ISO 27001 without the theatre.
ISO 27001 has a reputation for eating a year and a small department. Most of that year is meetings. The work underneath is smaller than the folklore: a real risk assessment, a management system that fits how you actually run, and the evidence to pass an external audit. We have historically carried organisations through it solo, four consecutive years. One senior ISO 27001 consultant, no committee required.
21-day ISO Readiness
Deadline Guaranteed
Audit-Ready
Truth Over Comfort
Whole-Estate Diagnosis
Senior-Led Execution
ISO 27001 isn’t paperwork. It’s proof.
The myth is that ISO 27001 is a year of writing policies. The truth is nearly the opposite. You can write every policy in a fortnight and still fail, because the auditor is not marking your prose. They are checking whether the thing you wrote down is the thing you actually do. A folder of immaculate documents describing a company that does not exist is the most common way to fail.
At its core it is three things working together. A clear-eyed look at what could go wrong, which is the risk assessment. A set of controls and habits that answer those risks, which is the management system, the ISMS. And evidence that you genuinely operate them. Get those real and the certificate follows. Fake them and the certificate, if it even arrives, protects nobody.
Most of the year that other people spend goes on meetings about who will write the document describing the meeting. Done by one person who has built and held a certified system before, that wasted motion vanishes and what remains is the actual work. Smaller than it looks. Heavier than it sounds.
What is ISO 27001?
ISO 27001 is the international standard for information security management. It does not hand you a shopping list of gadgets. It asks you to build a system, an Information Security Management System, or ISMS, that finds your risks, decides what to do about each, and keeps doing it.
Certification means an independent, accredited body has examined that system and confirmed it is real and working. Unlike a self-assessment, you cannot mark your own homework: an external auditor does, on a cycle that repeats for as long as you hold the badge. That is exactly why it carries weight with the customers who ask for it.
What an ISMS actually needs
Strip away the folklore and a working ISMS is a handful of moving parts. A defined scope, so everyone knows what is covered and what is not. A risk assessment that is honest rather than decorative. A set of controls chosen to match those risks, justified in a document the auditor reads closely. And the unglamorous rhythm that keeps it alive: internal audits, management reviews, and proof you act on what they find.
The 2022 version of the standard sorts its controls into four themes and expects you to say, for each, whether it applies and why. This is the Statement of Applicability, and it is where shortcuts go to die. An honest one takes thought. A copied one collapses under the first real question.
None of this needs a year. It needs someone who has assembled the parts before and knows which ones an auditor actually leans on.
How long does it take?
Weeks of focused work, not the quarters of folklore, when someone who has done it leads. The honest variable is your starting point. A business already running sensible security, perhaps already holding Cyber Essentials, is closer than it thinks, because many of the same controls feed straight into the standard. A business starting from a blank page needs longer, mostly to build evidence rather than to write documents. After certification, the standard never quite finishes: a surveillance audit each year keeps the badge, and a fuller recertification comes round every three. The work is front-loaded. The upkeep is light, if it was built to be lived in rather than filed.
What does ISO 27001 cost?
There is no single number, and anyone offering one before seeing your business is selling a package, not a price. The cost splits into parts that behave very differently. One you cannot avoid, one you can shrink, and one most people forget.
The unavoidable part is the certification body. An accredited auditor charges by the day to run the two-stage initial audit and the surveillance visits after it, scaled to your size and scope. The shrinkable part is getting ready: with someone who has been through it, the wasted months evaporate; alone, the cost is paid in time and false starts. The forgotten part is ongoing, the annual surveillance and the three-yearly recertification, which is why a system built to be maintained cheaply is worth more than one crammed together to pass once.
We will not be the lowest quote. We will be the one that gets you certified without the year, and leaves you with a system that does not cost a fortune to keep.
What to actually budget for.
The audit fee is the part everyone quotes and the smallest part of the truth. Here is the fuller picture, so nothing ambushes you halfway through.
| What | Typical | Notes |
|---|---|---|
| Certification body audit | Day-rated, scaled to scope | Stage 1 plus Stage 2, then a surveillance audit each year. The unavoidable external cost. |
| Getting ready | Weeks with senior help, months alone | The line a good consultant shrinks the most. |
| Internal time | Real hours, not zero | Your people gathering evidence, attending the audit, owning controls. |
| Tooling | Nothing, up to monthly software | A spreadsheet runs a small ISMS perfectly well. Platforms help at scale. |
| Ongoing cycle | Yearly, then every third year | Surveillance audits, then full recertification. Budget for the badge you keep, not just the one you win. |
What catches people out.
– The document trap. They write beautiful policies and assume that was the job. The auditor asks for evidence the policy was followed, and the room goes quiet.
– The scope dodge. Draw it too narrow and the certificate means nothing to the customer who asked. Too wide and you drown. Scope is a decision, not a default.
– The unaccredited certificate. Not every “ISO 27001 certificate” comes from a properly accredited body. The cheap ones are not worth the frame, and the serious customers checking will know the difference.
– The forgotten rhythm. Internal audits and management reviews are mandatory, not optional, and they are the first thing missing when the surveillance auditor comes back.
– The version hangover. The standard moved to its 2022 shape. Anything still built the old way needs bringing across before it counts.
– The mix-up. ISO 27001 is the standard you certify against. ISO 27002 is the guidance. People buy the wrong document and wonder why nobody will audit them.
What an ISO 27001 consultant actually does.
01. Scope and assess
Decide what the system covers, then look honestly at what could go wrong inside it. Get the scope wrong here and everything downstream is either pointless or enormous.
Scope definition
Risk assessment
Gap analysis
Asset & control mapping
02. Build the system
Assemble the ISMS to fit how you really operate, not a template of how a textbook company operates. Controls chosen for reasons you can defend out loud.
ISMS build
Policy set
Statement of Applicability
Annex A control selection
03. Make it run
A standard you only perform for the audit fails the audit. The habits go in and start producing the evidence an assessor will ask to see.
Internal audit
Management review
Evidence collection
Staff awareness
04. Pass and keep it
Through the two-stage audit, then built to survive the years after it without becoming a second job. Certified, and still certified next year.
Stage 1 & 2 readiness
Certification body liaison
Surveillance support
Recertification plan
A perfect binder. An empty company.
Ask an AI to produce an ISMS and it gives you something remarkable: a full set of policies, a risk register, a Statement of Applicability, all polished, all overnight. It describes a beautifully secure organisation. The only flaw is that the organisation does not exist. ISO 27001 was never a test of whether you can produce the documents. It is a test of whether you do the things the documents claim. An auditor pulls one thread, asks to watch it happen, and the generated binder unravels in a sentence. The writing was always the easy part. Operating it, every day, when nobody is watching, is the part no model can do for you. Knowing the difference is the job.
What you will not get here.
No year of meetings to decide who attends the next meeting. No certificate from a body nobody serious recognises. No ISMS that lives in a folder and dies the day the auditor leaves. We will tell you if Cyber Essentials is genuinely all you need, even though it is the smaller job, because selling you a standard you do not require is the quickest way to be the consultant you never call again. The certificate has to mean something. We build the system that makes it true.
Q&A: PCI DSS Basics
What Is an ISO 27001 Consultant?
Someone who builds and runs the management system for you, or with you, and gets it through an external audit. The useful ones have held a live certificate themselves, not just advised on one. We have taken an organisation through it solo, four consecutive years, including the annual audits that keep it.
What Is ISO 27001?
The international standard for information security management. It asks you to build a system, an ISMS, that finds your risks, decides what to do about them, and proves you keep doing it. An accredited external body audits it, which is why customers trust it more than a self-assessment.
What’s the Difference Between ISO 27001 and ISO 27002?
ISO 27001 is the standard you certify against: the requirements for the management system. ISO 27002 is the guidance that explains the controls in more depth. You are audited against 27001. 27002 just helps you build it. People buy the wrong one constantly.
How Long Does ISO 27001 Certification Take?
Weeks of focused work with someone who has done it, longer if you start from nothing and have to build evidence from scratch. Already holding Cyber Essentials shortens it, because many controls overlap. The myth of a full year is mostly meetings, not work.
How Much Does ISO 27001 Cost?
Three parts: the accredited auditor’s day-rated fee (unavoidable), getting ready (the part a good consultant shrinks), and the ongoing surveillance and recertification cycle (the part people forget). There is no honest single number before someone has seen your scope. Anyone giving you one is quoting a package.
Do I Need ISO 27001, or Is Cyber Essentials Enough?
Often Cyber Essentials is enough, and we will say so. ISO 27001 earns its cost when large customers, regulated sectors or international deals demand it, or when a competitor who holds it is beating you to contracts. If nobody is asking, the cheaper certificate may serve you better.
Does an ISO 27001 Certificate Expire?
It runs on a three-year cycle. An accredited body audits you initially, checks you each year with a surveillance audit, and fully recertifies you in year three. Skip the upkeep and you lose it, which is why a system built to be lived in beats one crammed together to pass once.
Can AI Build My ISMS?
It can write every document overnight, and they will look immaculate. It cannot make your organisation actually do what they describe, and that is the only thing the auditor checks. A generated binder for a company that does not operate it fails on the first real question.
AI will write you a flawless security policy overnight. The auditor will ask who actually follows it.
Find out if you even need it.
Most ISO enquiries start with a customer demand or a tender requirement, and a fair number of those turn out not to need the full standard at all. A short call is usually enough to tell you whether ISO 27001 is genuinely the thing being asked for, how far your existing security already carries you, and what an honest timeline looks like for your scope.