The Control Room: Control 5.18 – Access Rights
Starting ISO 27001 can feel overwhelming.
Not because the standard is unclear, but because most organisations don’t know where to start, what actually matters, and what can wait. So they do what most people do under pressure:
- download templates
- start writing policies
- open a spreadsheet
- hope it comes together
It rarely does.
The first 90 days of ISO 27001 are critical. This is not because you need to finish everything, but because you need to set the foundations properly. Get the foundations right, and the rest becomes manageable. Get it wrong, and you’ll spend months fixing it.
Here’s what actually needs to happen.
First, reset the expectation
You are not “implementing ISO 27001”.
You are building a management system. That means:
- it needs to reflect how your business operates
- it needs to be maintainable
- it needs to produce evidence
- it needs to work beyond the audit
If your goal is just to “get certified”, you’ll end up with bloated policies, disconnected controls and a system no one uses. That’s where most implementations go wrong.
Days 1–30: Define the shape of the system
This is the most important phase. Not the most exciting, but definitely the most important.
1. Set the scope (properly)
What is in scope?
- which parts of the business
- which systems
- which data
- which locations
A vague scope creates confusion later. A clear scope makes everything easier, including risk assessment, control selection and audits. Don’t rush this step.
2. Identify your key assets
ISO 27001 is built around protecting what matters. So you need to identify:
- information assets
- systems and platforms
- suppliers and third parties
Not in a perfect, exhaustive way, but enough to understand what you’re protecting and where it lives.
3. Establish ownership
Who owns:
If ownership is unclear now, it won’t magically fix itself later. This is where many implementations quietly fail.
4. Choose your approach (this matters more than people think)
At this point, you’re making a decision: Will you manage this across documents, spreadsheets and shared drives? Or will you use an integrated, holistic system?
Because this choice determines whether your ISMS becomes manageable or a constant source of friction.
Days 30–60: Build the core
Now you start putting structure around the system.
5. Run your initial risk assessment
This is the engine of ISO 27001. You don’t need perfection. You need:
- a clear method
- defined risk criteria
- documented risks
- assigned owners
Focus on: real risks your business actually faces, not theoretical ones.
6. Define your controls
Based on your risks, determine:
- which controls apply
- how they will operate
- who is responsible
This becomes your Statement of Applicability (SoA).
Don’t treat this as a tick-box exercise. This is where your system becomes real.
7. Start building policies (but don’t overdo it)
This is where most teams go off track. They try to write everything, cover every scenario and create “perfect” documentation.
Instead:
- keep policies practical
- align them to how the business works
- focus on clarity, not length
Policies should support the system. Not become the system.
8. Introduce awareness and training
Your people are part of the system. So:
- start onboarding staff
- communicate expectations
- make policies accessible and understandable
If no one reads or understands your policies, they don’t exist.
Days 60–90: Make it operational
This is where the shift happens. From building… to running.
9. Start capturing evidence
This is where many teams fall behind. Evidence should not be collected at the end. It should be captured as work happens. This applies to activities like:
- access reviews
- policy acknowledgements
- risk updates
- supplier checks
If you wait until audit time, you’ve already lost time.
10. Set up your compliance rhythm
ISO 27001 is not static. You need:
- recurring tasks
- review cycles
- scheduled activities
This is your compliance calendar. Without it, things drift.
11. Run internal checks early
Don’t wait for the audit. Start testing:
- are controls working?
- is evidence being captured?
- do people understand their role?
This is how you avoid surprises later.
What most people get wrong
Let’s be blunt. Most ISO 27001 implementations fail because they:
- focus on documentation over operation
- treat compliance as a project, not a system
- rely on one or two people
- leave evidence until the end
The result? A system that might pass an audit (just)… but doesn’t hold up in practice.
What success looks like after 90 days
You don’t need to be finished. But you should have:
- a clearly defined scope
- visibility of assets and risks
- a working risk assessment
- a defined control set (SoA)
- practical policies
- assigned ownership
- evidence starting to build
- a rhythm for ongoing compliance
In other words: a system that exists and is starting to operate.
The first 90 days of ISO 27001 are not about speed. They’re about direction. If you build something that is structured, connected and aligned to how your business actually works, everything that follows becomes easier.
If you don’t, you’ll spend the rest of the project fixing it.
Need help getting your ducks in a row?
de.iterate helps organisations build and run ISO 27001 as a practical, connected system. From policies and risks through to evidence, audits and continuous assurance, everything sits in one place. So you’re not guessing what needs to happen next. You’re already doing it.
Book a demo to see how it works.