ISO 27001 support, from a team that holds it.

ISO 27001 is the international standard for an information security management system, the proof that larger clients, the public sector, and regulators look for. We guide you from gap analysis to a certificate that genuinely holds up, with the credibility that comes from running ISO 27001 ourselves. We are UKAS accredited for the standard, so we know what a real assessment expects.

Verified: ISO 27001 (UKAS accredited) · Cyber Essentials (certification body) · CISSP (in house) · MCIIS (Chartered Institute) · 5.0 Google rating
ISO 27001 / 01 · What it is

A management system, not a one off project.

ISO 27001 does not check a fixed list of controls. It certifies that you run a working system for deciding which risks matter, choosing controls to address them, assigning ownership, and reviewing the whole thing over time. The current version is ISO 27001:2022. Done properly through a UKAS accredited certification body, the certificate carries real weight, because it shows security is governed, not just configured once.

01 · An ISMS: A documented information security management system, run and reviewed continuously.
02 · Risk led: Controls chosen from Annex A to address the risks that actually apply to you.
03 · Two stage audit: An external audit in two stages by a certification body, then ongoing surveillance.
04 · Months, not weeks: Plan it as a programme: commonly several months to over a year to certify.
ISO 27001 / 02 · What we do

From gap analysis to a certificate that holds up.

We support the whole journey, and we run the technology underneath it, so the management system describes what is actually in place rather than an aspiration.

01Assess

Gap analysis

An honest assessment of where you stand against the standard, scoped to your business, so you start the programme knowing exactly what it will take.

Scope definition · Gap analysis · Risk assessment
02Build

Build the ISMS

We develop the policies, procedures, and risk treatment plan, and select the Annex A controls that fit your risks. Practical documents people will actually follow, not shelfware.

Policies and procedures · Risk treatment · Annex A controls
03Run

Run and internally audit

We help you operate the system long enough to generate real evidence, then run the internal audit and management review that the standard requires before certification.

Operate the ISMS · Internal audit · Management review
04Certify

Certification support

We prepare you for the two stage external audit and stand with you through it, then keep the system alive for the surveillance audits between recertifications.

Stage 1 and 2 prep · Audit support · Surveillance
ISO 27001 / 03 · The journey

What the ISO 27001 path looks like.

It is a longer road than Cyber Essentials, and that is the point. The work is in building a system that runs, not in passing a single test. Here is the shape of it.

01

Scope and gap analysis

We define what the ISMS covers and assess the gap to the standard, so the programme is realistic from the start.

02

Build and document

We build the risk approach, policies, and controls, mapped to Annex A, designed around how your business actually works.

03

Operate and evidence

You run the system for long enough to produce evidence, with internal audits and a management review along the way.

04

Certify and maintain

You pass the two stage external audit, then keep the system live through surveillance audits and recertification.

The same rigour we hold ourselves to. The discipline behind our own UKAS accredited ISO 27001 certification is the discipline we bring to yours.
ISO 27001 / 04 · Read the clause

Certified and aligned are not the same thing.

This is where suppliers get caught out. Certified means an accredited body has audited you and issued a certificate. Aligned, or equivalent, means you work to the standard without holding the certificate. An auditor knows the difference, so the honest answer is always an answer to the question that was actually asked. If your contract says "ISO 27001 or equivalent", it is worth a short conversation with the buyer to confirm what they will accept before you commit to the larger project. We will tell you plainly which one you need.

Certified · Audited and issued: An accredited certification body has assessed you and granted a certificate.
Aligned · Working to the standard: You meet the standard without holding the certificate. Say so honestly.
Equivalent · Confirm what counts: Ask the buyer what they accept before committing to the full programme.
FAQ

Common questions

What is ISO 27001?

ISO 27001 is the international standard for an information security management system, or ISMS. Rather than checking a fixed list of controls, it certifies that you run a working system for assessing risk, choosing controls to address it, assigning ownership, and reviewing the whole thing over time. The current version is ISO 27001:2022. A certificate from a UKAS accredited body carries real weight with enterprise and public sector buyers.

How long does ISO 27001 certification take?

Plan it as a programme rather than a quick project. It commonly takes several months to over a year, because you have to build the management system, run it long enough to produce evidence, and then pass a two stage external audit. The exact timeline depends on the size of your organisation, the scope of the ISMS, and how much of the groundwork is already in place. A gap analysis gives you a realistic picture up front.

What is the difference between certified and aligned to ISO 27001?

They are materially different. Certified means an accredited certification body has audited you and issued a certificate. Aligned, or equivalent, means you work to the standard without holding the certificate. Be careful not to claim you are certified when you are aligned, because an auditor will know the difference. If a contract says "or equivalent", confirm with the buyer what they will actually accept before committing.

Do I need Cyber Essentials before ISO 27001?

You do not have to, but it often helps. The five Cyber Essentials controls map onto controls within ISO 27001's Annex A, so certifying to Cyber Essentials first gives you a clean technical baseline and some early evidence, which makes the later ISO 27001 programme smoother. Many firms hold both: Cyber Essentials as the fast, public baseline, with ISO 27001 underneath as the governance layer.

Are you ISO 27001 certified yourselves?

Yes. We run an information security management system and are UKAS accredited for ISO 27001. That matters for two reasons. First, it is proof we hold ourselves to the standard we help you reach. Second, it means we know what a real assessment expects, so the system we build with you is shaped by experience, not a template. We keep our own status and the service we offer you clearly separate.

Plan your ISO 27001 path.

Tell us what you are trying to satisfy (a contract, a regulator, or a serious data risk) and we will set out the path plainly: what it takes, how long it runs, and whether you need ISO 27001, Cyber Essentials, or both. We reply within one working day, and you will speak to an engineer, not a salesperson.

Reading, Berkshire  /  UKAS accredited for ISO 27001  /  reply within one working day