ISO 27001 implementation

An ISO 27001 certificate your buyers actually trust.

We build the Information Security Management System the way your engineering team can run it — a real risk register, a defensible Statement of Applicability, and Annex A controls embedded in the tools you already use.

  • Risk methodology that reflects what your business actually does.
  • Annex A controls implemented — not photocopied from a template.
  • Internal audit, management review, certification body intro — covered.
  • ISO 27001:2022
  • Annex A 93 controls
  • EU accredited bodies
  • Stage 1 + Stage 2 support

When this is for you

Four signals you need ISO 27001 now.

  • Your EU pipeline keeps asking "ISO 27001 — yes or no?"

    Public-sector procurement, large EU enterprises, and regulated buyers in pharma, finance and energy will not advance past security review without it. Each deal stalls until the answer is "yes"; otherwise you lose the slot.

  • You hold a SOC 2 report and EU buyers want a certificate, not an attestation.

    SOC 2 lands in the US; ISO 27001 lands in the EU. We extend the existing programme rather than rebuild it — most of the underlying controls already overlap.

  • An RFP just landed with "ISO 27001 certified or in implementation".

    "In implementation" only works if you can show the artefacts: risk register, SoA, control owners, internal audit plan. We get you to a defensible posture in weeks, not quarters.

  • You inherited a paper-only ISMS from a previous certification attempt.

    Policies in a folder, controls nobody operates, an internal audit that never happened. We re-baseline against the 2022 revision and rebuild what is actually used.

The engagement

Four phases. Mapped to the audit, not to a brochure.

Every phase has a defined output an auditor recognises by name. No vague workstreams, no rolling scope.

  1. ISMS scoping & risk methodology (2–3 weeks)

    We define the ISMS boundary, the risk methodology, and the asset model. Outputs: scope statement, risk methodology document, initial risk register populated against your actual systems — not a generic template.

  2. Statement of Applicability & control design (4–6 weeks)

    Each of the 93 Annex A controls assessed: applicable / not applicable, justification, implementation owner, evidence source. Policies written against the SoA, not the other way round. Technical controls implemented in your stack.

  3. Operate, internal audit, management review (6–10 weeks)

    The ISMS runs for a full operating cycle. We deliver the internal audit, the management review meeting and the corrective-action register the certification body needs to see.

  4. Stage 1 + Stage 2 audit handover (4–8 weeks)

    We introduce two or three accredited certification bodies (UKAS, RvA, ANAB), support the kickoff, sit in the walkthroughs, and stay engaged through the audit window so findings are answered the same day.

Outcomes

What you'll have at certification.

01. A risk register that reflects reality

Not a top-10 generic-threats list. A live register tied to your assets, your customers and your roadmap — usable as a board document, not a compliance artefact.

02. A Statement of Applicability auditors recognise

Every control with a justified inclusion or exclusion, an owner and an evidence source. The artefact the certification body opens first and the one most implementations get wrong.

03. An ISMS your team actually operates

Access reviews, supplier reviews, internal audit, management review — running on a documented cadence in the tools you already use. No parallel paper trail.

04. A defensible certification path

A clean Stage 1 / Stage 2 with no surprise non-conformities — and a programme designed to extend into SOC 2, NIS2 and GDPR without a rebuild.

From the practice

"ISO 27001 fails when the team treats the Statement of Applicability as paperwork. Treat it as the load-bearing document — the one document everything else hangs from — and the rest of the implementation has somewhere to go."

— Adam Gresh, Purple Dragon Cybersecurity

Frequently asked

Common questions, direct answers.

Why ISO 27001 instead of (or alongside) SOC 2?

European procurement still treats ISO 27001 as the default. Public-sector tenders and most large EU enterprises require it; some sectors (pharma, finance, telco) will not accept SOC 2 alone. If you sell in the EU, ISO 27001 is the answer to "which certification do you have?"

How long does ISO 27001 implementation take?

4–6 months for the implementation work — risk methodology, Statement of Applicability, controls, internal audit. The Stage 1 audit can follow immediately; Stage 2 is typically 4–8 weeks after that. Plan on 6–9 months from kickoff to certificate for a clean run.

Will this conflict with our SOC 2 work?

No. ISO 27001 and SOC 2 share roughly 80% of the underlying controls. We design the programme once with both attestations in mind, then map the same evidence into both report shapes. The marginal cost of the second one is small if the first is built right.

Do you handle the certification audit?

No — the certification body must be independent. We introduce you to UKAS / RvA / ANAB-accredited bodies that work at your scale, sit in the kickoff, and stay engaged through Stage 1 and Stage 2 so questions get answered the same day.

What is the Statement of Applicability and why is everyone afraid of it?

The SoA is the document that says "for each of the 93 Annex A controls, here is whether we apply it, why, and how." Done badly it becomes a 60-page liability. Done well it is the load-bearing document of the whole ISMS — and the artefact your auditor reads first.

Get a 30-min scoping call

No deck. A working session on the path to certification and what the first 90 days look like.

Talk to a security operator.

Tell us what you're trying to ship, what's stalled, or which buyer security review is up next. We work with companies across the EU, EEA and US — and we reply within one business day.

Get in touch