ISO 27001 Readiness
Information Security Management Systems
What is ISO 27001?
ISO 27001:2022 is the international standard for information security management systems (ISMS). It takes a risk-based approach to managing sensitive information through 93 Annex A controls across organizational, people, physical, and technological categories.
Whether you're building an ISMS from scratch for initial certification or preparing for your surveillance audit, we get your management system audit-ready — from risk assessment through Statement of Applicability to certification body engagement.
What We Cover
Our ISO 27001 readiness program covers the full standard — ISMS core requirements plus Annex A control implementation.
- ISMS Core (Clauses 4–10) — Context of the organization, leadership commitment, risk planning, support resources, operational controls, performance evaluation, and continual improvement.
- Organizational Controls (37) — Policies, roles and responsibilities, asset management, access control, supplier relationships, and incident management.
- People Controls (8) — Screening, awareness training, disciplinary processes, and remote working security.
- Physical Controls (14) — Security perimeters, entry controls, equipment protection, and secure disposal.
- Technological Controls (34) — Endpoint security, access rights, cryptography, logging, network security, and secure development lifecycle.
Our Process
Typical engagement: 6–12 weeks for initial certification; 2–4 weeks for surveillance audit preparation.
Assessment & Gap Analysis
We assess your current security posture against the target framework through questionnaires, environment scans, and documentation review. The result is a clear picture of where you stand and what gaps need to be closed.
Remediation Planning
Based on the gap analysis, we create a prioritized remediation plan with clearly defined tasks, impact ratings, and criticality scores. Each task is scoped so your team knows exactly what to do and in what order.
Policy & Control Implementation
We draft and implement the security policies, procedures, and technical controls required by the framework. This includes configuring your GRC platform, mapping controls, and establishing the processes auditors expect to see.
Evidence Collection & Documentation
We help you collect, organize, and document the evidence that demonstrates control effectiveness. This includes screenshots, configuration exports, policy sign-offs, and access reviews — everything an auditor will ask for.
Readiness Review & Audit Support
We perform a pre-audit readiness review to confirm that identified gaps are addressed and evidence is complete. When you engage your auditor or certification body, we support you through the process, answering questions and providing context for your team throughout.
GRC Platform Experience
We configure and manage your ISMS in Drata and Vanta — mapping Annex A controls, automating evidence collection, managing your risk register, and preparing your Statement of Applicability so your ISMS documentation and evidence are well-organized and accessible.
Already ISO 27001-ready?
Our audit practice at Internal Audit Services performs your ISO 27001 internal audit — so you go into your certification audit well-prepared.
Schedule your internal audit
Get Started
Book a 30-minute scoping call to discuss your ISO 27001 readiness goals.