ISO 27001 readiness for growing businesses
We help UK SMEs build Information Security Management Systems that hold up under audit - practical risk management and security controls embedded in your operations, not just documented in a policy suite nobody reads.
What is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an organisation's approach to managing information security risks.
The current version - ISO 27001:2022 - requires organisations to identify information assets, assess the risks to those assets, select and implement appropriate controls from Annex A (or justify their exclusion), and demonstrate that the ISMS is operational and improving over time.
For SMEs, the practical focus is on: scoping the ISMS correctly, completing a documented risk assessment, producing a Statement of Applicability, implementing proportionate controls, and establishing internal audit and management review.
ISO 27001:2022 Annex A - four control themes
- Organisational controls: policies, roles, supplier relationships, information classification, incident management
- People controls: screening, terms of employment, security awareness, confidentiality agreements
- Physical controls: physical security perimeters, clear desk policy, equipment security, secure disposal
- Technological controls: access control, cryptography, secure development, vulnerability management, logging
How does ISO 27001 connect to ISO 9001?
Both standards share the same High Level Structure - so internal audit, management review, corrective actions, and risk-based thinking can be built once and used for both certifications. See combined readiness →
Sound familiar?
These are the situations we most commonly help businesses navigate on the path to ISO 27001.
A client or enterprise customer is asking for ISO 27001
Enterprise procurement teams and regulated sector clients increasingly mandate ISO 27001 or equivalent assurance. Without it, you may be disqualified from the tender or contract renewal.
We handle sensitive data but don't know if we're managing the risk properly
Holding customer data, employee records, or commercially sensitive information creates obligations. ISO 27001 gives you a structured framework for understanding and managing that risk.
We started a risk assessment but stalled
Information security risk assessments require a consistent methodology, a defined asset scope, and clear criteria for risk treatment decisions. Many organisations start and find the approach unclear without guidance.
We have policies, but no evidence they are followed
An information security policy that nobody has read - and that is not embedded in day-to-day operations - provides almost no assurance to an auditor. Certification requires demonstrated conformance.
How the engagement works
A structured, five-stage process from gap assessment to pre-certification review.
Gap Assessment & Scope Definition
Typical: 1–2 weeks
We assess your current information security posture against ISO 27001:2022 and define the scope of your ISMS - which assets, processes, locations, and people are in scope. You receive a gap assessment report with a prioritised readiness roadmap.
Risk Assessment
Typical: 2–4 weeks
We work with you to identify information assets, threats, vulnerabilities, and existing controls. Using a documented methodology, we produce a risk register with risk scores and treatment decisions - a core audit evidence requirement.
Statement of Applicability (SoA)
Typical: 1–2 weeks
We produce your Statement of Applicability - a control-by-control reference to all ISO 27001:2022 Annex A controls, documenting which are applicable, which are implemented, and which are excluded with justification. The SoA is a mandatory certification artefact.
Policy & Control Implementation
Typical: 4–8 weeks
We develop your information security policy suite, implement prioritised controls, and document procedures your team will actually follow. This includes access control, asset management, incident management, supplier security, and more.
Internal Audit & Management Review
Typical: 2–3 weeks
We establish your internal audit programme, conduct a pre-certification ISMS audit, and support your management review process. We identify any remaining non-conformances and help you resolve them before the certification body arrives.
Total typical timeline: 4–9 months from initial engagement to pre-certification review. Narrower scope or existing security practices can shorten this significantly.
What you get
A complete ISMS implementation - from risk assessment and SoA through to internal audit and management review.
Included as standard
- ISO 27001:2022 gap assessment report and scope document
- Information asset register and risk assessment methodology
- Risk register with treatment decisions and risk treatment plan
- Statement of Applicability (SoA) covering all Annex A controls
- Information security policy suite (core policies and supporting procedures)
- Internal audit programme and pre-certification ISMS audit
- Management review agenda, template, and evidence pack guidance
- Incident management procedure and response log
Optional add-ons
- Ongoing ISMS support during the certification process
- Supplier due diligence questionnaire template pack
- Staff security awareness training programme
- Stage 1 or Stage 2 audit accompaniment
- Post-certification annual maintenance and surveillance audit support
- Integration with ISO 9001 (combined readiness engagement)
Common questions
Not seeing your question? Get in touch
Does Systemantic certify us to ISO 27001?
No. Certification is granted by an accredited certification body following a successful audit. Our role is to implement and embed your ISMS so that it is genuinely audit-ready - documented, operational, and demonstrably conformant to the standard. We do not conduct certification audits.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
ISO 27001:2022 is the current version, published in October 2022. Organisations certified to the 2013 version were required to transition by October 2025. The 2022 version restructured and consolidated the Annex A controls (from 114 controls in 14 domains to 93 controls in 4 themes) and introduced 11 new controls. All new certifications should be to the 2022 version.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory ISO 27001 document. It references every control in Annex A of the standard and documents whether each control is applicable to your organisation, whether it is currently implemented, and - for excluded controls - the justification for exclusion. Certification bodies require the SoA as core audit evidence.
How long does ISO 27001 readiness take?
For most SMEs, a realistic timeline is 4–9 months from initial engagement to pre-certification review. ISO 27001 typically takes slightly longer than ISO 9001 due to the risk assessment process and the breadth of the Annex A controls. Organisations with existing security practices or a narrower scope can often move faster.
Do we need a Chief Information Security Officer (CISO)?
No. The standard requires that information security responsibilities are clearly assigned, but it does not mandate a CISO or a dedicated security team. Many SMEs appoint an existing manager as the ISMS owner and distribute specific responsibilities across roles. We help you design a workable governance structure for your size.
Can we do ISO 27001 and ISO 9001 at the same time?
Yes - and the efficiency gains are significant. Both standards share the same High Level Structure. Internal audit, management review, corrective actions, document control, and risk-based thinking are common to both. By pursuing them together, you build these elements once rather than twice. See our combined ISO + Operations engagement.
Related services
ISO 9001 Readiness
Build your Quality Management System alongside your ISMS.
ISO + Operations (Combined)
Pursue ISO 9001 and 27001 readiness together using an integrated approach.
Business Analysis & Systems
Process mapping, systems design, and operational leadership for growing teams.
Ready to begin your ISO 27001 readiness journey?
Book a free 30-minute readiness call. We will discuss your current security posture, define what scope makes sense for your organisation, and outline a realistic path to audit readiness. No commitment required.