A SECURITY SYSTEM BUILT ON STANDARDS

Information Security Management Systems

We establish ISO 27001 and ISO 20000 management systems and prepare them for audit; a systematic framework closes control gaps and recurring audit findings.

ISO 27001ISO 27701KVKKDORA
01 Current state Topology, traffic, and dependency visibility.
02 Target architecture Segmentation, capacity, and availability design.
03 Controlled cutover Change window, validation, and rollback plan.
04 Hypercare Monitoring, tuning, and operational handover.
POSITION

Where this service sits in the portfolio

Capability card infographic for Information Security Management Systems
SERVICE SCOPE

What this service addresses

The critical topics this service addresses and the outcome we deliver in each.

Standard-aligned management system

contract-scoped

We help you build a management system aligned with ISO 27001 (ISMS) and ISO 20000 (ITSM) requirements; the certification decision rests with the accredited body.

Certification-ready evidence set

evidence readiness

We organise the document set, including Annex A controls and the SoA, as an evidence file ready for the certification auditor's review.

Measurable SLA and resilience targets

measured target

We tie IT-service quality and response indicators to measurable SLA targets and acceptance criteria.

Audit and corrective-action ownership

published after approval

We own and evidence internal audit and corrective actions; the choice of certification body and the final decision remain yours.

Delivery model

Delivery approach

How we phase the service across delivery, governance, and connected service pillars.

  1. We begin by defining current state and scope, building an asset inventory and clarifying control needs through risk-assessment workshops.

  2. Using the shared High Level Structure of ISO 27001 and ISO 20000, we unify processes and support control implementation with technical configuration.

  3. We keep the system alive through an internal-audit programme and management review, sustaining preparation ahead of surveillance audits.

Operating contexts

Example operating contexts

Illustrative surfaces where this service is commonly activated.

IT service provider

A service provider seeking to build ISO 27001 and ISO 20000 together as an integrated management system.

Recurring audit findings

Closing control gaps and recurring findings caused by the lack of a systematic framework.

Customer assurance request

Meeting enterprise customers' information-security assurance expectations with standard-aligned evidence.

DEPTH

Technical and compliance depth

This service's depth on sector-specific technical and compliance topics.

Risk assessment and SoA

We assess risk with ISO 27005, OCTAVE or FAIR methodology and tie the 93 controls to a customised statement of applicability.

Document and workshop set

We develop 40+ policies and 60+ procedures through workshops, supporting knowledge transfer and ownership.

Audit-cycle support

We sustain readiness on a cadence of two internal audits and one surveillance audit per year and track corrective actions.

What It Solves

Information security management without a structured framework results in reactive, inconsistently applied controls that satisfy neither security requirements nor audit expectations. ISO 27001 and ISO 20000 provide internationally recognized frameworks that systematize security governance, service delivery, and continuous improvement — transforming ad-hoc security practices into a documented, auditable management system. Our implementation service navigates organizations from initial gap assessment through certification in a structured, resource-efficient program that minimizes internal burden while maximizing certification readiness.

ISO 27001:2022 Information Security Management System (ISMS) implementation
ISO 20000-1:2018 IT Service Management System (ITSMS) implementation
Statement of Applicability (SoA) with 93 Annex A control assessments
Internal audit program establishment and lead auditor training

Key Benefits

Benefit

Support audit and compliance readiness with evidence records instead of unsupported public outcome promises

Benefit

Win regulated-sector contracts requiring certified ISMS as a prerequisite, expanding addressable market

Benefit

Make risk and response indicators visible through measured controls, rehearsed playbooks, and evidence review

Standards
ISO 27001:2022, ISO 27002:2022, ISO 20000-1:2018
Scope
Full organization or defined scope boundary (specific services/sites)
Certification Body
Accredited CB selection and audit coordination support
Surveillance
Annual surveillance audit support included for 3-year certification cycle

Scope

Our ISMS implementation engagement follows the ISO 27001 PDCA (Plan-Do-Check-Act) methodology across four phases: establish, implement, monitor, and improve. The establish phase defines the ISMS scope, organizational context, and risk management framework. Implement covers policy development, control implementation, and awareness training. Monitor establishes the internal audit program and management review process. Improve closes non-conformities and prepares for certification audit. ISO 20000 implementation follows a parallel structure focused on IT service delivery processes.

ISMS scope definition and organizational context analysis (ISO 27001 Clauses 4-5)
Information security risk assessment and risk treatment plan (ISO 27001 Clauses 6-8)
Annex A control implementation across all 4 domains and 93 controls
Management system documentation: policies, procedures, work instructions, and records

Key Benefits

Benefit

Deliver a fully documented ISMS with all mandatory documentation for certification audit readiness

Benefit

Establish a risk-based security program aligned to your specific asset, threat, and vulnerability landscape

Benefit

Integrate ISMS into existing IT governance structures, avoiding the parallel-bureaucracy antipattern

Documentation
Information security policy, SoA, risk register, asset inventory, 40+ supporting policies
Risk Method
ISO 27005-aligned qualitative risk assessment with likelihood/impact matrix
Controls
Technical (network, endpoint, access, crypto) + administrative + physical controls
Awareness
Role-based security awareness training with annual refresh cycle

Deliverables

The ISMS implementation delivers a complete, audit-ready management system including all mandatory and recommended documentation, a trained internal audit team, and a certification body engagement managed on the client's behalf. Post-certification, we provide surveillance audit support throughout the three-year certification cycle to ensure the ISMS remains conformant and effective. Clients also receive a security metrics framework enabling ongoing measurement and management review reporting.

Complete ISMS documentation library (40+ documents) in client-ready format
ISO 27001 Stage 1 and Stage 2 certification audit coordination and response support
Internal auditor training — ISO 27001 lead auditor certified facilitator
Corrective action management for Stage 1 and Stage 2 nonconformities

Key Benefits

Benefit

Support audit and compliance readiness with evidence records instead of unsupported public outcome promises

Benefit

Transfer fully capable internal audit team, reducing ongoing external support dependency after certification

Benefit

Maintain certification through the three-year cycle with annual surveillance audit support included

Document Count
40+ mandatory and supporting ISMS documents
Audit Support
Stage 1 preparation, Stage 2 audit accompaniment, nonconformity response
Training
ISO 27001 internal auditor training (16 hours, includes practical exercises)
Surveillance
Annual surveillance audit pre-assessment and response support for 3 years

Frequently Asked Questions

What is the difference between ISO 27001 certification and compliance?

ISO 27001 compliance means implementing controls that align with the standard. ISO 27001 certification means an accredited third-party certification body has independently verified that your ISMS meets the standard's requirements through a documented audit process. Certification provides externally verifiable proof of compliance that satisfies customer due diligence, procurement requirements, and regulatory expectations that internal attestations cannot.

Does ISO 27001:2022 differ significantly from the 2013 version?

Yes. The 2022 update restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes, added 11 new controls (including threat intelligence, cloud security, and ICT supply chain security), and updated the organizational context requirements. Organizations certified to ISO 27001:2013 must transition to the 2022 version by October 2025. We support both new implementations and transition projects.

Can ISO 27001 be implemented for a specific service or department rather than the entire organization?

Yes. ISO 27001 allows flexible scope definition — certification can cover a single business unit, service line, data center, or geographic location. Scoped implementations typically complete faster and at lower cost while still providing meaningful certification value. We help define a scope that is commercially significant (satisfying customer requirements) while being practically achievable within your resource and timeline constraints.

How does ISO 20000 relate to ITIL?

ISO 20000 is the auditable standard that defines requirements for an IT Service Management System (ITSMS). ITIL is the process framework that provides practical guidance on how to implement those requirements. They are complementary: ITIL provides the operational methodology, and ISO 20000 provides the certification framework. An organization implementing ITIL practices is well-positioned to pursue ISO 20000 certification with relatively modest additional documentation effort.

What does the certification audit actually involve?

ISO 27001 certification involves two stages conducted by an accredited certification body. Stage 1 is a documentation review — the auditor verifies that your ISMS documentation meets the standard's requirements. Stage 2 is an on-site audit where the auditor interviews staff, reviews evidence, and tests whether documented controls are actually implemented and effective. We accompany clients through both stages and manage responses to auditor findings.

How much internal resource commitment is required for ISMS implementation?

Typical internal resource commitment is a scoped internal owner plus subject matter expert time during implementation, in addition to subject matter expert time for risk assessment workshops and policy reviews. We minimize this through structured workshop agendas, pre-populated document templates, and online collaboration tools that reduce meeting time and document review cycles compared to traditional consulting approaches.

STARTING POINT

Where should the conversation begin?

This short form routes your request to the right support team. We clarify context first, then define the safe sharing method.

  1. We capture context
  2. We choose a safe channel
  3. We clarify the first direction

Privacy-aware first contact; safe sharing flow when needed; no sales pressure.

Main request topic