms your ISMS from a plan into a working system.
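The Week 5 methodology and the Day 60 deliverables above (a documented treatment decision per risk and a Statement of Applicability that justifies every control) are easiest to understand as data flowing through a few rules. The following script is an added illustration written for this guide, not a template from the original article or from any certification body: it scores a small qualitative risk register, applies an acceptance threshold to decide which risks must be modified, and derives a Statement of Applicability skeleton from the controls those risks reference. The 1–5 scales, the threshold of 9, the sample risks, and the mapping of risks to Annex A controls are all assumptions constructed for the example; the Annex A identifiers and abbreviated titles are included for illustration and should be checked against your own copy of ISO/IEC 27001:2022 before they go into a real SoA.

```python
"""Qualitative risk register, treatment plan and Statement of Applicability
skeleton. Added illustration; the sample risks and the risk-to-control
mapping are constructed for the example, not taken from a real assessment."""
from dataclasses import dataclass, field

# Criteria the ISMS must fix before anything is scored (assumed values):
# 1-5 scales for likelihood and impact, score = likelihood x impact, and an
# acceptance threshold above which a risk must be treated rather than retained.
SCALE_MIN, SCALE_MAX = 1, 5
RISK_ACCEPTANCE_THRESHOLD = 9

# Small illustrative slice of the Annex A catalogue (titles abbreviated).
# Verify identifiers against your copy of ISO/IEC 27001:2022 before use.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.4": "Physical security monitoring",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 rare .. 5 almost certain
    impact: int              # 1 negligible .. 5 severe
    owner: str               # the risk owner Clause 6.1.2 asks you to identify
    controls: list = field(default_factory=list)  # Annex A refs chosen to treat it

    def __post_init__(self):
        # Reject scores outside the agreed scale and references to controls
        # that are not in the catalogue, so the register cannot drift silently.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} outside {SCALE_MIN}-{SCALE_MAX} for {self.asset}")
        unknown = [c for c in self.controls if c not in ANNEX_A]
        if unknown:
            raise ValueError(f"unknown control reference(s) {unknown} for {self.asset}")

    def score(self) -> int:
        return self.likelihood * self.impact


def treatment_decision(risk: Risk, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> str:
    """Retain risks at or below the acceptance threshold; everything above it is
    modified. The other ISO/IEC 27005 options (avoid, share) are decisions the
    risk owner records by hand, so this rule only covers the default path."""
    return "retain" if risk.score() <= threshold else "modify"


def risk_treatment_plan(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risks ranked worst-first with owner and decision: the register an auditor
    will want to see next to the methodology document."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score(),
         "treatment": treatment_decision(r, threshold), "owner": r.owner,
         "controls": list(r.controls)}
        for r in ranked
    ]


def statement_of_applicability(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """A control referenced by a risk that is being modified is 'applicable' and
    traceable to that risk. Every other catalogue entry is marked 'justify':
    the SoA must still say whether it applies for legal, contractual or policy
    reasons, or why it is excluded. Nothing is dropped silently."""
    soa = {cid: {"title": title, "status": "justify", "driven_by": []}
           for cid, title in ANNEX_A.items()}
    for r in risks:
        if treatment_decision(r, threshold) != "modify":
            continue
        for cid in r.controls:
            soa[cid]["status"] = "applicable"
            soa[cid]["driven_by"].append(f"{r.asset}/{r.threat}")
    return soa


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Customer database", "ransomware", 3, 5, "Head of IT", ["A.8.7", "A.8.8", "A.8.13"]),
    Risk("HR records", "unauthorised access by staff", 3, 4, "HR Manager", ["A.5.15", "A.8.5", "A.8.15"]),
    Risk("Staff laptops", "theft in transit", 3, 3, "IT Operations", ["A.8.24"]),
    Risk("Server room", "physical intrusion", 1, 4, "Facilities", ["A.7.4"]),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['treatment']:<6} {row['asset']} / {row['threat']}  ({row['owner']})")
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"{cid:<7} {entry['status']:<10} {entry['title']}")
```

Two design points are worth carrying into a real register. First, the laptop-theft risk scores exactly 9 and is retained, which is the correct reading of "at or below the acceptance criteria" but also means the encryption control it references ends up in the "justify" bucket; in practice you would still mark A.8.24 applicable on policy grounds, and the script makes that decision visible instead of hiding it. Second, validation runs when a risk is created, so a score typed outside the agreed scale or a control reference that is not in the catalogue fails immediately rather than surfacing during the internal audit in Week 10.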
Days 61–90 – Validation & Audit Readiness
By this stage, your ISMS is built and operating. The final 30 days focus on validating its effectiveness, correcting gaps, and preparing evidence for the certification audit. The emphasis shifts from creating documents to proving implementation.
Week 10: Internal Audit
Plan and execute the first internal audit of the ISMS.
Cover scope, policies, risk treatment, and control effectiveness.
Document findings, categorize them (minor, major), and assign corrective actions.
Pro Tip: Don’t leave evidence collection to the last week. Auditors want proof that processes are running, not just documents on paper. Gathering evidence continuously makes the pre-audit phase far less stressful.
End of Day 90: Audit-Ready ISMS
At this point, you should have:
An operational ISMS tested by an internal audit.
A management review showing leadership engagement.
Closed corrective actions and updated records.
Evidence organized for submission to your certification body.
This phase turns your 90-day plan into a certification-ready system. While continuous improvement will carry on beyond Day 90, you’ll be in a strong position to book your Stage 1 and Stage 2 certification audits with confidence.
FAQs About the ISO/IEC 27001:2022 90-Day Action Plan
1. Is 90 days really enough to implement ISO/IEC 27001:2022?
For many SMEs and focused teams, yes. The key is defining a clear scope, keeping the project tightly managed, and focusing on essential requirements: scope definition, risk management, policies, training, and evidence. Larger organizations or broader scopes may need more time, but the 90-day model works as a structured sprint that gets you to audit readiness quickly.
2. What resources do we need for a 90-day implementation?
At minimum:
An ISMS lead (project manager or coordinator).
Cross-functional support from IT, HR, Legal, and Operations.
Templates and tools for documentation and risk management.
Management commitment to provide resources and unblock issues.
Optional resources like consultants or dedicated ISMS software can speed things up, but they aren’t mandatory if the team is disciplined and organized.
3. What evidence do auditors expect at the end of 90 days?
Auditors don’t expect perfection. They expect to see:
A documented ISMS scope and policy.
A risk assessment with a Statement of Applicability.
Core policies and procedures communicated to staff.
Evidence of training and awareness.
An internal audit and management review.
Records showing that corrective actions are tracked and implemented.
If these are in place, you’ll demonstrate a functioning ISMS that meets ISO/IEC 27001:2022 requirements.
Conclusion: Turning 90 Days Into Certification Readiness
Implementing ISO/IEC 27001:2022 doesn’t need to be an open-ended project that drags on for months. With a structured 90-day action plan, you can move from planning to an operational ISMS in three focused phases:
Days 1–30: Build the foundation with scope, gap analysis, and planning.
Days 31–60: Implement the core through risk management, controls, and staff training.
Days 61–90: Validate the system with internal audits, management reviews, and audit preparation.
This approach ensures steady progress, keeps costs predictable, and delivers a system that is not only compliant but also practical for your business. The goal isn’t perfection in 90 days—it’s to establish a functioning ISMS that demonstrates readiness for certification and sets the stage for continuous improvement.
Final Thought: Whether you’re a growing SME or part of a larger organization, the real advantage of this 90-day plan is clarity. Instead of chasing scattered tasks, you follow a roadmap with clear deliverables every step of the way.
Next step: Download our ISO/IEC 27001:2022 90-Day Action Plan Template and start moving from intention to certification readiness—faster, smoother, and with confidence.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.