We design, implement and run your Information Security Management System (ISMS) so you reach certification faster — and turn it into a commercial advantage.
Clients and tenders increasingly demand certification, but internal teams lack the time and expertise to run a 93-control ISMS without disrupting the business.
You lose contracts and tenders because you cannot prove a certified ISMS.
Annex A of ISO/IEC 27001:2022 has 93 controls and nobody internally knows where to start.
Documentation (policy, SoA, risk assessment, procedures) piles up and goes out of date.
The certification audit arrives and nonconformities appear that delay the whole project.
From gap analysis to the certification audit, we cover every requirement of the standard.
We compare your current state with the requirements of ISO/IEC 27001:2022 and prioritise the action plan.
Risk-assessment methodology, asset inventory and treatment plan aligned with your risk appetite.
We implement the controls applicable to you from the 93 in Annex A (2022) and produce your Statement of Applicability (SoA).
Security policy, procedures, records and evidence ready for audit, with no unnecessary paperwork.
We run the internal audit and prepare the management review ahead of certification.
We support you through stage 1 and stage 2 audits with the certification body and close out nonconformities.
Knowing the scope up front keeps your project predictable.
93 Annex A controls (2022 version). Source: ISO/IEC 27001:2022, Annex A.
4 themes grouping the controls: organisational, people, physical and technological. Source: ISO/IEC 27001:2022, Annex A.
3 years certificate validity, with annual surveillance audits. Source: accredited ISO/IEC 27001 certification scheme.
A staged engagement that keeps your team focused on the business.
Gap analysis and definition of the ISMS scope.
Risk assessment and treatment plan.
Roll-out of Annex A controls and documentation.
Internal audit and management review.
Support through stage 1 and stage 2 audits.
Cost depends on scope, number of sites and your current security maturity. After the free readiness assessment we give you a fixed, phased proposal that separates our consulting fees from the certification body's fee (contracted separately and independent of us).
A typical ISMS project from scratch usually takes several months up to the certification audit, depending on scope and your team's availability. In the initial diagnosis we set a realistic timeline with milestones so there are no surprises.
Not necessarily. Annex A of ISO/IEC 27001:2022 includes 93 controls, but you only apply those relevant to your organisation; the rest are justified as not applicable in the Statement of Applicability (SoA). We help you define a scope proportionate to your real risk.
No. The ISMS, documentation and procedures are yours and stay with you. We train your team to operate it independently; any ongoing maintenance is optional and with no lock-in.
Largely, yes. A certified ISMS covers a good part of the NIS2 Directive's risk-management obligations, though it does not fully replace them. We reuse the ISO 27001 work as the foundation of your NIS2 compliance.
Book a free readiness assessment and get a clear gap report and timeline — no commitment.
Request free assessment
Response within one business day.