# ISO27001 (Information Security)

## Introducing the Service

If enterprise customers are asking for ISO 27001, investors are asking during due diligence, or contracts are starting to require it, this service is for you. ISO 27001 has become table stakes for small businesses selling into regulated industries or larger enterprises, and getting certified is only half the job. Customers and partners expect you to *stay* certified and demonstrate ongoing security rigour year after year.

Oxford Infosec takes small, fast-moving companies all the way from initial scoping to successful certification, then maintains the controls and evidence to keep you certified through surveillance and recertification audits. Our consultants hold internationally recognised qualifications in ISO 27001 implementation and auditing, along with data protection credentials (CIPP/E, CIPM).

Our approach is pragmatic and risk-driven, built for small businesses so that every recommended control is proportionate to real-world risk, ISO 27001 requirements, and ICO expectations.

We can optionally combine this expertise with a compliance automation platform (explained below), giving you continuous evidence collection, real-time dashboards showing your security status, and automated alerts instead of periodic checklists.

## What Problem Does This Solve?

Whether you're chasing enterprise customers, responding to procurement questionnaires, or simply want to prove you take security seriously, ISO 27001 certification is increasingly becoming table stakes. But it's not enough to get certified once. Customers and partners expect you to *stay* certified and demonstrate ongoing security rigour.

Typical challenges for growing organisations:

| Challenge                                     | Consequence                                                   |
| --------------------------------------------- | ------------------------------------------------------------- |
| **No dedicated security lead**                | Slow, fragmented implementation; issues flagged during audits |
| **Limited capacity to keep controls current** | Certification lapses, urgent fixes before surveillance audits |
| **SaaS sprawl and dynamic infrastructure**    | Evidence gaps, unclear control ownership                      |
| **Evolving threat and regulatory landscape**  | Controls drift away from how the business actually operates   |

Oxford Infosec provides an experienced implementation consultant and ongoing ISO 27001 maintenance, so you achieve certification quickly and stay continuously compliant.

## Compliance Automation Platform

Before diving into the detail, it's worth explaining the compliance automation platform we recommend, since it underpins much of how we work.

A cloud-based compliance automation platform serves as the "engine room" for day-to-day ISO 27001 housekeeping. Once connected to your existing tools (for example AWS, Google Workspace, GitHub, your MDM), it continuously collects evidence that key security controls are operating, maintains your policy documents, and displays progress on a live readiness dashboard. The platform automatically raises tasks (like policy reviews, vendor re-assessments or staff-training refreshers), assigns them to the right people with due dates, and preserves an auditable trail.

We can work with whichever compliance automation platform you already have in place (such as Vanta or Secureframe).

## Fit for Small Businesses

This service is designed for organisations that need a credible ISO 27001 certificate without the overhead of an enterprise-scale programme. Typically that means:

* **20 to 200 employees**: large enough to face certification demands, small enough that enterprise templates would swamp the business
* **Handling sensitive data**: customer data, product information, intellectual property, or other information that matters to your customers
* **Operating in the UK or Europe**: subject to ISO 27001 expectations from enterprise buyers, investors, or regulators
* **Facing external pressure**: procurement questionnaires, investor due diligence, or contractual certification requirements

Our approach recognises the reality of small, fast-moving teams: limited headcount, shifting priorities, and the need to keep shipping product while still holding a credible ISO 27001 certificate. It keeps the standard achievable without turning it into a parallel bureaucracy.

* **Practical controls**: we focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn't apply (for example, you don't host physical servers), we mark it out of scope rather than inventing work.
* **Light-touch scheduling**: internal audits, workshops, and evidence collection are conducted with the minimum possible impact on the rest of the business.
* **Automated evidence wherever possible**: the platform's integrations pull access logs, configuration states and test results from your existing systems, cutting down on manual screenshots and spreadsheets. Where automation isn't possible, we agree the simplest manual check that will satisfy an auditor.
* **Risk-led priorities**: not everything gets fixed at once. We order actions by compliance impact and the effort to deliver them, so you can stage improvements alongside normal delivery.
* **Straightforward guidance**: we avoid standards-speak and explain what's required in plain English. Policies come as editable templates, with notes that make clear what's mandatory versus optional.

If you don't have basic security controls in place yet, our Security Foundations service is usually a better starting point. And if the only driver is a single customer's one-off request, it's worth checking whether certification is actually needed or whether a strong set of controls and an attestation will do.

## Outcomes: What You Get

### Certification you can rely on

| Outcome                                               | What this means                                                                                 |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| **You achieve certification on your target timeline** | Scoping, implementation, and audit prep aligned to your deal, investor, or contractual deadline |
| **The certificate reflects the business**             | Controls match how you actually operate, not a generic template that auditors see through       |
| **You stay certified year after year**                | Surveillance and recertification audits pass without last-minute firefighting                   |

### Credibility with customers and investors

| Outcome                                            | What this means                                                              |
| -------------------------------------------------- | ---------------------------------------------------------------------------- |
| **You can answer security questionnaires quickly** | Evidence is ready, mapped to common frameworks and what buyers typically ask |
| **Due diligence goes smoothly**                    | Investors and enterprise buyers can see you've taken this seriously          |
| **Security stops blocking deals**                  | Procurement gets the assurance it needs without a last-minute scramble       |

### A programme that runs itself

| Outcome                                   | What this means                                                          |
| ----------------------------------------- | ------------------------------------------------------------------------ |
| **You know where you stand**              | Live view of control status, evidence coverage and open actions          |
| **Issues surface early**                  | Problems are caught before the external audit, not during it             |
| **The standard fits around the business** | Controls and cadence calibrated to small teams, not enterprise templates |

## Scope of Activities

This service is split into the initial implementation, which takes you all the way to full certification, and then the subsequent maintenance of the controls and evidence to ensure you retain ISO 27001 through surveillance and recertification audits.

### Phase 1: Implementation

Phase 1 typically takes three to six months, depending on your starting point, complexity, and how quickly you can action remediation items.

| Category                                          | Activity                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Kick-off and Context**                          | <p>A lightweight alignment call with founders or leadership to agree on:</p><ul><li><strong>Scope</strong>: which parts of the business and product are in (for example, cloud platform, internal IT) and which aren't.</li><li><strong>Objective</strong>: certification with the least overhead possible, and keeping it afterwards.</li><li><strong>Accountability</strong>: nominate a senior contact (often founder, CTO or COO) to make quick decisions.</li><li><strong>Interested parties</strong>: who cares about your security and what do they expect (customers, regulators, investors, staff).</li></ul> |
| **Compliance Platform Implementation (optional)** | Connect the platform to your existing systems (cloud, identity provider, code repos, device management, ticketing, etc.) so it can automatically collect evidence. We configure integrations, set owners and review cycles, and make sure the dashboard reflects how your business actually runs, minimising manual effort.                                                                                                                                                                                                                                                                                            |
| **Asset Inventory**                               | Identify and document your key assets (customer data, source code, infrastructure, key systems), so you know what you're protecting. This inventory is maintained and reviewed as part of ongoing risk management.                                                                                                                                                                                                                                                                                                                                                                                                     |
| **Risk Assessment**                               | Spot the main threats and weaknesses to your assets and record the risks in a simple register. Each risk is given an owner and a treatment decision (accept, reduce, transfer, or avoid), which is then followed up during quarterly risk management sessions.                                                                                                                                                                                                                                                                                                                                                         |
| **Documentation**                                 | Create or refine core policies and procedures (for example, Information Security Policy, Access Control, Cryptography, Supplier Security) and align them to the required controls. We also document how you communicate about security matters internally and externally.                                                                                                                                                                                                                                                                                                                                              |
| **Control Implementation Support**                | Guide technical and organisational control deployment (MFA, logging, backup, HR onboarding/off-boarding, supplier due-diligence) and validate effectiveness. This includes documenting your business continuity and disaster recovery arrangements.                                                                                                                                                                                                                                                                                                                                                                    |
| **Competence and Training**                       | Ensure people doing security-relevant work have the right skills and knowledge. Set up security awareness training for all staff, with records to demonstrate compliance.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Internal Audit and Management Review**          | Conduct the first-cycle internal audit and facilitate the inaugural management review meeting with leadership.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Certification Preparation**                     | Run a readiness check, coordinate corrective actions, and rehearse auditor Q\&A and logistics.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

### Phase 2: Maintenance

| Category                             | Activity                                                                                                                                                  |
| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Continuous Monitoring**            | Operate compliance automation integrations to harvest evidence, track control performance and surface alerts for controls that aren't working as expected |
| **Asset and Risk Management**        | Maintain asset inventory and rolling risk register; review emerging threats and update treatment actions on a quarterly cadence                           |
| **Internal Audit Programme**         | Plan and execute thematic spot checks and full-scope audits, logging findings and corrective actions                                                      |
| **Policy and Procedure Maintenance** | Schedule reviews, update documents for changes to standards or business operations, and manage version control                                            |
| **Management Review**                | Prepare a summary of key metrics and run semi-annual management review sessions, capturing decisions and action items                                     |
| **Audit Liaison**                    | Coordinate with the Certification Body for surveillance and recertification audits; track evidence requests and responses                                 |
| **Security Awareness and Training**  | Deliver onboarding modules, annual refresher and targeted campaigns; monitor completion metrics and maintain competence records                           |
| **Supplier Security**                | Perform initial and periodic supplier risk assessments, maintain contract security clauses and monitor third-party security reports                       |
| **Business Continuity Review**       | Periodically review and test your business continuity and disaster recovery documentation to ensure it remains current and workable                       |
| **Incident and Change Advisory**     | Provide guidance for security incidents and major architectural or process changes                                                                        |
| **Standards and Regulatory Watch**   | Monitor ISO, NCSC, ICO, ENISA, and sector-specific updates; advise on required control adjustments                                                        |

## Service Governance Cadence

Maintaining ISO 27001 isn't a one-off effort. The standard requires regular reviews, audits, and updates. The table below shows a typical rhythm of activities. For smaller organisations, several of these can be combined into single sessions, and the monthly review is often just a 30-minute call rather than a formal meeting.

| Category                              | Activity                                                                                                                                                              | Frequency                                                 |
| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| **Monthly Check-in**                  | Track open actions, new risks, control performance issues, and alerts.                                                                                                | Monthly                                                   |
| **Risk Review**                       | Refresh asset list, re-score top risks, verify treatment progress, log emerging threats. Updates risk register and treatment plan.                                    | Quarterly                                                 |
| **Management Review**                 | Present summary of objectives, incidents, audit results, and corrective actions. Record decisions and assignments for continual improvement.                          | Semi-annual (minimum)                                     |
| **Internal Audit Governance**         | Approve annual internal audit plan; track execution and close-out of findings; adjust scope based on risk review outcomes.                                            | Annual plan; progress check at each leadership meeting    |
| **Policy and Procedure Governance**   | Systematic review of the policy suite and operational procedures; capture regulatory or business-driven changes; publish updated versions.                            | Quarterly                                                 |
| **Improvement Log**                   | Evaluate open corrective and preventive actions, recurring incident themes, and lessons learned; prioritise improvement initiatives.                                  | Monthly                                                   |
| **Supplier Security Oversight**       | Reassess critical third-party suppliers; review security reports and certifications, penetration testing reports and contract clauses; update supplier risk register. | Quarterly                                                 |
| **External Audit Liaison**            | Prepare auditor access, evidence sampling plan and logistics for surveillance or recertification audits; debrief outcomes and action plans.                           | Annually (surveillance) / every 3 years (recertification) |
| **Training and Awareness Governance** | Track security awareness completion, role-based training needs, phishing simulation results; plan next campaign.                                                      | Quarterly                                                 |

## Who Delivers the Service

You'll work with a named Lead Consultant who holds recognised ISO 27001 implementation and audit qualifications. They act as your single point of contact and are accountable for delivery, reporting to whoever you nominate as executive sponsor (often the founder, CTO, or COO).

## What's Not Included

The following items are not included in this service. Where relevant, we can recommend specialists or help you procure these services separately.

| Category                                                        | What's not included                                                                                                                                                               |
| --------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Deep technical remediation**                                  | Network architecture and segmentation, source-code refactoring, building or operating a SIEM/SOC. These would typically be delivered by your development team or an IT provider   |
| **Other compliance frameworks**                                 | PCI-DSS, NIST CSF, ISO 27701, GDPR RoPA, etc. See our separate service descriptions for SOC 2 and other frameworks                                                                |
| **Non-ISO 27001 policies**                                      | Policies not required for ISO 27001 compliance                                                                                                                                    |
| **Penetration testing**                                         | External or internal penetration tests, social-engineering simulations                                                                                                            |
| **Physical security build-outs**                                | Door-access systems, CCTV, server-room fit-outs                                                                                                                                   |
| **Legal and contract drafting**                                 | Negotiating or red-lining DPAs, MSAs, supplier security clauses                                                                                                                   |
| **Security incident response (beyond best-endeavours support)** | Emergency incident response, 24×7 crisis hotline, incident containment                                                                                                            |
| **Business continuity infrastructure**                          | Designing alternate data centres, hot/hot fail-over, building out DR infrastructure. Note that *documenting and testing* your BC/DR arrangements is included as part of ISO 27001 |
| **HR process execution**                                        | Carrying out disciplinary actions, conducting background checks                                                                                                                   |
| **Procurement and licensing**                                   | Purchasing SaaS tooling (SIEM, training portals, GRC platforms), certification body fees                                                                                          |
| **Travel and on-site expenses**                                 | Consultant travel, accommodation, per diem                                                                                                                                        |
| **DPO services**                                                | Acting as Data Protection Officer under GDPR. See our DPO as a Service description                                                                                                |
| **Custom software or tool development**                         | Building custom dashboards, scripts or automations beyond standard platform integrations                                                                                          |
| **Audit costs**                                                 | The certification audit itself is procured directly from the auditing company. We can advise on selecting and procuring an auditor                                                |

## Assumptions

| Assumption                                                                                                 | Why this matters                                                                                                                                  |
| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Executive sponsorship is active and visible**                                                            | A named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.                                  |
| **You provide timely access to people, systems, and sites**                                                | Interviews, evidence collection, and control validation depend on access to the right people, cloud consoles, logs, and (if applicable) premises. |
| **Basic security practices are in place or can be implemented quickly**                                    | For example, multi-factor authentication and centralised user accounts. We can advise on quick wins during kick-off if there are gaps.            |
| **Business processes stay reasonably stable during the first six months**                                  | Major reorganisations, M\&A activity or product pivots can alter risk context and scope. We'll flag these proactively and discuss implications.   |
| **You implement remediation actions you own by agreed due dates**                                          | Oxford Infosec guides and validates; hands-on engineering work (for example, enabling encryption) remains your responsibility.                    |
| **Third-party suppliers will cooperate with security questionnaires or evidence requests**                 | ISO 27001 requires supplier security; delays caused by non-responsive vendors are outside our control.                                            |
| **Legal review of policies and contracts is provided by your own counsel**                                 | Oxford Infosec supplies security language, but final legal vetting sits with you.                                                                 |
| **Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved**           | Travel costs are excluded unless explicitly agreed.                                                                                               |
| **All project communications are in English and within your standard working hours (UK/Europe time zone)** | Ensures availability for workshops, meetings, and incident advisory calls.                                                                        |
| **Security incidents are disclosed promptly**                                                              | Timely awareness is required to update the risk register, improvement log and evidence in the platform.                                           |
| **Certification body fees and scheduling are your responsibility**                                         | Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor.                                                |

## Term and Review

Phase 1 (implementation) is a fixed fee.

Phase 2 (maintenance) has a minimum engagement term of twelve months, renewable annually, which begins after the first ISO 27001 audit is completed.

Scope and fees are reviewed at each renewal to ensure the service continues to meet your needs.

## Combining with Other Services

The ISO 27001 service works well alongside Oxford Infosec's other services:

* **SOC 2**: if you're selling into both UK and US markets, you may need both ISO 27001 and SOC 2. Significant control overlap means a second certification is less work than the first. We can help you decide whether to run them in parallel, sequence them, or pick one.
* **vCISO**: your vCISO provides ongoing strategic oversight while this service handles implementation and maintenance. Together, they keep the programme aligned with business priorities rather than becoming a bureaucratic exercise.
* **DPO as a Service**: many ISO 27001 controls touch personal data. Having a DPO in place covers the privacy side properly and demonstrates a clear commitment to data protection.
* **Security Foundations**: if the underlying security isn't in place yet, Security Foundations gets the baseline right first. Certification is much easier once the fundamentals are solid.
