Compliance · Service 07

ISO 27001 Consultancy

The certificate is a by-product. A working management system is the point. We build them with you, or we audit the one you have. Never both.

What this is

The standard your biggest customer will eventually ask for.

ISO 27001 is the international standard for information security management, and it usually arrives as a deadline: a tender that requires it, a customer questionnaire that assumes it, a market you cannot enter without it. Where Cyber Essentials certifies five technical controls, ISO 27001 certifies how your organisation runs security as a discipline: how you identify risk, decide what to do about it, do it, and prove it keeps happening year after year.

The consultancy industry has responded to that demand with template packs and portals: a hundred policies with your logo inserted, none of which describe how your business actually works. Those systems pass a stage one audit and then rot, because nobody inside the business understands them well enough to run them. We do the opposite. Fewer documents, written around your real operations, owned by your people. The audit becomes a description of what you already do, which is the only version of ISO 27001 worth paying for.

Engagements

Where we come in.

01

Gap analysis and scoping

Every engagement starts with the truth. We assess where you stand against ISO 27001:2022: what you already have, what is missing, what can be reused, and what the certification scope should sensibly be. You get a ranked findings report and a realistic effort estimate, then you make the decision with real numbers. If ISO 27001 is the wrong move for your business right now, that goes in the report too.

Ranked findings, not a sales documentRealistic effort estimateSensible scope recommendation
02

Implementation support

Building the information security management system with you: a risk assessment method your team can actually repeat, a Statement of Applicability that reflects decisions rather than defaults, and controls and documentation shaped around how the business already operates. Your people run the system from day one, with us alongside. By the time an auditor arrives, they are describing their own work, not reciting ours.

Risk method your team can repeatStatement of Applicability that means somethingRun by your people from day one
03

Certification readiness

Before an accredited certification body will certify you, your system must have completed an internal audit and a management review, with evidence it genuinely operates. We deliver both, brief your team on exactly what the stage one and stage two audits involve, and stay with you through them, including turning findings into fixes rather than panic.

Internal audit and management reviewStage one and stage two supportFindings turned into fixes
04

Independent internal audit

The standard requires internal audits by someone independent of the work being audited. In a thirty-person business, nobody qualifies. We become your internal audit function: a planned programme across the certification cycle, audits delivered against it, findings reported in a form your certification body will respect, and no more surveillance-week scrambles. Your management review gets something real to review.

Planned programme, not an annual scrambleFindings your assessor will respectSurveillance and recertification ready
The honest bit

Three lines we will not blur.

i

We do not certify ISO 27001

Nobody you hire as a consultant can. Certification is issued by accredited certification bodies after their own independent audit. We get you ready and stand beside you through it. A consultant who implies otherwise has told you everything you need to know about their other claims.

ii

We build or we audit. Never both.

An internal audit of a system we implemented is not an audit, it is marking our own homework. If we build your management system, your internal audits come from someone else. If we audit, we did not build. The independence is the product.

iii

No system that needs us forever

A management system only your consultant understands is a liability with a certificate attached. We build for handover: your people own the documents, run the reviews, and answer the auditor. If you want ongoing support afterwards, that is a choice, not a dependency.

Is this right for you?

When to consider ISO 27001.

ISO 27001 rarely arrives as a choice. It arrives as a condition: of a contract, a market, a partnership. The businesses that handle it well are the ones that size the job before the deadline does it for them. If you already hold Cyber Essentials, you have a genuine head start: several technical controls map straight across, and the discipline of certification is already familiar.

Common triggers

  • A tender or major customer requires ISO 27001, and there is a date attached
  • You hold Cyber Essentials and your market now expects the next level
  • You are certified but nobody independent is running your internal audits
  • The system has drifted since certification and surveillance is approaching
  • You want the real size of the job before committing budget to anyone, including us