Most organisations attempting ISO 27001 without specialist support stall during development, fail their first audit, or build frameworks that become a maintenance burden. We build ISMS frameworks designed to be owned, maintained, and demonstrated for years to come.
What We Cover
Whether you are pursuing certification for the first time, transitioning from the 2013 to the 2022 standard, or maintaining an existing ISMS, we provide specialist support across every stage.
Gap analysis, ISMS development, risk assessment, control implementation, and audit preparation for organisations pursuing ISO 27001:2022 for the first time.
Structured transition from ISO 27001:2013 to the 2022 standard, including Annex A realignment and new control implementation.
Programme management, surveillance audit preparation, risk register maintenance, and continuous improvement for certified organisations.
Independent internal audit against the standard to surface gaps before your external auditor does and provide a prioritised remediation plan.
Why It Matters
ISO 27001 certification is increasingly expected by enterprise clients, public sector procurement frameworks, and regulated sector partners. But the organisations that get real value from it are not the ones that treat it as a box to tick. They are the ones that build an ISMS that genuinely reflects how they manage information security risk.
An ISMS built to the minimum required to pass an audit will fail under scrutiny at the next surveillance audit. An ISMS built as a working management system will pass every audit and reduce your actual exposure in the process.
Our approach is to build something sustainable from the outset: policies and controls your team can maintain, understand, and evolve without ongoing external dependency. External support should strengthen your capability, not create it.
Podium Analytics is a sport-for-good foundation that needed ISO 27001:2022 certification with limited internal resources and no dedicated compliance function. For a data-driven organisation seeking to build trust with partners and funders, certification was not just a compliance milestone. It was a signal of credibility.
We began with a structured gap analysis to understand exactly where Podium stood against the standard, then developed a streamlined ISMS tailored to their size and risk profile, not an enterprise-grade framework retrofitted to a smaller organisation. The focus throughout was on building something sustainable: policies and controls their team could maintain, understand, and evolve without ongoing external dependency.
"Secure Step Forward's expert guidance was instrumental in achieving our ISO 27001 certification. Their approach is practical, professional, and focused on building sustainable compliance, not just ticking boxes."
Damian Smith, CIO, Podium Analytics
Common Questions
First-time ISO 27001:2022 certification typically takes four to nine months depending on the size and complexity of your organisation, the maturity of your existing information security practices, and how quickly your team can engage with the process. We begin with a gap analysis that gives you a realistic timeline based on your specific starting point.
ISO 27001:2022 introduced a restructured Annex A with 93 controls organised into four themes, replacing the previous 114 controls across 14 domains. Eleven new controls were added covering threat intelligence, cloud security, and data masking among others. The transition deadline was October 2025.
ISO 27001 certification is increasingly expected by enterprise clients, public sector procurement frameworks, and regulated sector partners. Beyond contractual requirements, it provides a structured framework for managing information security risk that reduces your actual exposure and demonstrates due diligence to boards and regulators.
Certification involves developing an Information Security Management System that meets the requirements of the standard, conducting a risk assessment, implementing appropriate controls, and passing a two-stage audit by an accredited certification body. Stage one is a documentation review. Stage two is an on-site assessment of whether your ISMS operates as documented.
Yes. Certification is the beginning of a maintenance commitment, not the end. We offer ongoing programme management, surveillance audit preparation, and continuous improvement support to keep your ISMS current as your business and the standard evolve.
A 30-minute conversation will give us a clear picture of where you are and what a realistic path to certification looks like for your organisation.
Free Download
A structured overview of our four-stage certification methodology, how we build sustainable ISMS frameworks, and our engagement model for first-time and transitioning organisations.