ISO 27001 is the international standard for information security management. It provides a framework for protecting your organisation’s information assets systematically.

What ISO 27001 actually involves

At its core, ISO 27001 requires you to:

  • Identify your information assets and understand their value
  • Assess the risks to those assets
  • Implement appropriate controls to manage those risks
  • Monitor and improve your security posture over time

The standard doesn’t prescribe specific technologies or solutions. Instead, it asks you to think systematically about security and make informed decisions appropriate to your context.

Who needs ISO 27001

ISO 27001 certification is increasingly expected by:

  • Enterprise customers who need assurance about your security practices
  • Public sector bodies as a tender prerequisite
  • Investors and acquirers during due diligence
  • Regulators in certain sectors
  • Cyber insurers as a condition of coverage

Even without external pressure, the framework provides a sensible structure for managing information security.

How we can help

Gap analysis

If you’re unsure where you stand, we’ll assess your current controls against ISO 27001 requirements and give you a clear picture of what’s needed.

Implementation support

We’ll work with you to build an Information Security Management System (ISMS) that makes sense for your organisation. This includes:

  • Scope definition
  • Risk assessment methodology
  • Policy and procedure development
  • Control implementation guidance
  • Staff awareness support

Certification preparation

When you’re ready for certification, we’ll help ensure you’re properly prepared:

  • Internal audit support
  • Management review facilitation
  • Audit readiness assessment
  • Auditor liaison if needed

Ongoing maintenance

After certification, we can provide surveillance audit preparation and continuous improvement support.

What to expect

Most first-time implementations take 6-12 months, depending on your starting point and available resources. We’ll give you a realistic timeline based on your specific situation.

The investment depends on your organisation’s size and complexity. We’ll provide a clear proposal after understanding your requirements.

Common questions

How long does ISO 27001 implementation take?

Most first-time implementations take 6-12 months, depending on your starting point, organisation size, and available resources. We'll give you a realistic timeline based on your specific situation after an initial gap assessment.

How much does ISO 27001 certification cost?

Costs fall into two buckets: implementation effort (consultancy, internal time, any required tooling) and certification body fees (the initial audits, plus surveillance audits across the three-year cycle). The total depends heavily on your organisation's size, scope, and how much of the work you do internally versus outsource. We'll provide a clear proposal once we understand your scope.

Do we need to implement all 93 controls?

No. You implement the controls that are relevant to your identified risks. The Statement of Applicability documents which controls you've selected and why. Some controls may be excluded with justification.

What's the difference between ISO 27001 and SOC 2?

ISO 27001 is an international standard focused on establishing an Information Security Management System with formal certification. SOC 2 is a US-originated attestation report based on the AICPA Trust Services Criteria. ISO 27001 is more common in Europe; SOC 2 is more common for US-based SaaS. Many organisations pursue both if they serve both markets.

Can we implement ISO 27001 without a consultant?

Yes, many organisations do. Consultancy support is particularly valuable if you're time-constrained, want to avoid common pitfalls, need external perspective on your risk assessment, or are under pressure to achieve certification quickly.

How long does certification last?

Three years, with annual surveillance audits in years two and three. You'll need to demonstrate ongoing compliance throughout, and a full recertification audit happens at the end of the three-year cycle.

Which certification body should we use?

Any UKAS-accredited (or equivalent national accreditation body) certification body. We can discuss the options based on your sector and geography, but the choice is yours; we have no affiliations.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.