Infraspine guides organisations through every stage of ISO/IEC 27001:2022 — from the initial gap assessment and ISMS implementation through to internal audits, management review, and achieving certification. We have supported organisations from a broad range of sectors to achieve first-time certification on schedule and without audit surprises.
Our structured consulting methodology takes you from initial gap assessment to certified ISMS with no wasted effort and no surprises at the certification audit.
Before any ISMS implementation work begins, Infraspine conducts a structured gap assessment to establish exactly where your organisation currently stands against ISO/IEC 27001:2022. Our assessors review your existing policies, technical controls, and security processes against each of the standard's clauses and Annex A control domains. Every gap is documented with a risk severity rating, an indicative implementation effort, and a recommended remediation approach. The gap assessment also forms the starting point for your Information Security Risk Register — a living document that identifies information assets, threats, vulnerabilities, and residual risk levels, which is a mandatory deliverable under the standard. This phase typically takes one to two weeks and sets the entire implementation roadmap.
ISO 27001 certification requires a documented Information Security Management System underpinned by a comprehensive policy suite. Many organisations fail their first audit attempt because their policies exist in name only — they are generic, out of date, or not aligned to the organisation's actual operating environment. Infraspine develops a bespoke policy library tailored to your industry, size, and risk profile. This includes the Information Security Policy, Acceptable Use Policy, Access Control Policy, Cryptography Policy, Data Classification Policy, Supplier Security Policy, and all other mandatory and recommended documents required under the standard. Every policy is written in clear, plain language and reviewed with your team before finalisation to ensure it reflects how your organisation actually operates.
ISO 27001:2022 Annex A contains 93 information security controls across four themes: Organisational, People, Physical, and Technological. Not every control is mandatory — the standard requires a risk-based selection process documented in a Statement of Applicability. Infraspine guides your team through the SoA process, selecting and justifying controls based on your risk register and business context. For each selected control, we provide an implementation guide covering technical configuration, process design, and evidence requirements. Our consultants work alongside your IT team to implement technical controls — including access management, encryption standards, logging, and vulnerability management — ensuring they are correctly configured and generating the audit evidence required for certification.
ISO 27001 requires organisations to conduct internal audits of their ISMS at planned intervals before seeking certification. An effective internal audit programme identifies non-conformities and weaknesses before the external certification auditor does — allowing you to remediate issues in a controlled way rather than under time pressure. Infraspine designs and conducts your internal audit programme: developing audit schedules, audit checklists aligned to the standard's clauses, and competence-based audit teams. We conduct the audit, produce formal internal audit reports with non-conformity (NC) and observation (OBS) findings, and track corrective actions through to closure. This process also prepares your team for the rigour of the Stage 2 certification audit, reducing the risk of audit failure.
ISO 27001 places clear obligations on top management to actively oversee the ISMS — not just delegate it to an IT team. The standard requires documented management review meetings at planned intervals, covering the performance of the ISMS, changes in the risk environment, audit results, and continual improvement objectives. Many organisations struggle to demonstrate meaningful management engagement to their certification auditors. Infraspine prepares your management review agenda, pre-populates the required input data from ISMS monitoring outputs, facilitates the review meeting, and produces a formal management review record that satisfies certification audit requirements. We also help senior leadership understand their specific obligations under the standard, so they can answer auditor questions confidently.
Selecting the right certification body and managing the audit process effectively are critical to a successful first-time certification. Infraspine manages the certification body selection process, advising on UKAS-accredited bodies appropriate to your sector and size, and preparing your organisation for both the Stage 1 (documentation review) and Stage 2 (on-site audit) assessments. We coordinate document submissions, manage audit logistics, brief your team on what to expect during each audit stage, and prepare responses to any observations or minor non-conformities raised by the external auditor. Post-certification, we support your annual surveillance audits and three-year recertification cycle, ensuring the ISMS remains compliant as your organisation and the threat landscape evolve.
Common questions from organisations beginning their ISO 27001 certification journey.
Book a free gap assessment scoping call with Infraspine. We will give you an honest timeline, cost estimate, and implementation plan — no commitment required.