ISO 27001 Consultancy — Information Security Management · Crescent Quality Certifications


ISO 27001 information security, set as a system.

An information security management system aligned to the 2022 revision — risk treatment, Annex A controls, and a Statement of Applicability that holds up under enterprise customer scrutiny.

What it is

The international standard for information security management systems.

ISO/IEC 27001 specifies the requirements for establishing, operating, monitoring, and improving an information security management system. The 2022 revision reorganised Annex A into 93 controls across four themes — organisational, people, physical, and technological — but the fundamental bargain is unchanged: understand your information assets, assess the risks to their confidentiality, integrity, and availability, and apply controls proportionate to those risks.

ISO 27001 is a management-system standard, not a checklist. Certification confirms that you have built a risk-driven system, are running it, and can evidence that. It is the most widely recognised international information-security certificate and is increasingly a minimum requirement for enterprise technology procurement.

Who needs it

Organisations handling customer, employee, or commercially sensitive data.

Software firms, SaaS businesses, managed-service providers, BPO and KPO operators, fintechs, and healthcare technology companies form the core of ISO 27001 adoption. Beyond technology, the standard is increasingly pursued by professional-services firms, financial intermediaries, and any organisation entering enterprise B2B procurement funnels — where a security questionnaire without 27001 or SOC 2 is effectively a rejection.

Benefits

What a well-built ISMS earns you.

01

Enterprise deal eligibility.

Large-customer procurement funnels increasingly list ISO 27001 or SOC 2 as a pre-qualification requirement. The certificate removes the friction from that filter.

02

Structured risk management.

Clause 6 forces explicit identification of information-security risks, acceptance criteria, and treatment decisions. The system surfaces decisions that would otherwise live in informal knowledge.

03

Regulatory alignment.

ISO 27001 maps well to a broad set of regulatory regimes — GDPR, HIPAA, India's DPDP Act, sectoral rules — and serves as a strong foundation for additional privacy or sector-specific certifications.

04

Control of the supply chain.

Annex A 5.19–5.23 cover supplier relationships, including security in supplier agreements, the ICT supply chain, ongoing monitoring of supplier services, and the use of cloud services. Implementation forces disciplined vendor risk management, where a growing share of real incidents originate.

05

Incident readiness.

Annex A 5.24–5.28 require incident management planning, assessment, response, and lessons learned, and Clause 8 requires the risk treatment plan that selects those controls to be implemented and evidenced, not merely written down. A capability that is exercised in tabletops reveals its weaknesses before a live incident does.

06

Board-level visibility.

Management review turns information security from a CISO concern into a board-level agenda item, with quantified risk and performance reporting.

Requirements, in outline

What the standard actually asks of you.

Clause 4 requires understanding the organisation and its context, the needs of interested parties, and the scope of the ISMS. Clause 5 places leadership accountability for the ISMS, including an information security policy and defined roles. Clause 6 covers risk assessment, risk treatment, and the Statement of Applicability — the document that declares which Annex A controls are applicable and why.

Clause 7 addresses resources, competence, awareness, communication, and documented information. Clause 8 drives operational planning and control, including the implementation and operation of the risk treatment plan. Clause 9 covers performance evaluation through monitoring, measurement, internal audit, and management review. Clause 10 addresses non-conformity and continual improvement. The 2022 revision also introduced an explicit requirement to plan changes to the ISMS and to align with the harmonised structure used across other ISO management-system standards.

Our approach

Five stages, from discovery to certificate.

01

Scoping & asset inventory

Define the scope of the ISMS honestly — boundaries, locations, interfaces — and build an information-asset inventory that will actually drive the risk assessment.

02

Risk assessment & SoA

Risk assessment workshops that produce a defensible risk register, risk treatment plan, and Statement of Applicability. We write SoAs that auditors and customers can actually read.

03

Control implementation

Close the gaps against applicable Annex A controls — organisational policies, HR, access control, cryptography, physical security, operations, supplier management, and incident response.

04

Internal audit & review

Full internal audit across the clauses and sampled controls, management review, and incident-response tabletop. Findings closed before the certification auditor is ever in the room.

05

Certification audit

Attendance at Stage 1 (documentation review) and Stage 2 (implementation audit), coaching on findings response, and handover of the certificate and surveillance calendar.
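The traceability that Stage 1 (asset inventory) and Stage 2 (risk register, treatment plan, Statement of Applicability) produce is easiest to see in code. The following is an added example, not Crescent's own tooling or any template from the standard: it scores a constructed sample register on an assumed 1–5 likelihood by impact scale, applies an assumed acceptance threshold, derives an SoA from the treatment decisions plus assumed contractual obligations, and flags the two inconsistencies auditors most often raise (a risk above the acceptance criterion marked "accept", and a control excluded with no justification). The control identifiers are from ISO/IEC 27001:2022 Annex A; everything else is illustrative.

```python
"""Risk register -> risk treatment plan -> Statement of Applicability (added example)."""
from dataclasses import dataclass

# Assumed 1-5 likelihood x impact scale. Risks scoring above ACCEPT_ABOVE must be
# treated; the threshold is the management-set acceptance criterion of Clause 6.1.2.
ACCEPT_ABOVE = 8


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str           # entry from the Stage 1 asset inventory
    threat: str
    likelihood: int      # 1-5 (assumed scale)
    impact: int          # 1-5 (assumed scale)
    controls: tuple      # Annex A control ids selected to treat the risk
    treatment: str       # "modify", "accept", "avoid" or "share"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Subset of ISO/IEC 27001:2022 Annex A, enough for the example.
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.19": "Information security in supplier relationships",
    "5.23": "Information security for use of cloud services",
    "7.4": "Physical security monitoring",
    "8.5": "Secure authentication",
    "8.8": "Management of technical vulnerabilities",
    "8.28": "Secure coding",
}

# Constructed sample register; assets, threats and scores are illustrative.
RISKS = [
    Risk("R1", "Customer database", "Credential stuffing against admin portal", 4, 5, ("8.5",), "modify"),
    Risk("R2", "Production cloud account", "Misconfigured object storage exposes data", 3, 5, ("5.23", "8.8"), "modify"),
    Risk("R3", "Payroll SaaS vendor", "Vendor breach leaks employee data", 3, 4, ("5.19",), "accept"),
    Risk("R4", "Office server room", "Unauthorised physical entry", 1, 3, (), "accept"),
    Risk("R5", "Web application code", "Injection flaw in customer-facing API", 3, 4, ("8.28",), "modify"),
]

# Assumed legal/contractual obligations that make a control applicable regardless of the register.
OBLIGATIONS = {"5.19": "Enterprise MSA clause 12 requires supplier security assessment"}


def treatment_plan(risks, accept_above=ACCEPT_ABOVE):
    """Return (risks requiring treatment, findings).

    A finding is a decision an auditor would challenge: a risk above the acceptance
    criterion marked 'accept', or a 'modify' decision that selects no controls.
    """
    plan, findings = [], []
    for r in risks:
        if r.score <= accept_above:
            continue
        plan.append(r)
        if r.treatment == "accept":
            findings.append(f"{r.rid}: score {r.score} exceeds acceptance criterion {accept_above} but is marked accept")
        elif r.treatment == "modify" and not r.controls:
            findings.append(f"{r.rid}: treatment 'modify' selects no controls")
    return plan, findings


def statement_of_applicability(risks, catalogue=ANNEX_A, obligations=OBLIGATIONS, accept_above=ACCEPT_ABOVE):
    """Derive the SoA from the register as {control_id: (applicable, justification)}.

    A control is applicable when a risk being modified selects it or an obligation names it.
    Every other control is listed as excluded with a placeholder justification the
    implementer must replace: silent exclusions are a classic Stage 1 finding.
    """
    selected = {}
    for r in risks:
        if r.treatment != "modify" or r.score <= accept_above:
            continue
        for cid in r.controls:
            selected.setdefault(cid, []).append(r.rid)
    soa = {}
    for cid, name in catalogue.items():
        reasons = []
        if cid in selected:
            reasons.append("treats " + ", ".join(selected[cid]))
        if cid in obligations:
            reasons.append(obligations[cid])
        if reasons:
            soa[cid] = (True, f"{name}: " + "; ".join(reasons))
        else:
            soa[cid] = (False, f"{name}: no treated risk or obligation selects it; justify exclusion")
    return soa


def unknown_controls(risks, catalogue=ANNEX_A):
    """Control ids in the register that are not in the catalogue (typos, leftover 2013 numbering)."""
    return sorted({cid for r in risks for cid in r.controls if cid not in catalogue})


if __name__ == "__main__":
    plan, findings = treatment_plan(RISKS)
    print("Requires treatment:", [r.rid for r in plan])
    print("Findings:", findings, "Unknown control ids:", unknown_controls(RISKS))
    for cid, (applicable, why) in statement_of_applicability(RISKS).items():
        print(f"{cid:5} {'applicable' if applicable else 'excluded  '} {why}")
```

Run as-is, the script lists R1, R2, R3 and R5 as requiring treatment, flags R3 (accepted above the threshold), marks 5.19 applicable only because of the assumed contractual obligation, and leaves 5.7 and 7.4 excluded with a justification the implementer must still write. The point is that every line of the SoA is traceable to a risk or an obligation, which is what the Stage 1 reviewer and the enterprise customer both read it for.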

Timeline & investment

Honest ranges, not placeholder pricing.

A first-time implementation for an organisation of 40 to 150 employees typically reaches Stage 2 in ten to fourteen weeks. Larger organisations, multi-site scopes, or organisations starting without any documented security practice extend the window to four to six months. A common pattern is a parallel SOC 2 Type I readiness, which reuses much of the same control evidence.

Fees depend on scope, employee count, number of locations, and the maturity of existing controls. We quote after the gap analysis. Certification-body audit fees, plus any penetration testing or technical assessment costs, are separate and vary with scope.

Frequently asked

Questions we answer on most ISO 27001 calls.

Does ISO 27001 require a penetration test?

Not explicitly, but the risk assessment almost always identifies external technical testing as a proportionate control for internet-facing systems (Annex A 8.8, management of technical vulnerabilities), and auditors expect to see the resulting evidence. Penetration testing is typically scoped alongside implementation.

How does ISO 27001 differ from SOC 2?

ISO 27001 is a management-system certification under an international standard; SOC 2 is an attestation report under the AICPA's Trust Services Criteria. Many organisations hold both. We often run the two programmes in parallel because the control evidence overlaps substantially.

What changed in the 2022 revision?

Annex A was restructured into four themes and 93 controls (down from 114), with eleven new controls (threat intelligence, cloud services, data leakage prevention, secure coding, and others). Organisations certified against the 2013 edition had until 31 October 2025 to transition. Transition support is a common engagement.

Is our cloud infrastructure in scope?

If it processes information within your ISMS scope, yes. The shared-responsibility model does not remove your accountability; it distributes it. We work with the major hyperscalers' compliance artefacts to keep the evidence burden proportionate.

How much documentation is required?

Lighter than most teams fear. The standard requires a defined set of policies and records; the rest is whatever the risk treatment plan demands. We resist documentation that does not drive operational control.

Get a readiness assessment for ISO 27001.

Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.