Regulatory compliance
We implement your information security management system and take it all the way to the certificate: gap analysis, ISMS design, risks, statement of applicability, controls, internal audit and support through both stages with the certification body. Our commitment on method: the system is designed for your reality and for the level of risk you can take on; it does not come out of a template.
ISO 27001 lead auditors on the team and our own certified ISMS.
Who it is for
ISO 27001 is the international reference standard for information security. It is voluntary, but the market asks for it: large clients, tenders and supplier questionnaires take it for granted, and it is the foundation that NIS2, the ENS, TISAX and almost any framework that reaches you later rest on. Getting certified orders your security and, on top of that, opens doors.
If you sell to large accounts, bid for tenders or your sector demands proof of security, an ISMS under ISO 27001 is the credential that opens the conversation. And if the ENS or NIS2 come later, you will already have most of the groundwork done.
The framework
The version in force is the 2022 one: 93 controls in Annex A, organized in four groups, that are selected and justified in the statement of applicability. Certificates from the previous edition are no longer valid.
Benefits
The certificate that large clients, supplier questionnaires and a growing number of bid specifications ask for.
Management decides with a risk map in front of them and keeps exposure at levels the organization can take on.
The ENS, NIS2 and TISAX rest on the ISMS. Each later framework arrives with most of the work done.
Policy, risks and controls that people understand and use, that keep risk at an acceptable level and that, along the way, pass the audit.
Service
Gap analysis against the standard, with a maturity snapshot that prioritizes the work.
ISMS definition: scope, policy, objectives and roles, fitted to your organization and not the other way around.
Risk analysis and treatment, with criteria that management can understand and approve.
Statement of applicability: which Annex A controls apply to your risks, which do not and why.
Control implementation and just the right amount of documentation: what the standard requires and what actually serves you in secure day-to-day work.
Training for the team and for management, which has its own role in the standard.
Internal audit prior to certification, a requirement of the standard itself.
Support during certification: Stage 1 (documentation) and Stage 2 (implementation and effectiveness), through to the closing of findings.
Cycle maintenance: the certificate lives in three-year cycles, with annual surveillance and recertification in the third year, and we accompany you at every appointment.
Method
Maturity against the clauses and Annex A, with a prioritized map, in two to three weeks.
Scope, policy, risks and statement of applicability approved, in three to four weeks.
Controls, documentation, training and evidence; from four to nine months depending on scope and starting point.
Full internal audit, correction of findings and support through both stages with the certification body.
In parts
Not everyone needs the whole journey. These two stretches are contracted separately, and both end in a deliverable that stands on its own.
The snapshot of where you really stand against the standard: what you already meet of the clauses and Annex A, what you are missing to get certified and how much effort it takes to close it. To decide with data before committing budget.
You walk away with: the degree of compliance, control by control, and a prioritized roadmap, in a few weeks.
The system kept alive between audits: risks and documentation up to date, indicators that can be read, the cycle's internal audit and preparation for each surveillance. For those already certified, whether they implemented it with us or with anyone else.
You walk away with: an up-to-date ISMS and the body's surveillance audits without surprises.
Synergies
Volume consultancies hand the same photocopied ISMS to all their clients, and that shows in the audit and is felt in day-to-day operation. Our approach is the opposite: we start from your reality (size, sector, technology, people) and build the system on it.
What is more, the ISMS is the best compliance investment there is because of its synergies: it covers a large part of the path toward the ENS, toward NIS2 and toward TISAX, and it integrates naturally with business continuity and with AI governance if your organization needs them. And since the system itself calls for security to be tested technically, that is where our infrastructure pentest fits, providing evidence that the controls work.
FAQ
It depends on the scope and the starting point. As a reference, implementation usually takes between four and nine months before the certification audit; the initial gap analysis gives you a realistic estimate within a few weeks.
Annex A moved to 93 controls organized in four groups and added new controls, such as threat intelligence, cloud security and data leakage prevention. Certificates from the 2013 edition are no longer valid: today everything is implemented and audited against the 2022 version.
Legally no, commercially more and more so: it shows up in tenders, in contracts and in the security questionnaires of large clients. And it is the technical foundation of frameworks that are mandatory, such as NIS2 for the entities in scope or the ENS for those who work with public administration.
It has two stages: in the first, the body reviews your documentation and your readiness; in the second, it checks on the ground that the system works and is effective, with interviews and sampling of evidence. Afterwards, the certificate is maintained in three-year cycles: two lighter annual surveillance audits and a full recertification in the third year.
It is normal and does not prevent certification: minor nonconformities are resolved with a corrective action plan, and our prior work (internal audit included) is designed so that major ones never come up.
Yes. The gap analysis works as a standalone piece to know where you stand before deciding, and ISMS maintenance is designed for systems that are already certified, whether we implemented them or not. Each stretch ends in a deliverable that stands on its own.
With one condition we take seriously: independence. The internal audit is always carried out by an auditor on the team who did not take part in the implementation, and if the scope does not allow it, we tell you and help you resolve it with a third party. Auditing your own work is not auditing.
Shall we talk?
Tell us your scope and your starting point: the gap analysis will tell you how far you are from the certificate and where to begin.
Get in touch