ISO 27001 Readiness
Information Security Management Systems
What is ISO 27001?
ISO 27001:2022 is the international standard for information security management systems (ISMS). It takes a risk-based approach to managing sensitive information through 93 Annex A controls across organizational, people, physical, and technological categories.
Whether you're building an ISMS from scratch for initial certification or preparing for your surveillance audit, we get your management system audit-ready — from risk assessment through Statement of Applicability to certification body engagement.
What We Cover
Our ISO 27001 readiness program covers the full standard — ISMS core requirements plus Annex A control implementation.
- 1ISMS Core (Clauses 4–10) — Context of the organization, leadership commitment, risk planning, support resources, operational controls, performance evaluation, and continual improvement.
- 2Organizational Controls (37) — Policies, roles and responsibilities, asset management, access control, supplier relationships, and incident management.
- 3People Controls (8) — Screening, awareness training, disciplinary processes, and remote working security.
- 4Physical Controls (14) — Security perimeters, entry controls, equipment protection, and secure disposal.
- 5Technological Controls (34) — Endpoint security, access rights, cryptography, logging, network security, and secure development lifecycle.
Our Process
Typical engagement: 6–12 weeks (initial certification) to 2–4 weeks (surveillance audit preparation)
Assessment & Gap Analysis
We assess your current security posture against the target framework through questionnaires, environment scans, and documentation review. The result is a clear picture of where you stand and what gaps need to be closed.
Remediation Planning
Based on the gap analysis, we create a prioritized remediation plan with clearly defined tasks, impact ratings, and criticality scores. Each task is scoped so your team knows exactly what to do and in what order.
Policy & Control Implementation
We draft and implement the security policies, procedures, and technical controls required by the framework. This includes configuring your GRC platform, mapping controls, and establishing the processes auditors expect to see.
Evidence Collection & Documentation
We help you collect, organize, and document the evidence that demonstrates control effectiveness. This includes screenshots, configuration exports, policy sign-offs, and access reviews — everything an auditor will ask for.
Readiness Review & Audit Support
We perform a pre-audit readiness review to confirm identified gaps are addressed and evidence is complete. When you engage your auditor or certification body, we support you through the process — answering questions, providing context, and supporting your team throughout.
GRC Platform Experience
We configure and manage your ISMS in Drata and Vanta — mapping Annex A controls, automating evidence collection, managing your risk register, and preparing your Statement of Applicability so your ISMS documentation and evidence are well-organized and accessible.
Already ISO 27001-ready?
Our audit practice at Internal Audit Services performs your ISO 27001 internal audit — so you go into your certification audit well-prepared.
Schedule your internal auditISO 27001 Frequently Asked Questions
How long does ISO 27001 certification take?
Readiness — building or maturing your ISMS to meet ISO 27001:2022 — typically takes 6–12 weeks for a first certification; surveillance audit preparation takes 2–4 weeks. The certification audit itself is separate and runs in two stages: a Stage 1 documentation review, then a Stage 2 audit of your implemented controls, usually a few weeks apart. Certificates are valid for three years, with surveillance audits in years one and two.
What is an ISMS?
An ISMS (information security management system) is the set of policies, processes, and controls an organization uses to manage information security risk systematically. ISO 27001 defines the requirements for an ISMS in Clauses 4–10 — covering organizational context, leadership, planning, support, operation, performance evaluation, and improvement — supported by the 93 Annex A controls.
What is a Statement of Applicability?
The Statement of Applicability (SoA) is a required ISO 27001 document that lists all 93 Annex A controls and states, for each one, whether it applies to your organization and why. It's one of the first documents your certification body will ask for, and it has to stay consistent with your risk assessment and implemented controls — we build and maintain it as part of readiness.
What's the difference between Stage 1 and Stage 2 audits?
Stage 1 is a readiness review by your certification body: the auditor examines your ISMS documentation — scope, risk assessment, Statement of Applicability, policies — and confirms you're prepared for the full audit. Stage 2 is the certification audit itself: the auditor tests whether your controls are actually implemented and operating. Findings from Stage 1 must usually be addressed before Stage 2 begins.
Can the same firm build our ISMS and perform our internal audit?
ISO 27001 Clause 9.2 requires internal audits to be objective and impartial — auditors can't audit work they performed themselves. That's why our internal audit practice is a separate service, Internal Audit Service: if we build your ISMS, an auditor who wasn't involved in that work performs your internal audit, keeping the independence your certification body expects.
How much does ISO 27001 certification cost?
Budget for three components: readiness consulting, certification body fees (the initial Stage 1 and Stage 2 audits plus annual surveillance audits), and GRC tooling such as Drata or Vanta if you use it. Costs scale with organization size, ISMS scope, and how much of the standard you already satisfy. We scope every engagement individually — book a 30-minute call for a fixed quote.
Do we need SOC 2 or ISO 27001?
It depends on who's asking. US enterprise customers usually request a SOC 2 report; international and European customers more often expect ISO 27001 certification. The two frameworks' controls overlap substantially, so many companies pursue both from one control set — if you're choosing, start with whichever your largest prospects are asking for.
Get Started
Book a 30-minute scoping call to discuss your ISO 27001 readiness goals.