ISO/IEC 27001:2022
A certifiable Information Security Management System aligned to ISO/IEC 27001:2022 and the Annex A controls, engineered to survive its second and third surveillance audits, not just its first.
01 — Overview
ISO 27001 is a certifiable standard, not a report. Once granted, certification lasts three years, subject to annual surveillance audits and a full recertification in year three.
Most ISMS implementations fail not at certification, but eighteen months later — when the appointed information security manager has left, the risk register has calcified, and the Statement of Applicability no longer resembles the business.
Cyber Inspect builds ISMSs that outlast the consultant. We embed the management system into how your organisation already operates, so the certificate you receive in year one is defended by your own people in year three.
02 — Engagement
We define the scope, interested parties, and ISMS boundary — and secure the executive commitment ISO requires clause-by-clause.
A rigorous risk methodology, populated risk register, and defensible risk treatment plan aligned to Annex A.
The 93 Annex A controls, applied to your environment — with a Statement of Applicability that a lead auditor can defend.
The full mandatory documentation set, plus an internal audit program that satisfies clause 9.2.
We prepare you for Stage 1 and Stage 2, sit alongside you through the audit, and manage findings to closure.
03 — Deliverables
04 — Timeline
Sixteen to twenty-four weeks from kickoff to Stage 2 audit is typical. Organisations with existing SOC 2, HITRUST, or NIST alignment often compress this substantially. Certification bodies then require six to ten weeks to issue the certificate.
Ready to begin?
A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.
Schedule the call →05 — FAQ
SOC 2 for a North American enterprise sales motion. ISO 27001 for international buyers, regulated sectors, and any government-adjacent work. Many clients hold both and use one program to feed the other.
Yes. ISO 27701 is a privacy extension that layers onto an existing ISO 27001 ISMS. We frequently run 27001 and 27701 as a single engagement.
We support all UKAS and ANAB-accredited certification bodies. Our selection guidance considers your buyer market, sector, and long-term surveillance cost.
The ISMS needs annual internal audit, management review, and surveillance audit support. Our managed ISMS retainer clients pass surveillance without disruption; we recommend it for the first three-year cycle.