Cybersecurity GRC · ISO 27001 Certification

ISO 27001: certified,
and still certified the year after.

Required in tenders, requested by insurers, scrutinized in due diligence: ISO 27001 has become the proof of digital trust. I support you from gap analysis to certification audit, and over time, with no paper compliance.

The engagement

What the mission covers.

Gap analysis

Assessment against the standard's requirements and the 93 controls of Annex A (2022 version), with a prioritized, costed action plan separating what protects from what documents.

ISMS build

Scope, risk analysis, statement of applicability, policies and living governance: a management system built for your real risks, not for the auditor.

Mock audit and certification

Team readiness, mock audit, support through both stages of the certification audit, findings addressed through to certification.

Surveillance and corrective action plans

Preparation of annual surveillance audits, management of corrective action plans on non-conformities through to closure: certification is a cruising regime, not a finish line.

References

Engagements delivered through the audit, not just the report.

My ISO 27001 references cover the full cycle: certification support delivered through the audit with a certification body, and corrective action plans managed in surveillance audit contexts, with dozens of non-conformities addressed and tracked to closure. The same foundation then serves NIS2 and DORA.

A commitment of method: no paper certification. An ISMS built for the auditor rather than for the risks collapses at the first surveillance audit, or the first incident.
Frequently asked questions

What I get asked about ISO 27001.

How long does certification take?

From 6 to 18 months depending on the starting maturity and the certified scope: gap analysis, ISMS build, control deployment, mock audit, then the two-stage certification audit. A milestone-driven journey avoids the two classic pitfalls: the project that stalls and the paper certification.

What happens after the certificate?

The certificate is valid for three years, with a surveillance audit every year and recertification at the end of the cycle. Non-conformities raised call for corrective action plans tracked to closure: this is often where organizations need support the most.

Do you take over existing ISMS?

Yes, and it is a frequent case: taking over an existing ISMS, preparing a surveillance audit, managing a corrective action plan after major non-conformities. My references include precisely this type of engagement.

Free resource

Test your ISO 27001 maturity for free.

6 pillars, 36 questions, 8 minutes. Walk away with a snapshot of your gap to certification and your priorities.

Start the self-assessment

Aim for the certificate that lasts.

One 30-minute call and you know where you stand, the realistic trajectory and under what conditions to move forward.

Book a qualification call

First call free, no commitment. See also the Cybersecurity GRC page.