If you’ve followed my work on implementing ISO/IEC 27001, you’ll know I teach it as a 12-step project. I’ve just reworked that framework — and the changes are all about sequence. The steps themselves haven’t changed much, but the order now follows the logic of how a real implementation actually unfolds, where each step feeds the next instead of sitting as a disconnected item on a checklist.
Underneath it you’ll find a quick changelog of what moved and why.
The full 12-step approach
1. Scope of the ISMS
2. Gap Analysis
3. Management Support
4. Information Security Policy
5. Asset Inventory
6. Risk Management Methodology
7. Risk Assessment
8. Risk Treatment
9. Competence & Awareness
10. Performance Evaluation
11. Continual Improvement
12. Certification Audit
Changelog: what changed and why
🔄 Scope is now Step 1 (used to be Step 2)
You can't plan, assess, or resource anything until you've defined what your ISMS actually covers — and that includes the business case you'll put in front of leadership. Scope sets the boundaries; the gap analysis then measures your current state against the standard within those boundaries; and together they tell you what the project will really involve in terms of effort, cost, and resources. That's exactly what management needs to see to commit. Put scope anywhere but first, and the business case you bring to leadership in Step 3 is built on shaky ground.
🔄 Gap Analysis now comes before Management Support
You shouldn't ask leadership for commitment based on guesswork. Running the gap analysis first means you walk into that conversation with real evidence: what's missing, what it'll cost, what resources you'll need. A business case built on facts is far harder to say no to.
🔄 Competence & Awareness moved to Step 9, after Risk Assessment and Risk Treatment
This is the change I'm most pleased with. Once you've assessed your risks and defined your risk treatment plan, you finally know what your people actually need to be competent in and aware of. Training can then target the real risks and the specific controls you've chosen to implement, instead of being generic. You educate people on what matters, because by this point you know what that is.
The takeaway
The thread running through every one of these changes is the same: each step should produce what the next step needs. Scope defines the boundaries for the gap analysis. The gap analysis builds the business case for management support. Risk assessment and treatment tell you what to train people on. When the order reflects those dependencies, the whole project becomes easier to plan, easier to resource, and easier to explain to an auditor.
If you want the complete walkthrough, the video above covers all twelve steps in detail.
From ZERO to AUDIT-READY in 12 Steps
If you are responsible for an ISO 27001 implementation project, you are fighting a battle against the clock.
The standard tells you WHAT must be done, but it leaves the HOW entirely to your imagination.
This leaves you staring at a blank map, forced to build an ISMS from scratch while the deadline approaches.
Our ISO 27001 Lead Implementer Framework gives you the Roadmap, Project Plan, Templates and Training to be audit-ready in months, not years.