Policy no one follows
A neatly approved security policy, and an organisation that works around it in practice. It exists, it is signed off, and it steers no decision at all.
Your ISO 27001 certificate is on the wall and the policy is written. Yet the sharpest audit finding is rarely a missing control. It is a control that runs without anyone being able to show that it runs. That gap sits between paper and practice. That is where we go in.
The problem
Three patterns that come back every audit cycle. Not because the policy is wrong, but because it does not touch the practice.
A neatly approved security policy, and an organisation that works around it in practice. It exists, it is signed off, and it steers no decision at all.
The control does work. But the evidence is missing, out of date, or comes from a system that no longer exists. On the audit date, only what you can show counts.
Being certified is not proof that the system works; it is a starting point. The question is whether the cadence still runs on a Tuesday in March, after the auditor has gone.
How we do it
Not standing up a new system. We close the gap between what is documented and what happens, in an order that holds.
We first map where policy deviates from practice, where the evidence is incomplete, and where no owner has been named. The result is not a maturity score, but a list you can pick up tomorrow.
You do not close the gap with new policy, but with procedures: who does what, in which step, and what evidence falls out of it. Policy sets the direction; the procedure closes the gap.
We test whether the control works, not whether it is written down. Designed and present is not the same as working under pressure.
Risk assessment, controls, evidence, internal audit and management review as one running cycle. After that it runs itself, and we only come back when you call us.
What you keep
The distinction
The market delivers an ISMS implementation: a set of documents, a certificate, done. We start at the diagnosis, where paper falls out of step with practice and what it takes to make it work.
Operating effectiveness over design and existence. A control only counts when it holds under pressure, not when it is written down. And an ISMS does not stand alone: it connects risk, controls, detection and architecture into one whole you answer for to your board.
Not a stack of policy for the audit folder, but a working system that steers day to day. The document is a means, not an end.
Not a report of recommendations with the execution left to you. The same senior who runs the baseline writes the procedures and tests whether they work.
The cadence is transferable and keeps running when the team changes. No dependence on one person or one provider.
Get started
Not a months-long implementation. One conversation in which we decide where paper and practice drift apart, and what it takes to make the cadence run.
Plan a conversation