We establish ISO 27001 and ISO 20000 management systems and prepare them for audit; a systematic framework closes control gaps and recurring audit findings.
EVIDENCEISO 27001ISO 27701KVKKDORA
01Current stateTopology, traffic, and dependency visibility.
02Target architectureSegmentation, capacity, and availability design.
03Controlled cutoverChange window, validation, and rollback plan.
04HypercareMonitoring, tuning, and operational handover.
The critical topics this service addresses and the outcome we deliver in each.
Standard-aligned management system
contract-scoped
We help you build a management system aligned with ISO 27001 (ISMS) and ISO 20000 (ITSM) requirements; the certification decision rests with the accredited body.
Certification-ready evidence set
evidence readiness
We organise the document set, including Annex A controls and the SoA, as an evidence file ready for the certification auditor's review.
Measurable SLA and resilience targets
measured target
We tie IT-service quality and response indicators to measurable SLA targets and acceptance criteria.
Audit and corrective-action ownership
published after approval
We own and evidence internal audit and corrective actions; the choice of certification body and the final decision remain yours.
Delivery model
Delivery approach
How we phase the service across delivery, governance, and connected service pillars.
01
We begin by defining current state and scope, building an asset inventory and clarifying control needs through risk-assessment workshops.
02
Using the shared High Level Structure of ISO 27001 and ISO 20000, we unify processes and support control implementation with technical configuration.
03
We keep the system alive through an internal-audit programme and management review, sustaining preparation ahead of surveillance audits.
Operating contexts
Example operating contexts
Illustrative surfaces where this service is commonly activated.
IT service provider
A service provider seeking to build ISO 27001 and ISO 20000 together as an integrated management system.
Recurring audit findings
Closing control gaps and recurring findings caused by the lack of a systematic framework.
Customer assurance request
Meeting enterprise customers' information-security assurance expectations with standard-aligned evidence.
DEPTH
Technical and compliance depth
This service's depth on sector-specific technical and compliance topics.
Risk assessment and SoA
We assess risk with ISO 27005, OCTAVE or FAIR methodology and tie the 93 controls to a customised statement of applicability.
Document and workshop set
We develop 40+ policies and 60+ procedures through workshops, supporting knowledge transfer and ownership.
Audit-cycle support
We sustain readiness on a cadence of two internal audits and one surveillance audit per year and track corrective actions.
What It Solves
Information security management without a structured framework results in reactive, inconsistently applied controls that satisfy neither security requirements nor audit expectations. ISO 27001 and ISO 20000 provide internationally recognized frameworks that systematize security governance, service delivery, and continuous improvement — transforming ad-hoc security practices into a documented, auditable management system. Our implementation service navigates organizations from initial gap assessment through certification in a structured, resource-efficient program that minimizes internal burden while maximizing certification readiness.
ISO 27001:2022 Information Security Management System (ISMS) implementation
ISO 20000-1:2018 IT Service Management System (ITSMS) implementation
Statement of Applicability (SoA) with 93 Annex A control assessments
Internal audit program establishment and lead auditor training
Key Benefits
Benefit
Support audit and compliance readiness with evidence records instead of unsupported public outcome promises
Benefit
Win regulated-sector contracts requiring certified ISMS as a prerequisite, expanding addressable market
Benefit
Make risk and response indicators visible through measured controls, rehearsed playbooks, and evidence review
Standards
ISO 27001:2022, ISO 27002:2022, ISO 20000-1:2018
Scope
Full organization or defined scope boundary (specific services/sites)
Certification Body
Accredited CB selection and audit coordination support
Surveillance
Annual surveillance audit support included for 3-year certification cycle
Scope
Our ISMS implementation engagement follows the ISO 27001 PDCA (Plan-Do-Check-Act) methodology across four phases: establish, implement, monitor, and improve. The establish phase defines the ISMS scope, organizational context, and risk management framework. Implement covers policy development, control implementation, and awareness training. Monitor establishes the internal audit program and management review process. Improve closes non-conformities and prepares for certification audit. ISO 20000 implementation follows a parallel structure focused on IT service delivery processes.
ISMS scope definition and organizational context analysis (ISO 27001 Clauses 4-5)
Information security risk assessment and risk treatment plan (ISO 27001 Clauses 6-8)
Annex A control implementation across all 4 domains and 93 controls
Management system documentation: policies, procedures, work instructions, and records
Key Benefits
Benefit
Deliver a fully documented ISMS with all mandatory documentation for certification audit readiness
Benefit
Establish a risk-based security program aligned to your specific asset, threat, and vulnerability landscape
Benefit
Integrate ISMS into existing IT governance structures, avoiding the parallel-bureaucracy antipattern
Role-based security awareness training with annual refresh cycle
Deliverables
The ISMS implementation delivers a complete, audit-ready management system including all mandatory and recommended documentation, a trained internal audit team, and a certification body engagement managed on the client's behalf. Post-certification, we provide surveillance audit support throughout the three-year certification cycle to ensure the ISMS remains conformant and effective. Clients also receive a security metrics framework enabling ongoing measurement and management review reporting.
Complete ISMS documentation library (40+ documents) in client-ready format
ISO 27001 Stage 1 and Stage 2 certification audit coordination and response support
Internal auditor training — ISO 27001 lead auditor certified facilitator
Corrective action management for Stage 1 and Stage 2 nonconformities
Key Benefits
Benefit
Support audit and compliance readiness with evidence records instead of unsupported public outcome promises
Benefit
Transfer fully capable internal audit team, reducing ongoing external support dependency after certification
Benefit
Maintain certification through the three-year cycle with annual surveillance audit support included
ISO 27001 internal auditor training (16 hours, includes practical exercises)
Surveillance
Annual surveillance audit pre-assessment and response support for 3 years
Frequently Asked Questions
What is the difference between ISO 27001 certification and compliance?
ISO 27001 compliance means implementing controls that align with the standard. ISO 27001 certification means an accredited third-party certification body has independently verified that your ISMS meets the standard's requirements through a documented audit process. Certification provides externally verifiable proof of compliance that satisfies customer due diligence, procurement requirements, and regulatory expectations that internal attestations cannot.
Does ISO 27001:2022 differ significantly from the 2013 version?
Yes. The 2022 update restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes, added 11 new controls (including threat intelligence, cloud security, and ICT supply chain security), and updated the organizational context requirements. Organizations certified to ISO 27001:2013 must transition to the 2022 version by October 2025. We support both new implementations and transition projects.
Can ISO 27001 be implemented for a specific service or department rather than the entire organization?
Yes. ISO 27001 allows flexible scope definition — certification can cover a single business unit, service line, data center, or geographic location. Scoped implementations typically complete faster and at lower cost while still providing meaningful certification value. We help define a scope that is commercially significant (satisfying customer requirements) while being practically achievable within your resource and timeline constraints.
How does ISO 20000 relate to ITIL?
ISO 20000 is the auditable standard that defines requirements for an IT Service Management System (ITSMS). ITIL is the process framework that provides practical guidance on how to implement those requirements. They are complementary: ITIL provides the operational methodology, and ISO 20000 provides the certification framework. An organization implementing ITIL practices is well-positioned to pursue ISO 20000 certification with relatively modest additional documentation effort.
What does the certification audit actually involve?
ISO 27001 certification involves two stages conducted by an accredited certification body. Stage 1 is a documentation review — the auditor verifies that your ISMS documentation meets the standard's requirements. Stage 2 is an on-site audit where the auditor interviews staff, reviews evidence, and tests whether documented controls are actually implemented and effective. We accompany clients through both stages and manage responses to auditor findings.
How much internal resource commitment is required for ISMS implementation?
Typical internal resource commitment is a scoped internal owner plus subject matter expert time during implementation, in addition to subject matter expert time for risk assessment workshops and policy reviews. We minimize this through structured workshop agendas, pre-populated document templates, and online collaboration tools that reduce meeting time and document review cycles compared to traditional consulting approaches.
Related service groups
Compare the other workstreams under the same pillar as well.