ISO 27001 (formerly BS7799) describes a six-stage process:
1) Define an information security policy
2) Define the scope of the information security management system (ISMS)
3) Perform a security risk assessment
4) Manage the identified risks
5) Select controls to be implemented and applied
6) Prepare an SoA (a "statement of applicability")