Well, I'd suggest you get a copy of the standard...
You should begin with a Needs and Risk Assessment - you will have some gaps to fill between what the standard requires and what you in place currently. You don't say so, but if your organization is already ISO 9001 compliant, you will have less gaps, since many aspects of the 28001 standard can be (partially) fulfilled by those 9001 systems.
The Needs and Risk assessment results can be used to complete a time line (GANTT chart) with clear responsibilities and deliverables.
The system needs to be 'designed' - what do your management want the various processes to 'look like as a system? How should the documentation be structured etc. The risks should be addressed in considering the processes, supply chain steps etc. The necessary documentation will have to be created, gathered up (where currently existing) and, where necessary, modified, approved etc.
The Implementation phase will require new processes to be started up, existing processes to be communicated, monitored etc. and ineffective processes to be improved. The risk assessment will require risks to be prioritized, assigned an owner, actions taken etc.
Then, a phase of internal audits and reviews will be required to look at the system for action - either correction or improvement.
This is a very basic set of phases that most management system implementations will (in my experience) go through.