ISO 27001 Consulting
ISO 27001 certification opens enterprise procurement, satisfies NIS2 supply-chain obligations, and provides the most defensible evidence of GDPR Article 32 compliance. The preparation is 4–9 months of ISMS design, policy authoring, risk register work, and evidence collection. We do all of it — fixed price, no surprises at the audit.
ISO 27001 done once, done right
Many ISO 27001 consulting engagements produce a policy library and a risk register and then hand you a document to implement yourself. We don’t. Our engagement covers the full preparation cycle: ISMS scoping, risk assessment, Annex A control selection, policy authoring, technical control implementation, evidence collection, internal audit, and Stage 1 and Stage 2 auditor coordination. You are certified at the end — not just better-documented.
ISO 27001 consulting integrates naturally with our Fractional CISO retainer: the vCISO owns the ISMS on an ongoing basis once the certificate is issued, manages surveillance audits, and maintains the risk register. Most clients combine ISO 27001 consulting, our penetration testing service (required by Annex A control 8.8), and the vCISO retainer into one integrated security programme.
From gap analysis to certified ISMS
ISMS Design
Information Security Management System scoping, context of the organisation (clause 4), leadership requirements (clause 5), and the planning structure (clause 6) — designed to match your business size, industry, and certification body requirements. The ISMS boundary is defined so it covers what auditors will test and nothing unnecessary.
Risk Register & Treatment
ISO 27001 clause 6.1 risk assessment: information asset identification, threat and vulnerability analysis, likelihood and impact scoring, and treatment plan selection (mitigate, accept, transfer, avoid). Statement of Applicability (SoA) authored to ISO 27001:2022 Annex A. The risk register is maintained as a living document throughout the engagement.
Policy Documentation
Full policy suite authored to your business: information security policy, acceptable use, access management, incident response, supplier management, change management, business continuity, disaster recovery, and asset management. Written in plain English, reviewed by your team, approved at the right level, and maintained on a documented cadence.
Certification Audit Support
We coordinate the audit with your chosen certification body: Stage 1 document review and Stage 2 on-site or remote audit. We prepare your team for auditor interviews, manage the evidence room, respond to findings during the audit window, and track remediation of any nonconformities through to closure.
ISO 27001 Consulting — Frequently Asked Questions
How long does ISO 27001 certification take?
From kickoff to certification decision, ISO 27001 typically takes 4–9 months. Companies with no prior security controls or documentation take longer; organisations with existing security practices and some documentation can move faster. The main phases are: gap analysis and ISMS scoping (2–4 weeks), policy and risk register build (6–12 weeks), technical control implementation (parallel, 4–12 weeks), evidence collection and internal audit (4–6 weeks), Stage 1 audit (2–4 weeks), and Stage 2 audit (2–4 weeks). Our gap analysis in week one gives you an accurate project timeline before the main engagement begins.
ISO 27001 vs SOC 2 — which do I need?
ISO 27001 is more common in European enterprise procurement and is increasingly required under NIS2 supply-chain obligations. SOC 2 is the standard for US enterprise buyers and SaaS companies selling into the US market. If you sell to both markets, or if your buyers are large multinationals, you may need both. We scope combined ISO 27001 + SOC 2 engagements with a shared evidence base — approximately 70% of Annex A controls map to SOC 2 Trust Service Criteria, making dual-certification 20–35% cheaper than two separate programmes.
How much does ISO 27001 consulting cost?
Our fixed-price ISO 27001 consulting engagement starts from €12,000 for a well-defined ISMS scope at a company of 20–100 people. Larger organisations, broader ISMS scopes, or combined ISO 27001 + SOC 2 programmes are scoped individually. The engagement covers gap analysis, ISMS design, risk register, policy authoring, technical control implementation, evidence collection, internal audit, and Stage 1 & Stage 2 auditor coordination. The certification body audit fee is separate (typically €5,000–€15,000 depending on auditor and organisation size).
Do I need ISO 27001 for GDPR compliance?
ISO 27001 is not mandated by GDPR, but it substantially supports GDPR Article 32 compliance — which requires “appropriate technical and organisational measures” to protect personal data. An ISO 27001 ISMS is the most defensible evidence that those measures are systematic, documented, and reviewed. Many supervisory authorities and DPAs view ISO 27001 certification as strong evidence of GDPR security compliance. If you process significant volumes of EU personal data, or if you operate in a regulated sector, ISO 27001 is worth pursuing for regulatory risk management alone — independently of any enterprise buyer requirement.
ISO 27001 certification, without the consulting-firm tax
Tell us your ISMS scope, your certification timeline, and what evidence you already have — we’ll come back with a fixed-price proposal.