ISO 27001 implementation: turn security into audited trust.
We build your ISMS with a technical, operational approach: gap analysis, risk assessment, SoA, internal audit, and certification support—leaving you “audit-ready” with clear evidence and ownership.
Approach
Control + evidence + technical execution
Deliverables
SoA, risks, internal audit, backlog
Outcome
Audit-ready ISMS for certification
ISO 27001 isn’t “documentation”—it’s security operations.
Certification requires a living system: risk decisions, implemented controls and repeatable evidence. We combine consulting with technical delivery so your ISMS doesn’t stay on paper.
Certification without friction
A phased delivery with auditable outputs. We reduce iteration cycles and the typical ISMS bottlenecks.
Technical + governance approach
Not just “paper”: we implement controls in IAM, logging, hardening, M365, backups, suppliers and SDLC.
Alignment with NIS2 / DORA / ENS
We map ISMS evidence to regulatory obligations to reduce duplication and accelerate audits.
ISO 27001 implementation process
Clear phases to reach certification with evidence, ownership, and closure.
Scope, context & objectives
Define perimeter, processes, sites, critical suppliers and audit criteria.
Gap analysis (ISO 27001:2022)
Clause and Annex A gaps, quick wins and a prioritized backlog.
Risks + SoA
Risk model, treatment, and SoA with evidence and accountable owners.
Technical & operational implementation
Real controls: IAM/MFA, hardening, logging, backups, DR, SDLC, suppliers.
Internal audit & closure
Execution, nonconformities and corrective actions with re-evidence.
Certification
Support in Stage 1/Stage 2 and stabilization of the continuous improvement cycle.
Annex A (ISO 27001:2022): 4 domains
We structure delivery by domains so the ISMS is implementable and auditable.
Organizational (37 controls)
Policies, third parties, asset management, cloud security and governance.
People (8 controls)
Lifecycle, awareness, roles, confidentiality and access.
Physical (14 controls)
Perimeters, facilities, equipment and media protection.
Technological (34 controls)
Identity, crypto, hardening, vulnerabilities, logging and secure development.
Deliverables that close audits
ISO 27001 is won with evidence: risks, SoA, operational control and internal audit. We leave you with a maintainable ISMS, backlog and owners to sustain continual improvement.
Gap analysis + project plan
Baseline assessment, risks, control gaps and a phased roadmap.
Complete ISMS set (policies + procedures)
Minimum viable documentation that is operational and tailored to your business.
Risk assessment & treatment
Method, risk register, treatment plans and acceptance.
SoA (Statement of Applicability)
Applicability, justifications, evidence and audit traceability.
Internal audit + corrective action plan
Nonconformities, observations and closure plan with owners.
Certification support
Preparation, evidence review and support through the external certification audit.
Frequently asked questions
How long does ISO 27001 certification usually take?
It depends on maturity and scope. A typical project runs 3–6 months for implementation, plus internal audit and then certification. We tailor the plan based on scope, number of sites, and criticality.
What’s the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision updates the control set and reorganizes Annex A to reflect modern practices (e.g., cloud security and configuration management) and clearer operational language.
What is the SoA (Statement of Applicability)?
It’s the document that states which Annex A controls apply, how they are implemented, and why any are excluded. It is central to audit traceability.
Do you include an ISO 27001 internal audit?
Yes. We run a full internal audit (checklists, evidence review, nonconformities and corrective action plan) and leave the ISMS in an audit-ready state.
Can ISO 27001 be certified for cloud environments (AWS/Azure/GCP)?
Yes—this is common. We define the ISMS scope and translate controls into cloud practices (IAM, logging, hardening, configuration, encryption, resilience, third parties) with verifiable evidence.
Can you support tenders and supplier due diligence?
Yes. We prepare reusable evidence packs and response templates for security questionnaires, due diligence, and third-party requirements, and we support the certification audit itself.
Ready to certify ISO 27001?
Get a phased plan, auditable evidence and support through certification.