ISO 27001 - Information Security
Are we certified?
When enterprise customers ask for ISO 27001, investors raise it in due diligence, or contracts start to require it, being secure isn't the point; you need the certificate that proves it. For most growing businesses, certification has become table stakes for selling into regulated industries and larger enterprises.
ISO 27001 certification answers that question. We take small, fast-moving companies from initial scoping all the way to certification, then maintain the controls and evidence that keep you certified through surveillance and recertification audits, year after year.
In short
- A credible ISO 27001 certificate, achieved on the timeline your deal or investor needs.
- Evidence ready for questionnaires and due diligence, so security stops blocking deals.
- A programme that keeps you certified through surveillance and recertification audits, not just the first one.
What problems we solve
Getting certified is only half the job; staying certified is the rest. You're in the right place if any of these sound familiar:
“Customers keep asking if we're certified”
Enterprise buyers and procurement now expect ISO 27001 before they'll sign.
“We've no dedicated security lead”
Implementation stalls and fragments, and issues get flagged during the audit.
“We can't keep controls current”
Certification lapses, and you scramble to fix things before each surveillance audit.
“Our tools and infrastructure keep changing”
SaaS sprawl leaves evidence gaps and unclear ownership of controls.
“The rules keep moving”
Threats and regulations evolve, and controls drift from how you actually operate.
“Due diligence keeps stalling deals”
Buyers and investors want proof you take security seriously, and you can't show it quickly.
How ISO 27001 certification works
Implementation (3 to 6 months)
We agree scope and accountability, build your asset inventory and risk register, write the core policies, and support the controls that close the gaps.
Certification (external audit)
We run the first internal audit and management review, clear the readiness findings, and take you through the certification audit with the certification body.
Maintenance (12-month minimum)
We keep evidence, risks, and policies current and liaise with the certification body, so you pass surveillance and recertification audits without firefighting.
That's the high-level path. The full service description sets out every activity, assumption, and exclusion.
What we put in place
Each control is scoped to how you actually operate. If something genuinely doesn't apply (for example, if you don't host physical servers), we mark it out of scope rather than inventing work.
Who it's for
- 20 to 200 employees: large enough to face certification demands, small enough that enterprise templates would swamp the business
- Handling sensitive data: customer data, product information, or intellectual property that matters to your customers
- UK or Europe: subject to ISO 27001 expectations from enterprise buyers, investors, or regulators
- Under external pressure: procurement questionnaires, investor due diligence, or contractual certification requirements
- Some security already in place: MFA and centralised accounts exist, or can be put in quickly
What's not included
- Hands-on engineering (your team enables controls)
- Remediation actions you own and deliver
- Legal review of policies and contracts
- Certification body fees and scheduling
- Travel and on-site costs unless pre-agreed
You work with a named Lead Consultant who holds internationally recognised ISO 27001 implementation and audit qualifications, along with data protection credentials (CIPP/E, CIPM). They are your single point of contact, accountable for delivery. Where it helps, we pair them with a compliance automation platform such as Drata, so evidence is collected continuously and your status shows on a live dashboard instead of a periodic scramble.
Term and pricing
Phase 1: Implementation
3–6 months. Fixed fee.
Phase 2: Maintenance
12-month minimum. Recurring fee, renewable annually.
With SOC 2, vCISO, or DPO
Optional. Can be combined where it makes sense.
Exact figures depend on your size, your starting point, and how much needs putting in place. Use the calculator for an indicative estimate.
See whether ISO 27001 is the right move.
A short conversation is usually enough to tell whether certification is worth pursuing now, and whether Security Foundations should come first. If something else suits you better, we'll say so.