ISO 27001 Consultancy
The certificate is a by-product. A working management system is the point. We build them with you, or we audit the one you have. Never both.
The standard your biggest customer will eventually ask for.
ISO 27001 is the international standard for information security management, and it usually arrives as a deadline: a tender that requires it, a customer questionnaire that assumes it, a market you cannot enter without it. Where Cyber Essentials certifies five technical controls, ISO 27001 certifies how your organisation runs security as a discipline: how you identify risk, decide what to do about it, do it, and prove it keeps happening year after year.
The consultancy industry has responded to that demand with template packs and portals: a hundred policies with your logo inserted, none of which describe how your business actually works. Those systems pass a stage one audit and then rot, because nobody inside the business understands them well enough to run them. We do the opposite. Fewer documents, written around your real operations, owned by your people. The audit becomes a description of what you already do, which is the only version of ISO 27001 worth paying for.
Where we come in.
Gap analysis and scoping
Every engagement starts with the truth. We assess where you stand against ISO 27001:2022: what you already have, what is missing, what can be reused, and what the certification scope should sensibly be. You get a ranked findings report and a realistic effort estimate, then you make the decision with real numbers. If ISO 27001 is the wrong move for your business right now, that goes in the report too.
Implementation support
Building the information security management system with you: a risk assessment method your team can actually repeat, a Statement of Applicability that reflects decisions rather than defaults, and controls and documentation shaped around how the business already operates. Your people run the system from day one, with us alongside. By the time an auditor arrives, they are describing their own work, not reciting ours.
Certification readiness
Before an accredited certification body will certify you, your system must have completed an internal audit and a management review, with evidence it genuinely operates. We deliver both, brief your team on exactly what the stage one and stage two audits involve, and stay with you through them, including turning findings into fixes rather than panic.
Independent internal audit
The standard requires internal audits by someone independent of the work being audited. In a thirty-person business, nobody qualifies. We become your internal audit function: a planned programme across the certification cycle, audits delivered against it, findings reported in a form your certification body will respect, and no more surveillance-week scrambles. Your management review gets something real to review.
Three lines we will not blur.
We do not certify ISO 27001
Nobody you hire as a consultant can. Certification is issued by accredited certification bodies after their own independent audit. We get you ready and stand beside you through it. A consultant who implies otherwise has told you everything you need to know about their other claims.
We build or we audit. Never both.
An internal audit of a system we implemented is not an audit, it is marking our own homework. If we build your management system, your internal audits come from someone else. If we audit, we did not build. The independence is the product.
No system that needs us forever
A management system only your consultant understands is a liability with a certificate attached. We build for handover: your people own the documents, run the reviews, and answer the auditor. If you want ongoing support afterwards, that is a choice, not a dependency.
When to consider ISO 27001.
ISO 27001 rarely arrives as a choice. It arrives as a condition: of a contract, a market, a partnership. The businesses that handle it well are the ones that size the job before the deadline does it for them. If you already hold Cyber Essentials, you have a genuine head start: several technical controls map straight across, and the discipline of certification is already familiar.
Related capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more