Information Security Management System (ISO 27001:2022)
ISO 27001
ISO 27001:2022 is the international gold standard for managing information security. We build a right-sized Information Security Management System (ISMS) and guide you through to certification by a UKAS-accredited body.
What you get
- A practical, audit-ready ISMS
- Risk assessment and Statement of Applicability
- Stage 1 and Stage 2 audit support
- Credibility for larger contracts and partners
Pricing: Request a quote
What ISO 27001:2022 is
ISO/IEC 27001:2022 is the leading international standard for an information security management system (ISMS). Where schemes like Cyber Essentials focus on a fixed set of technical controls, ISO 27001 takes a broader, risk-led view: it asks you to build and run a system for managing information security — identifying your risks, deciding how to treat them, implementing appropriate controls, and continually improving.
An ISMS is not a document or a piece of software; it is the combination of policies, processes, people and technology through which your organisation manages the confidentiality, integrity and availability of its information. Our guide to what an ISMS is unpacks the concept in plain English.
Certification to ISO 27001 is awarded by an independent certification body following a two-stage audit, and it is recognised worldwide as a serious, credible mark of information-security maturity.
The structure: clauses and Annex A
The standard has two connected parts:
- The management clauses (roughly clauses 4–10) set out the requirements for the ISMS itself — understanding your context, leadership commitment, planning, support, operation, performance evaluation and continual improvement. These are mandatory.
- Annex A provides a reference set of 93 controls, organised into four themes: organisational, people, physical and technological. You select the controls relevant to your risks and justify any you exclude in a document called the Statement of Applicability (SoA).
| Annex A theme | Focus |
|---|---|
| Organisational | Policies, roles, supplier and information-handling arrangements |
| People | Screening, awareness, responsibilities and conduct |
| Physical | Secure areas, equipment and physical protection |
| Technological | Access control, cryptography, logging, secure development and more |
The risk assessment drives which controls apply — you are not required to implement all 93 regardless of relevance.
Who should pursue it — and who might not need it
ISO 27001 suits organisations that want a recognised, comprehensive and scalable approach to information security. It is worth considering if:
- Clients, partners or tenders require or strongly favour certification.
- You handle significant volumes of sensitive or personal data and want mature, demonstrable governance.
- You are growing and need security to scale with the business rather than be bolted on.
- You want a single framework that can absorb obligations from UK GDPR, the DSPT and customer contracts.
Certification is voluntary — there is no legal obligation to hold it. Smaller organisations that only need a technical baseline may be better served initially by Cyber Essentials, and SMEs seeking a lighter, ISO-aligned route often prefer IASME Cyber Assurance. ISO 27001 is the right choice when the breadth and international recognition of a full ISMS justify the investment.
How certification works
The path to certification is well defined:
- Scope and context. Define what the ISMS covers and understand your internal and external context and interested parties.
- Risk assessment and treatment. Identify information-security risks, decide how to treat them, and select the Annex A controls that apply.
- Build the ISMS. Put the required policies, processes and controls in place, and produce your Statement of Applicability.
- Operate and generate evidence. Run the ISMS for a period so it produces real records — internal audits, a management review, risk treatment activity and improvement actions.
- Stage 1 audit. A UKAS-accredited certification body reviews your documentation and readiness.
- Stage 2 audit. The body assesses whether the ISMS is genuinely implemented and effective. Any nonconformities are addressed before certification.
- Ongoing assurance. Certification is maintained through annual surveillance audits and a recertification audit every three years.
You can gauge your starting position with our free ISO 27001 gap self-assessment.
Risk assessment: the engine of the ISMS
If one idea sits at the heart of ISO 27001, it is risk. The standard does not hand you a fixed list of things to do; instead it asks you to understand the information-security risks your organisation actually faces and to treat them in a proportionate way. This is what makes ISO 27001 scalable — a small care provider and a multinational both follow the same method, but arrive at very different control sets because their risks differ.
A workable approach usually runs like this. First, identify your information assets and the risks to their confidentiality, integrity and availability — what could go wrong, and how. Next, assess each risk, typically by considering how likely it is and how damaging it would be. Then decide how to treat each one: you might reduce it by applying a control, avoid it by stopping the activity, share it (for example through insurance or a supplier), or knowingly accept it where it is low enough. The Annex A controls you select flow directly from these decisions, and your Statement of Applicability records which controls apply and why any are excluded.
The reason this matters in practice is that auditors will trace your controls back to your risk assessment. Controls that appear from nowhere, or a risk assessment that bears no relation to your actual operations, are among the clearest signs that an ISMS exists only on paper. A genuine, well-reasoned risk assessment is both the quickest route to a right-sized ISMS and the strongest foundation for passing an audit.
Evidence and documents involved
An ISO 27001 ISMS produces a recognisable body of documentation, typically including:
- The ISMS scope and information-security policy
- A risk assessment methodology, risk register and risk treatment plan
- The Statement of Applicability justifying included and excluded controls
- Supporting policies (access control, supplier security, incident management, and so on)
- Records of internal audits, management reviews and corrective actions
- Evidence that selected Annex A controls are operating — logs, training records, access reviews
The auditors look not just for documents but for evidence that the system is genuinely lived day to day.
The management system is the point
Newcomers often assume ISO 27001 is mostly about the Annex A controls, and are surprised to learn that the mandatory management clauses are where certification is really won or lost. The clauses require leadership to be genuinely engaged, objectives to be set and measured, internal audits to be carried out, and a formal management review to take place — and then, crucially, for the organisation to act on what all of that reveals. This is the “continual improvement” loop that gives the standard its longevity. A set of well-written policies with no evidence that anyone reviews them, audits them or improves them will not satisfy an auditor, however comprehensive the controls look on paper. The system is designed to be lived: risks change, the business changes, and the ISMS is meant to keep pace. Understanding this early saves a lot of wasted effort, because it steers you toward building something sustainable rather than a binder that is dusted off once a year.
Common mistakes
- Over-scoping too early, making the first certification far heavier than it needs to be.
- Treating Annex A as a checklist rather than letting the risk assessment drive control selection.
- A Statement of Applicability that does not match reality, with controls claimed but not implemented.
- Skipping the “management system” work — internal audits and management reviews are mandatory, not optional extras.
- Going for the Stage 2 audit before the ISMS has run long enough to generate credible records.
How it relates to the other standards
ISO 27001 is the broadest framework we work with, and much of your other compliance can nest inside it:
- Cyber Essentials and Cyber Essentials Plus provide a verified technical baseline that supports Annex A technological controls.
- The DSPT and UK GDPR obligations map neatly onto ISMS policies and controls, reducing duplication.
- IASME Cyber Assurance offers a proportionate, ISO-aligned alternative for organisations not yet ready for full certification.
- An outsourced DPO can integrate data-protection governance directly into your ISMS.
Terms such as ISMS, Statement of Applicability and nonconformity are defined in our glossary.
How 360 Cyber Compliance helps
ISO 27001 is the most substantial standard on this site, and the biggest risk for a first-time applicant is doing far more work than necessary — or far less than the auditors expect. We help you find the right balance, working on a transparent fixed-fee engagement with a clear, staged delivery process.
We support you to scope sensibly, run a practical risk assessment, build an ISMS that fits how you actually operate, and produce the documentation and records a UKAS-accredited body will look for across Stage 1 and Stage 2. We help you run your first internal audit and management review, prepare for the audits, and respond to any findings — then keep the ISMS healthy through surveillance and recertification.
We provide practical support throughout the assessment and never promise certification, because that decision rests with the independent certification body. What we offer is a well-structured, honest route that makes the audits as smooth as they can realistically be.
What life looks like after certification
It is worth remembering that ISO 27001 is not a one-off achievement but an ongoing commitment. After Stage 2, the certification body returns for annual surveillance audits to confirm the ISMS is still operating, and you go through a fuller recertification audit every three years. Between those visits, your own internal audits, management reviews and improvement actions keep the system healthy. This rhythm is a feature rather than a burden: it is what stops security from quietly decaying once the initial push is over. We can stay involved to help you run that cycle — preparing for surveillance visits, keeping your risk assessment and Statement of Applicability current, and making sure the ISMS continues to reflect how you actually work. Get in touch to talk about your scope and timeline.
What you'll receive
- A defined ISMS scope and context
- An information security risk assessment and treatment plan
- A full policy and procedure set
- A Statement of Applicability (SoA)
- Internal audit and management review support
- Stage 1 and Stage 2 certification audit support
On your own vs. with 360 Cyber Compliance
| On your own | With us |
|---|---|
| Interpret the standard clause by clause | We translate ISO 27001 into a right-sized ISMS |
| Build every policy from a blank page | Proven templates tailored to your business |
| Guess your scope and Statement of Applicability | We define scope and SoA to keep effort proportionate |
| Face the audit alone | We prepare you for and support Stage 1 and Stage 2 |
A typical timeline
- 1
Month 1
Gap assessment, scope and context of the ISMS
- 2
Month 2
Policies, procedures and documentation
- 3
Month 3
Risk assessment and Statement of Applicability
- 4
Month 4
Implement controls and embed the ISMS
- 5
Month 5
Internal audit and management review
- 6
Month 6
Stage 1 and Stage 2 certification audits
Indicative only — your timeline depends on your starting point, size and deadline.
Who we help with ISO 27001
Example engagements
Guiding a SaaS provider to first-time ISO 27001 certification
A growing software company kept losing enterprise deals at the security-review stage because it could not show a recognised information security certification, and needed ISO 27001 to unlock larger contracts.
The provider passed its Stage 2 audit and gained a certification it could put in front of enterprise buyers during procurement.
Read the example →A first ISO 27001 certification for a growing SME
A professional services firm was being asked for ISO 27001 by prospective clients but feared the standard was designed for large corporations and would overwhelm a team of its size.
The SME achieved certification with a management system sized for its business, not a copy-paste corporate framework.
Read the example →Learn more about ISO 27001
How to conduct an ISO 27001 risk assessment: a step-by-step guide
A practical, plain-English guide to running an ISO/IEC 27001:2022 information security risk assessment, from identifying risks to building a treatment plan.
ISO 27001 Annex A controls explained: the 93 controls and 4 themes
A plain-English guide to the 93 Annex A controls in ISO/IEC 27001:2022, grouped across the four themes, and how to select the ones that fit your risks.
ISO 27001 cost and timeline: the factors that drive them
What really drives the cost and timeline of ISO/IEC 27001:2022 certification for SMEs, from scope and size to readiness, and how to plan a realistic budget.
ISO 27001 documentation checklist: what you actually need
A practical checklist of the mandatory documents and records required for ISO/IEC 27001:2022 certification, and how to keep them lean and audit-ready.
ISO 27001 for software companies: a practical guide
Why software firms pursue ISO/IEC 27001:2022, the controls that matter most for SaaS and dev teams, and how to fit an ISMS around modern development.
ISO 27001 internal audits: a practical guide
Why internal audits are mandatory under ISO/IEC 27001:2022, how to plan and run them, who can audit, and how they feed the management review and certification.
ISO 27001 across London
We support organisations in these boroughs — and remotely across the rest of the UK.
Why choose us for ISO 27001
Care & health specialists
DSPT, CQC expectations and NHS data flows are our day job, not a sideline.
Transparent fixed-fee engagements
A clear scope and price agreed up front — no open-ended day rates.
Remote delivery, UK-wide
Almost everything is done remotely, wherever you are in the country.
Award-winning expertise
Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.
Practical, plain-English support
Clear guidance and templates throughout the assessment — no jargon.
Ongoing support
Annual renewals, surveillance audits and everyday advice after you are certified.
Frequently asked questions
How long does ISO 27001 take?
Typically 3–6 months for a well-prepared SME, longer for larger or lower-maturity organisations.
Is the audit remote?
Consultancy is remote; the UKAS-accredited certification audit can be remote or hybrid.
What is the Statement of Applicability?
The SoA lists the Annex A controls, whether each applies, and why — it's a central certification document.
What are Stage 1 and Stage 2 audits?
Stage 1 checks your documentation and readiness; Stage 2 tests whether your ISMS works in practice. Passing both leads to certification.
Do we need a consultant?
It's not mandatory, but a consultant keeps the ISMS proportionate, avoids over-documentation and shortens the path to certification.
What happens after certification?
Annual surveillance audits check the ISMS is maintained, with full recertification every three years.
Get started with ISO 27001
Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.
- Plain-English, jargon-free advice
- Fixed-price quotes — no surprises
- Delivered remotely across the UK