ISO Certification

ISO compliance designed to produce defensible evidence.

ISO 27001 is now a procurement requirement in regulated sectors, a recognised basis for board-level cyber governance, and a source of evidence for regulatory compliance. The question is whether the programme behind the certificate is built to hold up when boards, customers or regulators look closely.

Standards covered

Which assurance outcome do you need to evidence?

ISO 27001 is the foundation. The others extend or complement it depending on what the organisation needs to demonstrate.

Information Security

ISO 27001

Information Security Management System

The foundation certification for information security. Required or expected by a growing number of customers, procurement processes, and regulated sectors. Certification demonstrates that the organisation manages information security risks through a structured, audited management system.

Privacy

ISO 27701

Privacy Information Management System

An extension to ISO 27001 that adds privacy-specific controls and maps directly onto GDPR obligations. Suited to organisations that hold significant personal data and want a structured, certifiable approach to privacy governance.

Business Continuity

ISO 22301

Business Continuity Management System

Certification that the organisation has a tested, evidenced capability to continue operating through disruption. Relevant to organisations facing customer requirements for resilience assurance, and to those in scope for NIS2, which requires business continuity to be tested rather than merely documented.

AI Governance

ISO 42001

AI Management System

The newest of the four, adopted in 2023. Provides a structured framework for governing AI use responsibly: risk assessment, transparency, accountability, and human oversight. Demand is growing as organisations face board pressure and emerging regulatory requirements around AI.

Choose your starting point

Three ISO engagement options.

Each engagement is designed to produce a clear, honest view of where the organisation stands and what it needs to do next.

Starting point

ISO Gap Assessment

For organisations that need to understand their current position against a chosen ISO standard before committing to a full programme.

  • Current state review against the chosen standard
  • Gap register with prioritised findings
  • Scope and management system boundary definition
  • Realistic programme plan and timeline
Output: A gap register and programme plan covering scope, priority gaps, control ownership, and a realistic path to certification.

Independent assurance

ISO Readiness Verification

For organisations that have done substantial ISO work and need an independent view of whether the management system is audit-ready.

  • Review of management system documentation and design
  • Assessment of control operational effectiveness
  • Evidence base review against certification body expectations
  • Prioritised remediation before the Stage 2 audit
Output: An independent readiness view identifying gaps in documentation, controls, and evidence before the certification body auditor does.

Full programme

ISO Programme Design

For organisations that need to build and run an ISO compliance programme from gap assessment through to a successful certification audit.

  • Management system governance and ownership model
  • Control framework and evidence approach
  • Internal audit programme design
  • Implementation roadmap and certification timeline
Output: A programme design covering management system governance, control ownership, evidence framework, and a structured path to certification.

Common questions

ISO compliance FAQ.

Why does ISO 27001 matter commercially?

ISO 27001 is increasingly expected rather than optional for organisations operating in B2B markets. Customer procurement processes, tender requirements, regulated sector expectations, and cyber insurance underwriting all treat ISO 27001 certification as a baseline indicator of security maturity. Organisations that cannot demonstrate certification, or a credible path to it, lose commercial opportunities, often without being told that the missing certificate was the reason.

What does ISO 27001 actually require?

The standard requires organisations to identify the information security risks they face, select and implement controls proportionate to those risks (with Annex A as the reference control set against which the selection is justified), and demonstrate through an independent audit that the management system works. It is a management system standard rather than a technical specification: it governs policy, risk management, access control, incident handling, supplier security, and business continuity, and leaves the choice of specific technologies to the organisation.

How do ISO 27701, 22301 and 42001 relate to ISO 27001?

ISO 27701 is a direct extension of ISO 27001: it cannot be certified on its own, and adds privacy-specific controls and requirements for controllers and processors that map onto GDPR obligations, providing a certifiable framework for privacy governance. ISO 22301 is a standalone business continuity management system standard rather than an extension of 27001, but it shares the same high-level structure (context, leadership, planning, support, operation, performance evaluation, improvement), so it can be integrated with an existing 27001 system instead of being run as a parallel programme. It requires tested recovery capability rather than just documented plans. Both can be pursued alongside a 27001 programme or added to an existing certified system.

ISO 42001 is independent of 27001 and covers AI management specifically: risk assessment, transparency, accountability, and human oversight of AI systems. It can be pursued standalone or integrated with an existing management system. Of the four, 42001 is the most recently adopted and the one where demand is growing fastest as boards and regulators focus on AI governance.

How does certification work?

Certification follows a defined process. The organisation implements a management system that meets the requirements of the standard: policies, a risk assessment and risk treatment plan, controls, evidence records, and internal audits. A certification body then conducts a two-stage external audit. Stage 1 reviews the documentation and management system design and confirms that the organisation is ready for Stage 2. Stage 2 assesses whether the system is operational and effective, which means examining evidence that the controls are actually running, not just that they are described. Certification is awarded once any major non-conformities have been closed; minor non-conformities are typically accepted on the basis of an agreed corrective action plan.

Certification is not permanent. Surveillance audits take place annually, and a full recertification audit occurs every three years. The management system must continue to operate and improve; certification lapses if the ongoing requirements are not met.

How long does certification take?

A realistic timeframe from a gap assessment to a successful Stage 2 audit is six to eighteen months, depending on the organisation's starting position, size, and the scope of the management system. Organisations with mature existing security practices and good documentation will be at the shorter end. Organisations building a security management system from scratch will typically need twelve months or more, partly because the auditor expects to see a period of operating evidence (internal audit, management review, control records) before Stage 2.

The gap assessment establishes the starting position and is the critical input to a realistic programme plan. Organisations that attempt to estimate timelines without a gap assessment typically underestimate the work involved.

Why use external support rather than building towards certification internally?

ISO certification requires the management system to be independently audited. A certification body auditor will scrutinise the evidence base, challenge the risk assessment methodology, and test whether the controls are operational. Internal teams building towards certification without external challenge often find gaps at the audit stage that could have been identified and addressed earlier.

External support provides the independent perspective that internal familiarity cannot. It also brings direct experience of what certification bodies look for and where management systems commonly fall short, which shapes both the design decisions made early in the programme and the evidence approach that supports the audit.

We have already started ISO work. Can you still help?

Yes. The ISO Readiness Verification is designed for organisations that have done substantial work and want an independent view of whether the management system is audit-ready: whether the documentation is complete, the controls are operational, and the evidence base would withstand scrutiny from a certification body. It identifies gaps before the auditor does.

Where the work underway needs better structure or governance rather than a readiness check, the Programme Design engagement provides that without displacing what has already been built. The starting point is a conversation about where things currently stand.

Does ISO 27001 suit our sector and size?

Yes. ISO 27001 applies across sectors and organisation sizes, and the scope of the management system can be defined to fit the organisation's starting point. A management system scoped to a single product line or business unit is a legitimate starting point; it does not need to cover the entire organisation from day one. The scope does, however, have to be stated precisely on the certificate, and customers will check whether the services they buy fall inside it.

Sector experience includes financial services, professional services, technology and software, manufacturing, healthcare, and public sector organisations. Where sector-specific regulatory requirements interact with the ISO standard, such as NIS2 requirements for business continuity testing that align with ISO 22301, those interactions are accounted for in the programme design.

How do we get started, and what is involved?

The starting point is a 20-minute advisory call to understand the organisation's current position, the standard or standards being considered, and which engagement makes sense. There is no obligation following that call.

If a gap assessment is the right next step, the pre-work is straightforward: existing policy documentation, any current risk register or security controls inventory, and a description of the systems and information in scope. The assessment itself requires time from the information security lead, the risk or compliance function, and relevant operational leads, in targeted sessions rather than continuous commitment.
