ISO 27001 Readiness
ISO 27001:2022 certification tells your customers you take information security seriously, and gives you an independent attestation to credibly differentiate your business.
When does ISO 27001 become necessary?
ISO 27001 certification typically becomes a business requirement rather than a nice-to-have at one of these inflection points:
- An enterprise customer requires it as a condition of contract renewal or a new agreement
- A government tender includes it as a mandatory supplier requirement
- A significant customer security questionnaire asks for it and you cannot provide evidence
- Your organisation is pursuing Series B funding or an acquisition and security posture is part of due diligence
- You operate in a regulated industry (healthcare, financial services, legal) and are benchmarking against peer organisations that hold the certification
What does ISO 27001 readiness include?
We take organisations from their current state through to certification. Clients who implement what we design achieve ISO 27001 certification, and we stand behind that through your external audit and the certification decision.
- Gap analysis and scope definition: Assessment of your current posture against all clauses of ISO 27001:2022 (clauses 4 through 10) and the 93 controls in Annex A. Clear identification of what is in place, what is partial, and what is missing — rated by implementation status and certification risk.
- ISMS design and documentation: We design your information security management system and produce the documentation required for certification: policies, procedures, risk assessment methodology, asset inventory, and risk register. Written for your organisation’s context, not copied from a template.
- Statement of Applicability: A complete SoA documenting which Annex A controls apply to your scope, justification for any exclusions, and the implementation status of each control. Finalised with your team before your Stage 1 audit.
- Implementation support: Prioritised remediation roadmap with realistic timelines. We work with your team through the implementation phase — not just hand over a list of findings.
- Internal audit: A formal internal audit (required by clause 9.2) before your certification audit. It identifies any remaining nonconformities so you can address them before the certifying body arrives.
- External audit support: We support you through both stages of the certification audit. If nonconformities are raised during the audit, we help you prepare your response and corrective actions.
What you receive
A fully implemented Information Security Management System (ISMS), together with all of the artefacts required for certification, including the internal audit report.
Timeline
The gap analysis and ISMS design phase typically runs 4 to 8 weeks.
Full implementation support through to certification audit runs 6 to 12 months depending on organisation size, existing documentation maturity, and how much of the implementation work your team handles internally.
Pricing
Contact us with your organisation size, industry, and target certification timeline. We will scope the engagement and respond within one business day.
Based in Australia. Serving Globally.
Listed on BuyICT and selected Australian government procurement panels, including NSW SCM0020.
Our practitioners bring senior CISO experience across SMBs, Government, education, healthcare, not-for-profit, financial services, and technology. Every engagement is led by an experienced practitioner from scoping through to delivery.
Talk to Our Experts
We provide a large range of security services.
Reach out to us for a no obligation confidential conversation.