Back to Services

ISMS Policies & Certification

I'll walk alongside you through ISO/IEC 27001, building policies and preparing for certification with patient guidance.

Building Your Information Security Management System

ISO/IEC 27001 certification demonstrates your commitment to information security, opening doors to customers and partners who require it. But more than that, it helps you build genuinely better security practices. I’ll guide you through this journey with care and patience.

What I Provide

ISMS Implementation

  • Gap analysis against ISO/IEC 27001 requirements
  • Information security policy development
  • Risk assessment methodology
  • Statement of Applicability (SoA) creation
  • Control selection and justification
  • Management system documentation

Policy & Procedure Development

  • Security policies aligned with ISO 27001
  • Operating procedures for all controls
  • Work instructions for your team
  • Forms and templates
  • Clear, practical documentation your team will actually use

Risk Management

  • Asset inventory and classification
  • Threat and vulnerability identification
  • Risk assessment and treatment
  • Risk treatment planning
  • Ongoing risk monitoring

Control Implementation

  • Technical controls setup and configuration
  • Administrative controls establishment
  • Physical security measures
  • Organizational controls
  • Evidence collection and documentation

Certification Preparation

  • Internal audit planning and execution
  • Management review facilitation
  • Pre-certification readiness assessment
  • Non-conformity identification and correction
  • Certification body liaison
  • Audit support

Ongoing Maintenance

  • Annual surveillance audit preparation
  • Continuous improvement planning
  • Policy review and updates
  • Internal audit programs
  • Management review coordination

Who This Is For

  • Growing Businesses: Pursuing ISO 27001 to win larger customers
  • Security-Conscious Organizations: Wanting formal security management
  • Regulated Industries: Needing compliance framework
  • Businesses Requiring Certification: Customers or partners demanding ISO 27001

The Journey Together

Phase 1: Understanding (2-4 weeks)

  • Your business and current security state
  • ISO 27001 requirements and what they mean for you
  • Gap analysis and roadmap creation
  • Resource and timeline planning

Phase 2: Building (3-6 months)

  • Policy and procedure development
  • Risk assessment execution
  • Control implementation
  • Documentation creation
  • Team training

Phase 3: Preparation (1-2 months)

  • Internal audit execution
  • Management review
  • Pre-certification assessment
  • Correction of findings
  • Final readiness check

Phase 4: Certification (1-2 months)

  • Stage 1 audit support
  • Stage 2 audit support
  • Non-conformity resolution
  • Certification achievement

Phase 5: Maintenance (Ongoing)

  • Surveillance audit preparation
  • Continuous improvement
  • Annual management review
  • Regular internal audits

Important to Understand

ISO/IEC 27001 certification requires real commitment:

  • Time: Typically 6-12 months from start to certification
  • Resources: Your team’s time and participation
  • Investment: Certification body costs, potential tool purchases
  • Culture: Genuine organizational commitment to security
  • Ongoing: Maintaining certification requires continuous effort

I’m honest about what’s involved—this isn’t quick or easy, but it’s worthwhile.

My Approach

Practical Over Perfect: We build an ISMS that works for your business, not just checks boxes

Clear Communication: ISO 27001 can be complex—I translate it into plain language

Collaborative: This is your ISMS, not mine—I guide, you own it

Sustainable: We create systems you can maintain long-term

Supportive: Every organization struggles with some aspects—that’s normal and okay

What Makes This Different

Large consultancies might send different people each time or provide generic templates. I become part of your team, learning your business deeply and creating an ISMS that fits your reality.

This isn’t about generating documents to pass an audit—it’s about building security management that genuinely improves your organization.

Common Concerns I Address

  • “We’re too small for ISO 27001” - If you handle sensitive information, you’re not
  • “This will be too expensive” - I help you find cost-effective approaches
  • “We don’t have time” - We work at a pace that fits your capacity
  • “It’s too complicated” - I break it down into manageable pieces
  • “Will we pass?” - With proper preparation, absolutely

After Certification

The real work begins after certification. I help you:

  • Maintain compliance without it feeling burdensome
  • Prepare for annual surveillance audits
  • Continuously improve your ISMS
  • Integrate security into daily operations
  • Keep your team engaged

Investment in Your Future

ISO/IEC 27001 certification opens business opportunities, demonstrates commitment to security, and builds genuine protection for your information assets. I’ll walk this journey with you, providing patient guidance and expert support every step of the way.

Think of me as your trusted guide through what can seem like a complex process—making it manageable, practical, and ultimately valuable for your organization.