ISO/IEC 27001:2022

An ISMS that certifies — and continues to.

A certifiable Information Security Management System aligned to ISO/IEC 27001:2022 and the Annex A controls, engineered to survive its second and third surveillance audits, not just its first.

01 — Overview

ISO 27001 is a certifiable standard, not a report. Once granted, certification lasts three years, subject to annual surveillance audits and a full recertification in year three.

Most ISMS implementations fail not at certification, but eighteen months later — when the appointed information security manager has left, the risk register has calcified, and the Statement of Applicability no longer resembles the business.

Cyber Inspect builds ISMSs that outlast the consultant. We embed the management system into how your organisation already operates, so the certificate you receive in year one is defended by your own people in year three.

02 — Engagement

Our approach.

  1. I

    Context, scope, and ISMS charter

    We define the scope, interested parties, and ISMS boundary — and secure the executive commitment ISO requires clause-by-clause.

  2. II

    Risk assessment & treatment

    A rigorous risk methodology, populated risk register, and defensible risk treatment plan aligned to Annex A.

  3. III

    Control design & implementation

    The 93 Annex A controls, applied to your environment — with a Statement of Applicability that a lead auditor can defend.

  4. IV

    Documentation & internal audit

    The full mandatory documentation set, plus an internal audit program that satisfies clause 9.2.

  5. V

    Certification audit facilitation

    We prepare you for Stage 1 and Stage 2, sit alongside you through the audit, and manage findings to closure.

03 — Deliverables

What you receive.

  • ISMS charter, scope statement, and context analysis
  • Risk assessment methodology and populated risk register
  • Statement of Applicability, defensibly justified
  • Full mandatory ISO documentation set (clauses 4–10)
  • Annex A control implementation across all 93 controls
  • Internal audit program and management review pack
  • Certification body selection support
  • Stage 1 and Stage 2 audit facilitation
  • Surveillance audit support for years two and three

04 — Timeline

Expected duration.

Sixteen to twenty-four weeks from kickoff to Stage 2 audit is typical. Organisations with existing SOC 2, HITRUST, or NIST alignment often compress this substantially. Certification bodies then require six to ten weeks to issue the certificate.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

ISO 27001 or SOC 2 — which should we pursue?+

SOC 2 for a North American enterprise sales motion. ISO 27001 for international buyers, regulated sectors, and any government-adjacent work. Many clients hold both and use one program to feed the other.

Do you handle ISO 27701 as well?+

Yes. ISO 27701 is a privacy extension that layers onto an existing ISO 27001 ISMS. We frequently run 27001 and 27701 as a single engagement.

Which certification bodies do you work with?+

We support all UKAS and ANAB-accredited certification bodies. Our selection guidance considers your buyer market, sector, and long-term surveillance cost.

What happens after we're certified?+

The ISMS needs annual internal audit, management review, and surveillance audit support. Our managed ISMS retainer clients pass surveillance without disruption; we recommend it for the first three-year cycle.