ISO 27001 is the international standard for information security management systems. European, Middle Eastern, and Asia-Pacific enterprise buyers require it. We build and certify your ISMS from gap assessment to issued certificate — and stay through every annual surveillance audit.
14–20 weeks to initial certification
ISO 27001 ISMS certificate + surveillance audits
Senior advisor — not a junior
98% of clients pass their audit
Fixed fee — agreed upfront
ISO 27001 is the international standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving a systematic approach to managing sensitive company information.
Unlike SOC 2, which is an attestation report produced annually by a CPA firm, ISO 27001 is a certification issued by an accredited certification body (typically a registrar accredited by UKAS, DAkkS, or an equivalent national accreditation body). The certification is valid for three years, with annual surveillance audits in years two and three, and a full re-certification audit in year three.
ISO 27001 is the preferred or required information security standard for enterprise buyers in the United Kingdom, European Union, Middle East, Singapore, Australia, and most other international markets. For US-based technology companies expanding internationally, or for any company competing for contracts with UK, EU, or Middle Eastern enterprises, ISO 27001 certification is the international equivalent of SOC 2 — and increasingly, enterprise buyers require both.
ISO 27001:2022 organises its controls into four themes and 11 Annex A control domains. We build every control specifically for your organisation’s architecture, risk profile, and business context.
Your information security policy framework — the documented management commitment to information security, the policies that govern every area of your ISMS, and the governance structure that ensures policies are implemented, reviewed, and enforced. This is where your ISMS begins and where auditors look first.
Roles, responsibilities, and accountability for information security across your organisation. Includes segregation of duties, contact with authorities and special interest groups, and information security in project management. For cloud-native companies, this covers the governance model for your cloud environments and your SaaS tool stack.
Security responsibilities in employment contracts, background screening, information security awareness training, and the secure offboarding process. For fast-growing companies, people controls are often the most significant gap — particularly around joiners, movers, and leavers processes and access revocation.
Controls for your office environments, server rooms, clean desk policy, and the physical protection of information processing facilities. For cloud-native companies, this section is largely satisfied through your cloud provider's ISO 27001 certification — but your office and home working environments remain in scope.
The technical controls that form the backbone of most ISO 27001 programmes: network security, cryptography, system acquisition and development, vulnerability management, backup and recovery, logging and monitoring, and malware protection. This is where the majority of engineering implementation effort is focused.
Supplier security assessments, contractual security requirements, and monitoring of supplier service delivery. Alongside: your incident management procedures, learning from incidents, and evidence of a tested incident response capability. Financial services and healthcare buyers scrutinise both areas closely.
For UK, EU, Middle Eastern, and Asia-Pacific enterprise buyers, ISO 27001 is the standard they recognise. We will tell you whether you need ISO 27001 alone, alongside SOC 2, or whether a combined programme makes sense for your specific international expansion. 30-minute consultation, no cost.
We assess your existing controls against the ISO 27001:2022 Annex A control set and Statement of Applicability requirements. We define your ISMS scope — the business units, systems, locations, and services covered by your certification — and deliver a gap report with every finding mapped to the relevant Annex A control, classified by severity, with a prioritised remediation roadmap.
We build your ISMS — the policies, procedures, risk register, Statement of Applicability, asset inventory, and all Annex A controls required for your scope. We implement the technical controls alongside your engineering team and produce the documentation your certification body will review. This is the heaviest phase of the programme — and the phase where having experienced practitioners matters most.
ISO 27001 requires an internal audit and a management review before Stage 2 certification. We conduct your internal audit, document the findings, and facilitate your management review — providing the formal evidence your certification body will require to confirm your ISMS has been operating as described.
Your certification body conducts a Stage 1 documentation review and a Stage 2 on-site (or remote) audit. We prepare your team for both, manage the audit process, respond to any non-conformities raised, and stay engaged until your certificate is issued. 98% of our clients achieve certification at the first Stage 2 audit.
ISO 27001 certificates are valid for three years with annual surveillance audits in years two and three. We stay engaged through every surveillance cycle — maintaining your controls, updating your documentation as your business evolves, and ensuring your certificate remains valid and current.
A formal certification issued by an accredited certification body after a Stage 1 and Stage 2 audit. The certificate carries your registration number, the name of the accredited body, and a defined scope. This is what enterprise procurement teams mean when they ask if you are 'ISO 27001 certified.' It is a credentialled, third-party verified certificate — not a self-assessment or a gap report.
Some organisations implement ISO 27001 controls without pursuing formal certification from an accredited body. They are 'compliant with' ISO 27001 but not 'certified to' it. This distinction matters to enterprise buyers. Most will accept self-declared compliance for smaller contracts or early-stage relationships, but require a certificate for significant contracts, data processing agreements, or regulated industry sales. We recommend pursuing formal certification.
For companies selling to both North American and international enterprise buyers, a combined SOC 2 and ISO 27001 programme is the most efficient path to dual certification. The frameworks share substantial control overlap — access management, encryption, vulnerability management, incident response — and we build these controls once to satisfy both, rather than running two sequential programmes. Combined programmes typically save 30–40% in time and advisory cost compared to sequential certifications.
If your question is not here, just email us — we will give you a straight answer.
SOC 2 is the primary standard used by North American enterprise buyers. ISO 27001 is the international standard recognised by European, UK, Middle Eastern, and Asia-Pacific enterprise buyers. Both provide independent third-party assurance of your security programme — but they are issued by different types of auditors, cover different control frameworks, and satisfy different buyer populations. Most international companies build both using a combined programme.
ISO 27001 certification typically takes 14–20 weeks from engagement kick-off to certificate issuance, depending on the size and complexity of your environment. The process involves a gap assessment, ISMS implementation, internal audit and management review, and two formal certification audits (Stage 1 documentation review and Stage 2 on-site audit).
ISO 27001 costs have two components: advisory fees and certification body fees. Certification body fees vary by registrar and scope but typically range from £8,000–£25,000 for the initial certification cycle (Stage 1, Stage 2, and three years of surveillance). Advisory fees depend on programme scope. At SOC 2 Advisory, all engagements are fixed-fee — your total investment is agreed upfront before any work begins.
Yes — and for most companies selling to both US and international buyers, a combined programme is significantly more efficient than two sequential certifications. The frameworks share substantial control overlap. We build these controls once, satisfy both frameworks simultaneously, and deliver both certifications on a single programme timeline. Combined programmes typically save 30–40% in time and cost.
For companies selling exclusively to North American buyers, SOC 2 alone is usually sufficient. If you are expanding into Europe, the UK, the Middle East, or Asia-Pacific, ISO 27001 is typically required by enterprise buyers in those markets. Most UK and EU enterprise procurement teams will not accept SOC 2 as a substitute for ISO 27001 — they are different standards serving different governance frameworks.
Book a free 30-minute consultation. A senior advisor will tell you whether you need ISO 27001 alone, alongside SOC 2, or combined — and give you a realistic timeline and cost estimate for your specific situation.
After remediation, confirm you are genuinely ready before your auditor arrives. Our readiness assessment runs the same tests your auditor will run.
We stay with you through the formal audit — managing auditor requests, reviewing evidence, and handling every question until your report is issued.
Financial services and fintech companies selling into European markets typically require both ISO 27001 and SOC 2. We specialise in the combined compliance stack for financial services technology vendors.