ISO 27001 is the international standard for information security management. It provides a framework for protecting your organisation’s information assets systematically.

What ISO 27001 actually involves

At its core, ISO 27001 requires you to:

  • Identify your information assets and understand their value
  • Assess the risks to those assets
  • Implement appropriate controls to manage those risks
  • Monitor and improve your security posture over time

The standard doesn’t prescribe specific technologies or solutions. Instead, it asks you to think systematically about security and make informed decisions appropriate to your context.

Who needs ISO 27001

ISO 27001 certification is increasingly expected by:

  • Enterprise customers who need assurance about your security practices
  • Public sector bodies as a tender prerequisite
  • Investors and acquirers during due diligence
  • Regulators in certain sectors
  • Cyber insurers as a condition of coverage

Even without external pressure, the framework provides a sensible structure for managing information security.

How I can help

Gap analysis

If you’re unsure where you stand, I’ll assess your current controls against ISO 27001 requirements and give you a clear picture of what’s needed.

Implementation support

I’ll work with you to build an Information Security Management System (ISMS) that makes sense for your organisation. This includes:

  • Scope definition
  • Risk assessment methodology
  • Policy and procedure development
  • Control implementation guidance
  • Staff awareness support

Certification preparation

When you’re ready for certification, I’ll help ensure you’re properly prepared:

  • Internal audit support
  • Management review facilitation
  • Audit readiness assessment
  • Auditor liaison if needed

Ongoing maintenance

After certification, I can provide surveillance audit preparation and continuous improvement support.

What to expect

Most first-time implementations take 6-12 months, depending on your starting point and available resources. I’ll give you a realistic timeline based on your specific situation.

The investment depends on your organisation’s size and complexity. I’ll provide a clear proposal after understanding your requirements.

Common questions

Do we need to implement all 93 controls? No. You implement the controls that are relevant to your identified risks. The Statement of Applicability documents which controls you’ve selected and why.

Can we do this ourselves? Yes, many organisations do. Consultancy support is particularly valuable if you’re time-constrained, want to avoid common pitfalls, or need external perspective.

How long does certification last? Three years, with annual surveillance audits. You’ll need to demonstrate ongoing compliance throughout.

Which certification body should we use? Any UKAS-accredited (or equivalent) certification body. I can discuss the options, but the choice is yours—I have no affiliations.

Ready to discuss your requirements?

Let's have a conversation about how I can help your organisation.