ISO readiness that improves how your business runs
We help UK SMEs achieve ISO 9001 (Quality) and ISO 27001 (Information Security) readiness - using the same practical systems thinking we apply to operational improvement. Not paperwork for its own sake. Documented processes that work.
Readiness, not just documentation
ISO certification requires two things: a documented management system, and evidence that you actually operate it. Most businesses that fail audits have the first and not the second.
Our approach builds both together. We document your processes based on how your business actually runs - not a generic template - and we embed the system with your team so it is operational before the auditor arrives, not theatrical.
ISO 9001 and ISO 27001 share a common structure. Internal audit, management review, risk-based thinking, corrective actions, and document control are required by both. If you are pursuing both standards, we build these shared elements once and apply them to both - which is why combined engagements are more efficient than sequential ones.
ISO 9001:2015
Quality Management System (QMS)
ISO 27001:2022
Information Security Management System (ISMS)
Shared by both standards
- Internal audit programme
- Management review
- Risk-based thinking
- Document and record control
- Corrective actions (CAPA)
- Continual improvement
Is this the right engagement for you?
We work with UK SMEs navigating compliance requirements for the first time - not large enterprises building on established compliance functions.
Winning contracts that require accreditation
ISO 9001 and ISO 27001 are increasingly mandatory in public sector tenders, enterprise procurement, and regulated industries. Without them, you may not even make the shortlist.
Satisfying customer or investor due diligence
Larger clients, due diligence teams, and enterprise SaaS buyers are routinely asking for evidence of quality and security management. A structured readiness process produces that evidence.
Bringing order to a system that has grown without structure
Many growing businesses have informal processes and undocumented practices that work - until they don't. ISO readiness gives you the structure to make those practices reliable and auditable.
What you get
A complete readiness package - documented, embedded, and appropriate for the standard and scope you are working towards.
Gap assessment
Clause-by-clause review of your current position against the relevant standard, with a scored readiness report and prioritised action plan.
Documentation pack
Quality Manual or ISMS documentation, core procedures, and SOPs - written to reflect how your business actually works, not a generic template.
Risk register and treatment plan
Documented risk assessment using a consistent methodology, with treatment decisions clearly recorded - a core audit evidence requirement for both standards.
Policy suite
The policies required by the standard - information security policy, quality policy, and supporting policies - reviewed, completed, and approved by management.
Internal audit programme
A structured internal audit schedule, methodology, and trained internal auditors - so you can maintain the management system after we leave.
Management review pack
Agenda template, evidence guide, and minutes structure so your management review meetings produce the outputs required by the standard.
Implementation roadmap
A clear, sequenced plan from where you are now to pre-certification review - with milestones, owners, and realistic timelines.
We do not certify you - certification is awarded by an accredited third-party body after a successful audit. Our role is implementation and audit preparation. We get you ready; the certification body confirms it.
How it works
A structured engagement that adapts to your standard, scope, and starting point.
Gap assessment
Typical: 1–3 weeks
We assess your current operations against the standard, clause by clause. You receive a scored report showing exactly where you are ready, where gaps exist, and in what order to close them. No surprises later.
Scope and planning
Typical: 1 week
We define the scope of the management system, identify the processes that must be documented, and produce a realistic roadmap. For combined ISO 9001 and 27001 engagements, we plan the shared foundations first.
Documentation and controls
Typical: 4–10 weeks
We build the required documentation alongside your team - Quality Manual, procedures, risk register, SOPs, Statement of Applicability where applicable. Documents are built to be used, not archived.
Embedding and training
Typical: 2–4 weeks
We train your team on the documented processes, establish the internal audit programme, and set up your management review rhythm. The system must be operational, not theoretical.
Pre-certification review
Typical: 1–2 weeks
Before your Stage 1 or Stage 2 audit with the certification body, we conduct a pre-audit review. We identify remaining gaps and support you in closing them - so there are no surprises on audit day.
Which standard are you working towards?
The engagement is adapted to your standard and scope. If you are pursuing both, we structure it so the shared foundation is built once - saving time and effort compared to two sequential projects.
ISO 9001
Quality Management System (QMS)
For businesses that need documented processes, consistent delivery, and evidence of customer focus. ISO 9001 is the most widely recognised quality standard - common in professional services, public sector supply chains, and manufacturing.
Best for: Quality accreditation, contract requirements, recurring quality issues
ISO 9001 detail page
ISO 27001
Information Security Management System (ISMS)
For businesses handling sensitive data, satisfying enterprise security requirements, or responding to customer due diligence. ISO 27001 requires a documented risk assessment, Statement of Applicability, and implemented controls.
Best for: Data handling, enterprise clients, information security assurance
ISO 27001 detail page
The Systemantic approach
Pursuing both standards together
ISO 9001 and ISO 27001 share the same High Level Structure. Internal audit, management review, risk-based thinking, corrective actions, and document control are required by both. When we build these elements once and apply them to both standards in parallel, dual readiness is typically 20–30% faster than sequential engagements - and produces a more coherent management system.
- Single internal audit programme covering both standards
- One management review cycle - two standards in scope
- Integrated risk register for quality and security
- Certification body combined audits are standard practice
Free 30-minute call · No commitment
Common questions
Something not covered here? Get in touch
Does Systemantic certify us?
No. Certification is awarded by an accredited third-party certification body (such as BSI, LRQA, or NQA) following a successful audit. Our role is implementation support and audit preparation - getting you ready so the audit is not a surprise.
How long does readiness take?
Depends on scope and your starting point. ISO 9001 alone: typically 3–5 months. ISO 27001 alone: typically 4–7 months. Both together: typically 5–9 months - which is faster than doing them sequentially, because the shared foundation (internal audit, management review, risk process, document control) is built once.
Should we do both standards or just one?
Start with whichever is driving the immediate business need. If a contract requires ISO 9001, start there. If a customer is asking for ISO 27001, start there. If both are on the horizon, doing them together is more efficient - the two standards share a common structure and significant documentation overlap.
We already have some documentation. Does that help?
Yes - we start with a gap assessment that reviews what you already have. Existing documentation, even informal, reduces the effort required. We adapt what works and replace or build what doesn't, rather than starting from scratch.
What size of business do you work with?
Primarily UK SMEs between 15 and 200 people. Large enough to have real operational complexity, small enough that an agile implementation approach is possible. We do not build enterprise-scale bureaucracy - we build management systems proportionate to your size and risk.
How does ISO readiness connect to your other services?
ISO readiness is a systems problem. Documented processes, clear accountability, and consistent records are the foundations of both good operations and ISO conformance. Clients who have worked with us on process mapping and systems design often find the readiness engagement faster, because the operational foundations are already stronger.
Related service
Already working on your operations?
Clients who have worked with us on process mapping and systems design tend to find the ISO readiness engagement faster and less disruptive - because the operational foundations are already in better shape. Documented processes, clear accountability, and consistent records are both good operations and ISO conformance requirements.
Ready to begin your ISO readiness journey?
Book a free 30-minute readiness call. We will discuss which standard you are working towards, where you are now, and what a realistic path to audit readiness looks like for your business. No commitment required.