ISO 27001 & ISMS

ISO 27001 that works once the auditor has gone.

Your ISO 27001 certificate is on the wall and the policy is written. Yet the sharpest audit finding is rarely a missing control. It is a control that runs without anyone being able to show that it runs. That gap sits between paper and practice, and that is where we go in.

Frames: ISO 27001:2022, NIS2 art. 21, NIST CSF 2.0, BIO
For whom: CISO, security manager, board
Lead time: baseline in 3-4 weeks, a working cadence in 3-6 months

The problem

An ISMS on paper steers nothing.

Three patterns come back every audit cycle. Not because the policy is wrong, but because it never touches the practice.

Policy no one follows

A neatly approved security policy, and an organisation that works around it in practice. It exists, it is signed off, and it steers no decision at all.

Evidence that does not hold on the date

The control does work. But the evidence is missing, out of date, or comes from a system that no longer exists. On the audit date, only what you can show counts.

An ISMS as a tick-box

Being certified is not proof that the ISMS works; it is a starting point. The question is whether the cadence still runs on a Tuesday in March, when the auditor has gone.

How we do it

First measure where paper and practice drift apart.

We do not stand up a new system. We close the gap between what is documented and what actually happens, in an order that sticks.

01 Baseline

Where policy deviates from practice, where the evidence is incomplete, and where no owner has been named. Not a maturity score, but a list you can pick up tomorrow.

02 Policy and procedures

You do not close the gap with new policy, but with procedures: who does what, in which step, and what evidence falls out of it. Policy sets the direction; the procedure closes the gap.

03 Test that it works

We test whether the control works, not whether it is written down. Designed and in place is not the same as working under pressure.

04 The cadence runs

Risk assessment, controls, evidence, internal audit and management review as one running cycle. After that it runs itself, and we only come back when you call us.

What you keep

A system that runs, not one that merely exists.

  • An ISMS that steers, instead of a folder gathering dust
  • Evidence that holds on any date, not only on the audit date
  • Ownership explicitly placed, per control
  • A board you can show that the right things are happening
  • A cadence you carry on yourself, with no dependence on one person

The distinction

Diagnosis before system

The market delivers an ISMS implementation: a set of documents, a certificate, done. We start with the diagnosis: where paper falls out of step with practice, and what it takes to make it work.

Operating effectiveness over design and existence. A control only counts when it holds under pressure, not when it is written down. And an ISMS does not stand alone: it connects risk, controls, detection and architecture into one whole that you answer for to your board.

An operating model, not a document set

Not a stack of policy for the audit folder, but a working system that steers day to day. The document is a means, not an end.

Our seniors deliver it too

Not a report of recommendations with the execution left to you. The same senior who runs the baseline writes the procedures and tests whether they work.

It stays yours

The cadence is transferable and keeps running when the team changes. No dependence on one person or one provider.

Get started

Does your ISMS run, or does it only exist?

Not a months-long implementation. One conversation in which we establish where paper and practice drift apart, and what it takes to make the cadence run.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation, or call directly: 088 - 163 23 25