Chapter 8. Documentation

Your risk assessment determines the controls that have to be deployed in your ISMS, and your Statement of Applicability identifies the controls that you are deploying in the light of your approach to risk management. Every one of those controls, together with your approach to identifying and managing risk, your management structure, your decision-making processes and every other component of your information security management system, has to be documented: as a point of reference, as the basis for ensuring consistent application over time, and to enable continuous improvement.

Documentation will be the most time-consuming part of the total project and, therefore, how you decide to tackle this aspect will be ...
