ISO 27001 (Information Security)

Introducing Oxford Infosec

Oxford Infosec is a UK-based information security and privacy consultancy. Our consultants hold internationally recognised qualifications in ISO 27001 implementation and auditing, as well as data protection (CIPP/E, CIPM), meaning we can take you all the way from initial scoping to successful certification and beyond.

Our methodology is pragmatic and risk-driven, designed for fast-moving organisations so that every recommended control is proportionate to real-world risk, ISO 27001 requirements, and ICO expectations.

We can optionally combine this expertise with a compliance automation platform such as Drata (explained below), giving you continuous evidence collection, real-time dashboards showing your security status, and automated alerts instead of periodic checklists.

What Problem Do We Solve?

Whether you're chasing enterprise customers, responding to procurement questionnaires, or simply want to prove you take security seriously, ISO 27001 certification is increasingly becoming table stakes. But it's not enough to get certified once - customers and partners expect you to stay certified and demonstrate ongoing security rigour.

Typical pain points for growing organisations, and their consequences:

  • No dedicated security lead - slow, fragmented implementation; issues flagged during audits.

  • Limited capacity to keep controls current - certification lapses, urgent fixes before surveillance audits.

  • SaaS sprawl and dynamic infrastructure - evidence gaps, unclear control ownership.

  • Evolving threat and regulatory landscape - controls drift away from how the business actually operates.

Oxford Infosec provides an experienced implementation resource and ongoing ISO 27001 maintenance, so you achieve certification quickly and stay continuously compliant.

Compliance Automation Platform

Before diving into the detail, it's worth explaining the compliance automation platform we recommend, since it underpins much of how we work.

Drata is a cloud-based platform that serves as the "engine room" for day-to-day ISO 27001 housekeeping. Once connected to your existing tools (for example AWS, Google Workspace, GitHub, your MDM), it continuously collects evidence that key security controls are operating, maintains your policy documents, and displays progress on a live readiness dashboard. The platform automatically raises tasks - like policy reviews, vendor re-assessments or staff-training refreshers - assigns them to the right people with due dates, and preserves an auditable trail.

We recommend Drata, but we can work with any similar platform you might already have in place (such as Vanta or Secureframe).

Fit for Small Businesses

This service recognises the reality of small, fast-moving teams: limited headcount, shifting priorities, and the need to keep shipping product while still holding a credible ISO 27001 certificate. Our approach keeps the standard achievable without turning it into a parallel bureaucracy.

  • Practical controls - we focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn't apply (for example, you don't host physical servers), we mark it out of scope rather than inventing work.

  • Light-touch scheduling - internal audits, workshops and evidence collection are conducted with the minimum possible impact on the rest of the business.

  • Automated evidence wherever possible - Drata integrations pull access logs, configuration states and test results from your existing systems, cutting down on manual screenshots and spreadsheets. Where automation isn't possible, we agree the simplest manual check that will satisfy an auditor.

  • Risk-led priorities - not everything gets fixed at once. We order actions by compliance impact and the effort to deliver them, so you can stage improvements alongside normal delivery.

  • Straightforward guidance - we avoid standards-speak and explain what's required in plain English. Policies come as editable templates, with notes that make clear what's mandatory versus optional.

Scope of Activities

This service is split into the initial implementation, which takes you all the way to full certification, and then the subsequent maintenance of the controls and evidence to ensure you retain ISO 27001 through surveillance and re-certification audits.

Phase 1 - Implementation

Phase 1 typically takes three to six months, depending on your starting point, complexity, and how quickly you can action remediation items.

Phase 1 activities by category:

  • Kick-off and Context - a lightweight alignment call with founders or leadership to agree on:

    • Scope - which parts of the business and product are in (for example, cloud platform, internal IT) and which aren't;

    • Objective - certification with the least overhead possible, and keeping it afterwards;

    • Accountability - nominate a senior contact (often the founder, CTO or COO) to make quick decisions;

    • Interested parties - who cares about your security and what they expect (customers, regulators, investors, staff).

  • Drata Implementation (optional) - connect Drata to your existing systems (cloud, identity provider, code repos, device management, ticketing, etc.) so it can automatically collect evidence. We configure integrations, set owners and review cycles, and make sure the dashboard reflects how your business actually runs, minimising manual effort.

  • Asset Inventory - identify and document your key assets (customer data, source code, infrastructure, key systems) so you know what you're protecting. This inventory is maintained and reviewed as part of ongoing risk management.

  • Risk Assessment - spot the main threats to and weaknesses in your assets and record the risks in a simple register. Each risk is given an owner and a treatment decision (accept, reduce, transfer, or avoid), which is then followed up during quarterly risk management sessions.

  • Documentation - create or refine core policies and procedures (for example, Information Security Policy, Access Control, Cryptography, Supplier Security) and align them to the required controls. We also document how you communicate about security matters internally and externally.

  • Control Implementation Support - guide technical and organisational control deployment (MFA, logging, backup, HR onboarding/off-boarding, supplier due diligence) and validate effectiveness. This includes documenting your business continuity and disaster recovery arrangements.

  • Competence and Training - ensure people doing security-relevant work have the right skills and knowledge. Set up security awareness training for all staff, with records to demonstrate compliance.

  • Internal Audit and Management Review - conduct the first-cycle internal audit and facilitate the inaugural management review meeting with leadership.

  • Certification Preparation - run a readiness check, coordinate corrective actions, and rehearse auditor Q&A and logistics.

Phase 2 - Maintenance

Phase 2 activities by category:

  • Continuous Monitoring - operate compliance automation integrations to harvest evidence, track control performance and surface alerts for controls that aren't working as expected.

  • Asset and Risk Management - maintain the asset inventory and rolling risk register; review emerging threats and update treatment actions on a quarterly cadence.

  • Internal Audit Programme - plan and execute thematic spot checks and full-scope audits, logging findings and corrective actions.

  • Policy and Procedure Maintenance - schedule reviews, update documents for changes to standards or business operations, and manage version control.

  • Management Review - prepare a summary of key metrics and run semi-annual management review sessions, capturing decisions and action items.

  • Audit Liaison - coordinate with the Certification Body for surveillance and recertification audits; track evidence requests and responses.

  • Security Awareness and Training - deliver onboarding modules, annual refreshers and targeted campaigns; monitor completion metrics and maintain competence records.

  • Supplier Security - perform initial and periodic supplier risk assessments, maintain contract security clauses and monitor third-party security reports.

  • Business Continuity Review - periodically review and test your business continuity and disaster recovery documentation to ensure it remains current and workable.

  • Incident and Change Advisory - provide guidance for security incidents and major architectural or process changes.

  • Standards and Regulatory Watch - monitor ISO, NCSC, ICO, ENISA and sector-specific updates; advise on required control adjustments.

Service Governance Cadence

Maintaining ISO 27001 isn't a one-off effort - the standard requires regular reviews, audits and updates. The list below shows a typical rhythm of activities, with the frequency of each. For smaller organisations, several of these can be combined into single sessions, and the monthly review is often just a 30-minute call rather than a formal meeting.

  • Monthly Check-in - track open actions, new risks, control performance issues, and alerts. Frequency: monthly.

  • Risk Review - refresh the asset list, re-score top risks, verify treatment progress, log emerging threats; updates the risk register and treatment plan. Frequency: quarterly.

  • Management Review - present a summary of objectives, incidents, audit results, and corrective actions; record decisions and assignments for continual improvement. Frequency: semi-annual (minimum).

  • Internal Audit Governance - approve the annual internal audit plan; track execution and close-out of findings; adjust scope based on risk review outcomes. Frequency: annual plan, with a progress check at each leadership meeting.

  • Policy and Procedure Governance - systematic review of the policy suite and operational procedures; capture regulatory or business-driven changes; publish updated versions. Frequency: quarterly.

  • Improvement Log - evaluate open corrective and preventive actions, recurring incident themes, and lessons learned; prioritise improvement initiatives. Frequency: monthly.

  • Supplier Security Oversight - reassess critical third-party suppliers; review security reports and certifications, penetration testing reports and contract clauses; update the supplier risk register. Frequency: quarterly.

  • External Audit Liaison - prepare auditor access, evidence sampling plan and logistics for surveillance or recertification audits; debrief outcomes and action plans. Frequency: annually (surveillance) / every 3 years (recertification).

  • Training and Awareness Governance - track security awareness completion, role-based training needs, phishing simulation results; plan the next campaign. Frequency: quarterly.

Who Delivers the Service

You'll work with a named Lead Consultant who holds recognised ISO 27001 implementation and audit qualifications. They act as your single point of contact and are accountable for delivery, reporting to whoever you nominate as executive sponsor (often the founder, CTO, or COO).

Out of Scope

The following items are not included in this service. Where relevant, we can recommend specialists or help you procure these services separately.

  • Deep technical remediation - network architecture and segmentation, source-code refactoring, building or operating a SIEM/SOC; these would typically be delivered by your development team or an IT provider.

  • Other compliance frameworks - PCI-DSS, NIST CSF, ISO 27701, GDPR RoPA, etc.; see our separate service descriptions for SOC 2 and other frameworks.

  • Non-ISO 27001 policies - policies not required for ISO 27001 compliance.

  • Penetration testing - external or internal penetration tests, social-engineering simulations.

  • Physical security build-outs - door-access systems, CCTV, server-room fit-outs.

  • Legal and contract drafting - negotiating or red-lining DPAs, MSAs, supplier security clauses.

  • Security incident response (beyond best-endeavours support) - emergency incident response, 24×7 crisis hotline, incident containment.

  • Business continuity infrastructure - designing alternate data centres, hot/hot fail-over, building out DR infrastructure; note that documenting and testing your BC/DR arrangements is included as part of ISO 27001.

  • HR process execution - carrying out disciplinary actions, conducting background checks.

  • Procurement and licensing - purchasing SaaS tooling (SIEM, training portals, GRC platforms), certification body fees.

  • Travel and on-site expenses - consultant travel, accommodation, per diem.

  • DPO services - acting as Data Protection Officer under GDPR; see our DPO-as-a-Service offering.

  • Custom software or tool development - building bespoke dashboards, scripts or automations beyond standard Drata integrations.

  • Audit costs - the certification audit itself is procured directly from the auditing company; we can advise on selecting and procuring an auditor.

Assumptions

Each assumption, and why it matters:

  • Executive sponsorship is active and visible - a named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.

  • You provide timely access to people, systems and sites - interviews, evidence collection and control validation depend on access to the right people, cloud consoles, logs and (if applicable) premises.

  • Basic security practices are in place or can be implemented quickly - for example, multi-factor authentication and centralised user accounts. We can advise on quick wins during kick-off if there are gaps.

  • Business processes stay reasonably stable during the first six months - major reorganisations, M&A activity or product pivots can alter risk context and scope. We'll flag these proactively and discuss implications.

  • You implement remediation actions you own by agreed due dates - Oxford Infosec guides and validates; hands-on engineering work (for example, enabling encryption) remains your responsibility.

  • Third-party suppliers will cooperate with security questionnaires or evidence requests - ISO 27001 requires supplier security; delays caused by non-responsive vendors are outside our control.

  • Legal review of policies and contracts is provided by your own counsel - Oxford Infosec supplies security language, but final legal vetting sits with you.

  • Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved - travel costs are excluded unless explicitly agreed.

  • All project communications are in English and within your standard working hours (UK/Europe time zone) - ensures availability for workshops, meetings and incident advisory calls.

  • Security incidents are disclosed promptly - timely awareness is required to update the risk register, improvement log and evidence in Drata.

  • Certification body fees and scheduling are your responsibility - Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor.

Term and Review

Phase 1 (implementation) is a fixed fee.

Phase 2 (maintenance) has a minimum engagement term of twelve months, renewable annually, which begins after the first ISO 27001 audit is completed.

Scope and fees are reviewed at each renewal to ensure the service continues to meet your needs.
