Starting ISO 27001 can feel overwhelming.
Not because the standard is unclear, but because most organisations don’t know where to start, what actually matters, and what can wait. So they do what most people do under pressure:
It rarely does.
The first 90 days of ISO 27001 are critical. This is not because you need to finish everything, but because you need to set the foundations properly. Get the foundations right, and the rest becomes manageable. Get it wrong, and you’ll spend months fixing it.
Here’s what actually needs to happen.
You are not “implementing ISO 27001”.
You are building a management system. That means:
If your goal is just to “get certified”, you’ll end up with bloated policies, disconnected controls and a system no one uses. That’s where most implementations go wrong.
This is the most important phase. Not the most exciting, but definitely the most important.
What is in scope?
A vague scope creates confusion later. A clear scope makes everything easier, including risk assessment, control selection and audits. Don’t rush this step.
ISO 27001 is built around protecting what matters. So you need to identify:
Not in a perfect, exhaustive way, but enough to understand what you’re protecting and where it lives.
Who owns:
If ownership is unclear now, it won’t magically fix itself later. This is where many implementations quietly fail.
At this point, you’re making a decision: Will you manage this across documents, spreadsheets and shared drives? Or will you use an integrated, holistic system?
This choice matters because it determines whether your ISMS becomes manageable or a constant source of friction.
Now you start putting structure around the system.
This is the engine of ISO 27001. You don’t need perfection. You need:
Focus on the real risks your business actually faces, not theoretical ones.
Based on your risks, determine:
This becomes your Statement of Applicability (SoA).
Don’t treat this as a tick-box exercise. This is where your system becomes real.
This is where most teams go off track. They try to write everything, cover every scenario and create “perfect” documentation.
Instead:
Policies should support the system. Not become the system.
Your people are part of the system. So:
If no one reads or understands your policies, they don’t exist.
This is where the shift happens. From building… to running.
This is where many teams fall behind. Evidence should not be collected at the end. It should be captured as work happens. This applies to activities like:
If you wait until audit time, you’ve already lost time.
ISO 27001 is not static. You need:
This is your compliance calendar. Without it, things drift.
Don’t wait for the audit. Start testing:
This is how you avoid surprises later.
What most people get wrong
Let’s be blunt. Most ISO 27001 implementations fail because they:
The result? A system that might pass an audit (just)… but doesn’t hold up in practice.
You don’t need to be finished. But you should have:
In other words: a system that exists and is starting to operate.
The first 90 days of ISO 27001 are not about speed. They’re about direction. If you build something that is structured, connected and aligned to how your business actually works, everything that follows becomes easier.
If you don’t, you’ll spend the rest of the project fixing it.
de.iterate helps organisations build and run ISO 27001 as a practical, connected system. From policies and risks through to evidence, audits and continuous assurance, everything sits in one place. So you’re not guessing what needs to happen next. You’re already doing it.
Book a demo to see how it works.