ISO 27001 & Compliance

ISO 27001:2022 ISMS Development and Implementation at BacBon Limited

April 25, 2026 · Duration: 12 Months

Project Summary

ISO 27001:2022 implementation was the core focus of my role in 2024, where I served as an ISMS Implementor at BacBon Limited, driving the complete development and deployment of a fully aligned Information Security Management System. I executed the full lifecycle — from gap analysis and risk assessment to drafting 20+ security policies, deploying Annex A controls, supporting internal/external audits, conducting management reviews, and delivering employee awareness training. The project resulted in a fully operational, audit‑ready ISMS framework that strengthened governance, risk management, and organizational security maturity.

Project Overview:

Organization: BacBon Limited
Location: Dhaka, Bangladesh
Year: 2024
Role: ISMS Implementor
Standard: ISO/IEC 27001:2022
Scope: Organization-wide Information Security Management System
Key Activities: Policy Development, Gap Analysis, IT Security Controls, Audit Support, Training

Scope of Work

The project covered five major workstreams across the organization’s information security posture:

  • Development of ~20 information security policies and procedures
  • Conducting a formal Gap Analysis against ISO 27001:2022 requirements
  • Implementing IT Security Controls mapped to Annex A
  • Assisting in Internal and External Audits
  • Supporting Management Reviews
  • Delivering 3 Internal Training sessions for employees

Phase 1 — Gap Analysis

The engagement began with a structured Gap Analysis to benchmark BacBon Limited’s existing security posture against all clauses of ISO 27001:2022 (Clauses 4–10) and the 93 controls of Annex A. Key activities included:

  • Reviewing existing documentation, processes, and IT infrastructure
  • Interviewing department heads and CXOs
  • Mapping current practices to ISO 27001:2022 requirements
  • Identifying non-conformities, partial conformities, and compliant areas
  • Producing a Gap Analysis Report with prioritized remediation recommendations

Gap Analysis Classification Framework used:

ISO 27001:2022 Gap Analysis — Conformity Rating Scale

C  = Conformant       (control fully implemented and evidenced)
PC = Partially Conformant  (control exists but incomplete or undocumented)
NC = Non-Conformant   (control absent or significantly deficient)
NA = Not Applicable   (control excluded with documented justification)

Sample Findings (anonymized):

Clause 6.1.2 — Information Security Risk Assessment   : PC
Clause 7.5   — Documented Information (Policies)      : NC
Clause 8.2   — Information Security Risk Treatment    : NC
Annex A 5.1  — Policies for Information Security      : NC
Annex A 8.8  — Management of Technical Vulnerabilities: PC
Annex A 6.3  — Information Security Awareness         : PC
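To show how the C / PC / NC / NA scale turns into a working remediation queue, here is an added example (not a tool from the BacBon engagement): a short Python script that holds the sample findings above, checks that every NA rating carries a documented justification, and orders the open items NC-first. The two rows marked constructed (A-5.9 and A-8.29) are my additions to exercise the C and NA paths and are not page findings; the function names are my own.

```python
"""Gap-analysis triage using the C / PC / NC / NA conformity scale.

Added example, not a tool from the BacBon engagement. The finding records
reproduce the page's sample findings plus two rows marked as constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Remediation urgency per rating; NA carries no urgency but needs a justification.
URGENCY = {"NC": 2, "PC": 1, "C": 0, "NA": 0}


@dataclass(frozen=True)
class Finding:
    ref: str                 # clause or Annex A reference, e.g. "Clause 7.5" or "A-8.8"
    title: str
    rating: str              # one of C, PC, NC, NA
    justification: str = ""  # mandatory for NA: an exclusion must be documented


FINDINGS = [
    Finding("Clause 6.1.2", "Information Security Risk Assessment", "PC"),
    Finding("Clause 7.5", "Documented Information (Policies)", "NC"),
    Finding("Clause 8.2", "Information Security Risk Treatment", "NC"),
    Finding("A-5.1", "Policies for Information Security", "NC"),
    Finding("A-8.8", "Management of Technical Vulnerabilities", "PC"),
    Finding("A-6.3", "Information Security Awareness", "PC"),
    # Constructed rows (not from the page) to exercise the C and NA paths:
    Finding("A-5.9", "Inventory of Information and Other Associated Assets", "C"),
    Finding("A-8.29", "Security Testing in Development", "NA",
            justification="No in-house software development in scope"),
]


def validate(findings):
    """Return a list of data-quality problems; an empty list means the register is usable."""
    problems = []
    for f in findings:
        if f.rating not in URGENCY:
            problems.append(f"{f.ref}: unknown rating {f.rating!r}")
        elif f.rating == "NA" and not f.justification.strip():
            problems.append(f"{f.ref}: NA rating without documented justification")
    return problems


def prioritize(findings):
    """NC items first, then PC; C and NA need no remediation.

    The sort is stable, so items with the same rating keep report order."""
    open_items = [f for f in findings if URGENCY[f.rating] > 0]
    return sorted(open_items, key=lambda f: -URGENCY[f.rating])


def conformity_summary(findings):
    """Counts per rating plus the conformance percentage over applicable items (NA excluded)."""
    counts = Counter(f.rating for f in findings)
    applicable = sum(v for k, v in counts.items() if k != "NA")
    pct = round(100 * counts["C"] / applicable, 1) if applicable else 0.0
    return {"counts": dict(counts), "applicable": applicable, "conformant_pct": pct}


if __name__ == "__main__":
    for p in validate(FINDINGS):
        print("DATA PROBLEM:", p)
    print(conformity_summary(FINDINGS))
    for f in prioritize(FINDINGS):
        print(f"[{f.rating}] {f.ref:<13} {f.title}")
```

The conformance percentage deliberately excludes NA items from the denominator, so a justified exclusion does not lower the score, while an NA without a justification is reported as a data problem rather than silently accepted.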

Phase 2 — Policy & Procedure Development

Following the Gap Analysis, approximately 20 information security policies and supporting procedures were drafted, reviewed, and approved through the management review process. Policies were structured to align with ISO 27001:2022 clause requirements and Annex A controls.

Policy Register — Sample:

Information Security Policy Register — BacBon Limited (2024)

#   Policy / Procedure Title                          Mapped To
-----------------------------------------------------------------
01  Information Security Policy (Master)              Clause 5.2
02  Acceptable Use Policy (AUP)                       A-5.10
03  Access Control Policy                             A-5.15, A-5.18
04  Password Management Policy                        A-5.17
05  Clear Desk & Clear Screen Policy                  A-7.7
06  Data Classification Policy                        A-5.12, A-5.13
07  Asset Management Policy                           A-5.9, A-5.10
08  Incident Management Policy & Procedure            A-5.24, A-5.26
09  Business Continuity & Disaster Recovery Policy    A-5.29, A-5.30
10  Change Management Policy                          A-8.32
11  Backup Policy                                     A-8.13
12  Network Security Policy                           A-8.20, A-8.21
13  Remote Work & Teleworking Policy                  A-6.7
14  Third-Party & Supplier Security Policy            A-5.19, A-5.20
15  Human Resources Security Policy                   A-6.1 – A-6.5
16  Physical & Environmental Security Policy          A-7.1 – A-7.14
17  Cryptography Policy                               A-8.24
18  Vulnerability Management Procedure                A-8.8
19  Risk Assessment & Treatment Procedure             Clause 6.1.2
20  Internal Audit Procedure                          Clause 9.2

Reference for Annex: https://www.isms.online/iso-27001/annex-a-2022/
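A check worth running once a register like this exists, added here as an example and not an artefact of the project: expand each "Mapped To" cell (single controls, comma lists and ranges such as A-6.1 – A-6.5) and compare the result against the 93 Annex A controls of ISO/IEC 27001:2022 (5.1–5.37, 6.1–6.8, 7.1–7.14, 8.1–8.34) to list the controls no policy references. Clause references are main-body requirements rather than Annex A controls and are skipped. The register rows are the twenty above with titles abbreviated; the script and its function names are my own.

```python
"""Annex A coverage check for a policy register (added example, not a BacBon artefact).

Expands each policy's "Mapped To" entry and reports which ISO/IEC 27001:2022
Annex A controls no approved policy references. Unmapped controls are candidates
for either a new policy or a documented exclusion in the Statement of Applicability.
"""
import re

# Annex A themes and control counts: 5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34 (93 total)
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}

# Policy register from the page; titles abbreviated, mapping strings as printed.
POLICY_REGISTER = {
    "Information Security Policy (Master)": "Clause 5.2",
    "Acceptable Use Policy (AUP)": "A-5.10",
    "Access Control Policy": "A-5.15, A-5.18",
    "Password Management Policy": "A-5.17",
    "Clear Desk & Clear Screen Policy": "A-7.7",
    "Data Classification Policy": "A-5.12, A-5.13",
    "Asset Management Policy": "A-5.9, A-5.10",
    "Incident Management Policy & Procedure": "A-5.24, A-5.26",
    "Business Continuity & DR Policy": "A-5.29, A-5.30",
    "Change Management Policy": "A-8.32",
    "Backup Policy": "A-8.13",
    "Network Security Policy": "A-8.20, A-8.21",
    "Remote Work & Teleworking Policy": "A-6.7",
    "Third-Party & Supplier Security Policy": "A-5.19, A-5.20",
    "Human Resources Security Policy": "A-6.1 – A-6.5",
    "Physical & Environmental Security Policy": "A-7.1 – A-7.14",
    "Cryptography Policy": "A-8.24",
    "Vulnerability Management Procedure": "A-8.8",
    "Risk Assessment & Treatment Procedure": "Clause 6.1.2",
    "Internal Audit Procedure": "Clause 9.2",
}

_SINGLE = re.compile(r"A-(\d)\.(\d+)")
# Range separator may be an en dash or a hyphen; the hyphen is last in the class so it is literal.
_RANGE = re.compile(r"A-(\d)\.(\d+)\s*[–-]\s*A-(\d)\.(\d+)")


def all_annex_a_controls():
    """All 93 control IDs in Annex A order."""
    return [f"A-{t}.{n}" for t, count in ANNEX_A_THEMES.items() for n in range(1, count + 1)]


def expand_mapping(mapped: str) -> set:
    """Turn a 'Mapped To' cell into the set of Annex A control IDs it covers.

    Clause references are ignored (they are not Annex A). Malformed entries raise
    so a typo in the register surfaces instead of silently shrinking coverage."""
    controls = set()
    for part in (p.strip() for p in mapped.split(",")):
        if part.startswith("Clause "):
            continue
        m = _RANGE.fullmatch(part)
        if m:
            t1, lo, t2, hi = map(int, m.groups())
            if t1 != t2 or lo > hi:
                raise ValueError(f"bad range: {part!r}")
            controls.update(f"A-{t1}.{n}" for n in range(lo, hi + 1))
            continue
        if not _SINGLE.fullmatch(part):
            raise ValueError(f"unrecognised mapping: {part!r}")
        controls.add(part)
    unknown = controls - set(all_annex_a_controls())
    if unknown:
        raise ValueError(f"not Annex A 2022 controls: {sorted(unknown)}")
    return controls


def coverage_report(register: dict):
    """Return (covered, unmapped) control IDs, each as a list in Annex A order."""
    covered = set()
    for mapping in register.values():
        covered |= expand_mapping(mapping)
    order = all_annex_a_controls()
    return [c for c in order if c in covered], [c for c in order if c not in covered]


if __name__ == "__main__":
    covered, unmapped = coverage_report(POLICY_REGISTER)
    print(f"{len(covered)} of {len(all_annex_a_controls())} Annex A controls are referenced by a policy")
    print("Unmapped (needs a policy or an SoA exclusion):", ", ".join(unmapped))
```

On the register as printed, 39 of the 93 controls are referenced by at least one policy; the remaining 54 are the list to walk through with control owners, deciding for each whether an existing policy should cite it or whether it is excluded with justification in the Statement of Applicability.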

Phase 3 — IT Security Controls Implementation

With policies approved, IT security controls were implemented across people, process, and technology dimensions, mapped directly to ISO 27001:2022 Annex A control categories:

5 — Organizational Controls:

  • Defined roles and responsibilities for information security (IT Security, asset owners, users)
  • Established a formal risk assessment and treatment process
  • Created an Information Security Risk Register

6 — People Controls:

  • Enforced background verification requirements for new hires
  • Implemented security clauses in employment contracts and NDAs
  • Conducted 4 rounds of employee security awareness training

7 — Physical Controls:

  • Reviewed and documented physical access controls for server room and sensitive areas
  • Enforced the clear desk / clear screen policy

8 — Technological Controls:

  • Reviewed user access rights and implemented least-privilege access
  • Enabled audit logging on critical systems
  • Established a vulnerability management process
  • Reviewed backup procedures and tested recovery

Phase 4 — Internal Training

Four internal training sessions were delivered to employees across departments to build a security-aware culture — a mandatory requirement under ISO 27001:2022 Clause 7.3 (Awareness).

Training Log:

Internal ISMS Training Sessions — BacBon Limited (2024)

Session  Topic                                      Audience           Format
-------------------------------------------------------------------------------------------
#1       Introduction to ISO 27001 & ISMS           All Staff          Presentation
#2       Information Security Policies & AUP        All Staff          Workshop
#3       Phishing Awareness & Social Engineering    All Staff          Simulation + Debrief
#4       Incident Reporting & Response Procedure    IT & Dept. Heads   Tabletop Exercise

Phase 5 — Internal & External Audit Support

A key responsibility was facilitating the internal audit and supporting the external certification audit process.

Internal Audit:

  • Developed the Internal Audit Plan and Schedule per Clause 9.2
  • Prepared audit checklists mapped to all ISO 27001:2022 clauses
  • Coordinated interviews and evidence collection across departments
  • Compiled Non-Conformity Reports (NCRs) and Observations
  • Tracked corrective actions through to closure

Management Review:

  • Prepared Management Review inputs as required by Clause 9.3 (audit results, risk status, KPIs, incidents)
  • Documented Management Review minutes and outputs including resource decisions and improvement actions

External Audit Support:

  • Organized and presented evidence packages for Stage 1 (Documentation Review) and Stage 2 (Compliance Audit)
  • Acted as point of contact for auditor queries
  • Coordinated real-time evidence retrieval during audit sessions

Challenges & Solutions

Challenge: Employee resistance to new security policies
Solution:  Tailored awareness sessions with real-world examples; management endorsement communicated top-down

Challenge: Lack of documented processes across departments
Solution:  Conducted process discovery interviews; drafted SOPs collaboratively with department owners

Challenge: Incomplete asset inventory
Solution:  Led asset discovery exercise; created and maintained a formal Asset Register

Challenge: Evidence gaps identified pre-audit
Solution:  Implemented a 4-week evidence remediation sprint before Stage 2 audit

Challenge: Multiple stakeholders with conflicting priorities
Solution:  Established a weekly ISMS Steering Committee update to align stakeholders

Outcome & Impact

  • ✅ ~20 information security policies and procedures developed and approved
  • ✅ Full Gap Analysis completed with prioritized remediation roadmap
  • ✅ IT Security Controls implemented across Annex A domains
  • ✅ 4 employee training sessions conducted organization-wide
  • ✅ Internal Audit completed with NCRs tracked and closed
  • ✅ Management Review meetings facilitated and documented
  • ✅ External audit support delivered — organization progressed toward ISO 27001:2022 certification
  • ✅ Established a repeatable, sustainable ISMS framework for ongoing compliance

Key Takeaways

This project reinforced that ISO 27001 implementation is fundamentally a people and process challenge as much as a technical one. Sustainable ISMS adoption requires visible management commitment, clear ownership of controls, and continuous awareness — not just documentation. Building the Risk Register and conducting the Gap Analysis from scratch provided deep hands-on exposure to the full clause structure of ISO 27001:2022 and the practical realities of translating a standard into an operational framework.


Interested in ISO 27001 Implementation or Compliance Consulting?

Network Security Design · Firewall Engineering · Multi-Site WAN · VPN & Tunneling · ISO 27001 Implementation

I bring hands-on experience building ISMS frameworks from the ground up — gap analysis, policy development, control implementation, and audit readiness. Reach out to discuss your compliance journey.

Firewall Design & Policy Hardening (Sophos, Fortinet, pfSense)
Site-to-Site VPN & GRE Tunnel Deployment
WAN Redundancy & Failover Architecture
Network Segmentation & VLAN Design
Security Audit & Traffic Analysis (Wireshark, tcpdump)
Network Documentation & Handover
ISO 27001 Implementation & Compliance Consulting

Have a project in mind? Reach out and let’s discuss your network security needs.

Tags: annex-a audit bacbon compliance gap-analysis information-security internal-audit isms iso27001 policies risk-assessment security-awareness