ISO 27001 – Cloud IT Manager

Information Security You Can Prove.

ISO 27001 is the international standard for Information Security Management. It gives your organisation a systematic, risk-based approach to protecting information — and a certificate that proves you mean it to the people who need to know.

[Illustrative ISMS compliance dashboard: 87% controls met, 11 open actions, 93 Annex A items. Annex A control domain compliance: Access Control 94%, Cryptography 100%, Incident Management 72%, Supplier Relationships 65%, Business Continuity 40%, Physical Security 88%.]

What Is It

A system for managing information security risk.

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a framework for identifying information security risks and putting controls in place to manage them — systematically, proportionately, and with evidence.

Unlike a technical checklist, ISO 27001 is risk-led. You start by understanding what information assets you hold, what could go wrong, and how bad that would be — then build controls that address the risks that actually matter to your organisation.

Certification demonstrates to clients, partners, regulators, and procurement teams that your information security isn't just claimed — it's independently verified.

70K+ Certified Organisations
The most widely recognised information security management standard globally.

2022 Latest Version
ISO 27001:2022 updated the Annex A controls — now 93 controls across 4 themes.

93 Annex A Controls
Organised across Organisational, People, Physical, and Technological themes.

3yr Certification Cycle
Initial cert, annual surveillance audits, and full recertification every three years.

Risk-Based Thinking

Not every risk needs the same response.

At the heart of ISO 27001 is a risk assessment. You identify what could go wrong, estimate the likelihood and impact, and decide how to respond — using four treatment options:

  • Treat — put controls in place to reduce the risk to an acceptable level.
  • Tolerate — accept it if it falls within appetite.
  • Transfer — shift it via insurance or contract.
  • Terminate — stop the activity that creates the risk.

This means your ISMS is proportionate to your actual risk profile — not a one-size-fits-all set of controls applied regardless of relevance.

Risk Matrix — Likelihood vs Impact (ISO 27001 Risk Assessment)

Likelihood \ Impact   Low      Medium   High      Critical
High                  Medium   High     Critical  Critical
Medium                Low      Medium   High      Critical
Low                   Low      Low      Medium    High
Very Low              Low      Low      Low       Medium

Legend: Tolerate · Treat/Transfer · Treat/Terminate
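The scoring and treatment logic described above, as an added worked example (not code from the page or the consultancy it describes): it encodes the page's likelihood-by-impact matrix, scores a constructed risk register against it, sorts the register most severe first, and re-scores a risk after a control has lowered its likelihood so you can check whether the residual risk is back within appetite. The mapping from rating to treatment option (within appetite tolerated, Medium to treat/transfer, High and Critical to treat/terminate) and the sample assets and scenarios are assumptions, not taken from the page.

```python
"""Score information security risks against a likelihood x impact matrix."""
from dataclasses import dataclass
from typing import List, Optional

# Axis labels in ascending order of severity, as drawn on the page's matrix.
LIKELIHOOD_LEVELS = ("Very Low", "Low", "Medium", "High")
IMPACT_LEVELS = ("Low", "Medium", "High", "Critical")
RATING_ORDER = ("Low", "Medium", "High", "Critical")

# One row per likelihood, one column per impact (column order = IMPACT_LEVELS).
RISK_MATRIX = {
    "High":     ("Medium", "High",   "Critical", "Critical"),
    "Medium":   ("Low",    "Medium", "High",     "Critical"),
    "Low":      ("Low",    "Low",    "Medium",   "High"),
    "Very Low": ("Low",    "Low",    "Low",      "Medium"),
}


def rate_risk(likelihood: str, impact: str) -> str:
    """Look up the risk rating; reject labels that are not on either axis."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_MATRIX[likelihood][IMPACT_LEVELS.index(impact)]


def within_appetite(rating: str, appetite: str) -> bool:
    """True when the rating is no more severe than the appetite ceiling."""
    return RATING_ORDER.index(rating) <= RATING_ORDER.index(appetite)


def treatment_for(rating: str, appetite: str = "Low") -> str:
    """Map a rating to one of the four treatment options.

    Assumption (not stated on the page): anything within appetite is tolerated,
    Medium goes to treat/transfer, High and Critical go to treat/terminate.
    """
    if within_appetite(rating, appetite):
        return "Tolerate"
    if rating == "Medium":
        return "Treat/Transfer"
    return "Treat/Terminate"


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str


def build_register(risks: List[Risk], appetite: str = "Low") -> List[dict]:
    """Score every risk and return the register sorted most severe first."""
    rows = []
    for r in risks:
        rating = rate_risk(r.likelihood, r.impact)
        rows.append({
            "asset": r.asset,
            "scenario": r.scenario,
            "rating": rating,
            "treatment": treatment_for(rating, appetite),
        })
    # Stable sort keeps the original order among equally rated risks.
    rows.sort(key=lambda row: RATING_ORDER.index(row["rating"]), reverse=True)
    return rows


def residual_rating(risk: Risk, new_likelihood: str,
                    new_impact: Optional[str] = None) -> str:
    """Re-score a risk after a control has changed its likelihood (and optionally impact)."""
    return rate_risk(new_likelihood, new_impact or risk.impact)


# Constructed sample register; assets and scenarios are illustrative only.
SAMPLE_RISKS = [
    Risk("Customer database", "Credential stuffing against admin portal", "High", "Critical"),
    Risk("Office laptops", "Device lost in transit, disk unencrypted", "Medium", "High"),
    Risk("Marketing website", "Defacement of static content", "Medium", "Low"),
    Risk("Backup tapes", "Media degraded in storage", "Very Low", "High"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rating']:<9} {row['treatment']:<16} {row['asset']}: {row['scenario']}")
    # Hypothetical control (MFA on the portal) drops likelihood High -> Low;
    # residual is still High against a Low appetite, so treatment continues.
    residual = residual_rating(SAMPLE_RISKS[0], "Low")
    print("residual:", residual, "within appetite:", within_appetite(residual, "Low"))
```

The register shows why the page says the ISMS is proportionate rather than one-size-fits-all: the same matrix tolerates the defaced marketing site while sending the customer database to the top of the treatment plan, and re-scoring after a control tells you whether the residual risk has actually reached an acceptable level or whether more treatment (or a decision to transfer or terminate) is still needed.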

Annex A Controls

93 controls across 4 themes

ISO 27001:2022 organises its controls into four themes. You don't have to implement all of them — your Statement of Applicability documents which apply to your organisation and why.

Setting the Record Straight

ISO 27001 misconceptions

Heard these before? Here's what's actually true.

"We're too small to need ISO 27001"

Size is irrelevant — risk isn't. Small organisations can hold highly sensitive data. And increasingly, clients and procurement processes require it regardless of company size.

"We just need to implement all 93 controls"

No — the standard is risk-based, not prescriptive. Your Statement of Applicability documents which controls apply and why. Some may not be relevant to your organisation at all.

"ISO 27001 will make us secure"

Certification demonstrates a management system, not perfect security. Done well, it significantly reduces risk and improves your security posture — but no standard eliminates risk entirely.

"It takes years and costs a fortune"

Most SMEs achieve certification within 6–12 months. Timeline and cost depend heavily on your starting point and the scope you define — proportionate support makes a significant difference.

What We Do

How we support your ISO 27001 journey

End-to-end support — from initial gap analysis through to certification and ongoing compliance.

Gap Analysis

We assess your current security controls, policies, and practices against the ISO 27001 requirements — producing a clear picture of where you stand and what needs to change.

Risk Assessment & Treatment

We help you build a risk assessment methodology, identify and score your information security risks, and develop a risk treatment plan that's proportionate and defensible.

ISMS Design & Build

We design an Information Security Management System that fits your organisation — scope, policies, procedures, and controls built around your actual risk profile.

Statement of Applicability

We produce your SoA — documenting which Annex A controls apply, why, and how they're implemented. A core certification requirement, done properly.

Internal Audit & Review

We conduct internal audits against all applicable clauses and controls — identifying non-conformances and improvement opportunities before your certification audit.

Ongoing Compliance Support

Post-certification support including surveillance audit preparation, continual improvement, and keeping your ISMS aligned as your organisation and threat landscape evolve.

Our Approach

From gap analysis to certified ISMS

A structured remote engagement — at a pace that fits your organisation, not a generic consultancy schedule.

01. Gap Analysis & Scoping

We start by understanding your organisation, your information assets, and your current security posture — then assess where you stand against ISO 27001's requirements.

  • Review of existing policies, controls, and security practices
  • Clause-by-clause and Annex A gap assessment with findings report
  • ISMS scope definition — what's in, what's out, and why

02. Risk Assessment & Treatment

We build your risk assessment methodology and work through your information security risks — producing a risk register and treatment plan that forms the foundation of your ISMS.

  • Risk assessment methodology and criteria
  • Asset-based risk identification, scoring, and prioritisation
  • Risk treatment plan and Statement of Applicability (SoA)

03. ISMS Build & Documentation

We design and build the ISMS — policies, procedures, controls, and records — proportionate to your scope and risk profile, and structured for practical use rather than audit theatre.

  • Information security policies and supporting procedures
  • Control implementation across applicable Annex A domains
  • Awareness, roles, responsibilities, and management review structure

04. Internal Audit & Certification

We run a full internal audit against all applicable clauses and controls, resolve any non-conformances, and prepare you for the certification body's Stage 1 and Stage 2 audits.

  • Internal audit against ISO 27001:2022 requirements
  • Corrective action support and pre-audit readiness review
  • Support during certification body Stage 1 and Stage 2 audits

05. Ongoing Compliance & Improvement

Certification is the beginning. We continue to support you through surveillance audits, continual improvement, and keeping your ISMS effective as your organisation evolves.

  • Surveillance audit preparation and management review support
  • Continual improvement tracking and ISMS updates
  • Threat landscape monitoring and control relevance reviews

What You Get

Beyond the certification audit

The real value of ISO 27001 isn't the certificate — it's what the process builds inside your organisation.

Independently Verified Security

A certificate that demonstrates your security posture has been assessed by an accredited third party — not just self-declared.

Procurement & Tender Access

Required by many public sector bodies and enterprise procurement processes — certification removes a blocker that's costing you business.

Reduced Breach Risk

Systematic risk assessment and treatment means known risks are addressed before they become incidents — not discovered afterwards.

Faster Customer Due Diligence

Security questionnaires become faster to answer. Clients trust the certificate rather than requiring bespoke assurance on every engagement.

Clear Roles & Accountability

Information security responsibilities are defined, documented, and owned — not informally assumed by whoever happens to care most.

A Foundation to Build On

ISO 27001 shares structure with ISO 9001, NIS2, and DORA — achieving it makes subsequent compliance requirements significantly easier.

"Security by assertion isn't good enough anymore. ISO 27001 is how you prove it — not just say it."

Ready to make security provable?

Whether you're working towards your first certification or bringing an existing ISMS up to the 2022 standard, we'll help you build something that works — not just something that passes an audit.
