ISO27001 (Information Security)
Introducing Oxford Infosec
Oxford Infosec is a UK-based information security and privacy consultancy whose ISO 27001 Lead Auditors and DPOs hold internationally recognised credentials (ISO 27001 Lead Auditor/Implementor, CIPP/E, CIPM).
Our methodology is pragmatic and risk-driven, engineered for fast-moving organisations so that every recommended control is proportionate to real-world risk, ISO27001 requirements, and ICO expectations.
We can optionally combine this expertise with the Drata compliance-automation platform (or a similar platform), giving customers continuous evidence collection, real-time Information Security Management System (ISMS) dashboards, and automated alerts instead of periodic checklists.
What Problem Do We Solve?
Winning enterprise and public sector deals increasingly depends not only on achieving ISO 27001 certification but on demonstrating that your security posture is continuously maintained.
Typical pain-points for high-growth organisations, and their consequences, are:
No dedicated security lead – slow, fragmented implementation; audit non-conformities.
Limited capacity to keep controls current – certification lapses; urgent fixes before surveillance audits.
SaaS sprawl & dynamic infrastructure – evidence gaps; unclear control ownership.
Evolving threat & regulatory landscape – controls drift away from organisational reality.
Oxford Infosec provides an experienced implementation resource and ongoing ISO27001 maintenance, so you achieve certification quickly and stay continuously compliant.
Fit for Small and Medium‑Sized Businesses
This service recognises the reality of fast-moving teams: limited headcount, shifting priorities, and the need to keep shipping product while still holding a credible ISO 27001 certificate. Our approach keeps the standard achievable without turning it into a parallel bureaucracy.
Practical controls – we focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn’t apply (for example, you don’t host physical servers), we mark it out of scope rather than inventing work.
Light-touch scheduling – internal audits, workshops and evidence collection are conducted with the minimum possible impact on the rest of the business.
Automated evidence wherever possible – Drata integrations pull access logs, configuration states and test results from your existing systems, cutting down on manual screenshots and spreadsheets. Where automation isn’t possible, we agree the simplest manual check that will satisfy an auditor.
Risk-led priorities – not everything gets fixed at once. We order actions by compliance impact and the effort to deliver them, so you can stage improvements alongside normal delivery.
Straightforward guidance – we avoid standards-speak and explain what’s required in plain English. Policies come as editable templates, with notes that make clear what’s mandatory versus optional.
Named Practitioner
Lead ISO27001 Consultant
ISO 27001 Lead Implementor / Auditor
CISSP
CISM
Acts as single point of accountability, reporting to the customer’s executive sponsor.
Compliance Automation Platform
We recommend Drata, a cloud-based compliance automation platform that serves as the “engine room” for day-to-day ISO27001 housekeeping; however, we can work with any similar platform you already have in place.
Once connected to your existing tools (e.g. AWS, Google Workspace, GitHub), it continuously collects evidence that key privacy and security controls are operating, maintains your policy documents, and displays progress on a live readiness dashboard. The platform automatically raises tasks, such as policy reviews, vendor re-assessments or staff-training refreshers, assigns them to the right people with due dates, and preserves an auditable trail.
Scope of Activities
This service is split into the initial implementation, which takes you all the way to full certification, and then the subsequent maintenance of the controls and evidence to ensure you retain ISO27001 through surveillance and re-certification audits.
Phase 1 - Implementation
Kick-off & Context
A lightweight alignment call with founders or leadership to agree on:
Scope – decide which parts of the business/product are in (e.g. cloud platform, internal IT) and which aren’t.
Objective – certification with the least overhead possible, and keeping it afterwards.
Accountability – nominate a senior contact (often CTO/COO/founder) to make quick decisions.
Drata Implementation (optional)
Connect Drata to your existing systems (cloud, IAM, code repos, device management, ticketing, etc.) so it can automatically collect evidence.
We configure integrations, set owners and review cycles, and make sure the dashboard reflects how your business actually runs, minimising manual effort.
Risk Assessment
Identify your key assets (like customer data, code, infrastructure), spot the main threats and weaknesses, and record the risks in a simple register.
Each risk is given an owner and a treatment decision (accept, reduce, transfer, avoid), which is then followed up during quarterly risk management sessions.
Documentation
Create or refine core policies and procedures (e.g. Information Security, Access Control, Cryptography, Supplier Security) and align them to the required controls.
Control Implementation Support
Guide technical and organisational control deployment (MFA, logging, backup, HR onboarding/off-boarding, supplier due-diligence) and validate effectiveness.
Internal Audit & Management Review
Conduct the first-cycle internal audit and facilitate the inaugural management-review meeting with leadership.
Certification Preparation
Run a readiness check, coordinate corrective actions, and rehearse auditor Q&A and logistics.
Phase 2 - Maintenance
Continuous Monitoring
Operate compliance automation integrations to harvest evidence, track control SLAs and surface alerts for out-of-tolerance items.
Risk Management
Maintain a rolling risk register; review emerging threats and update treatment actions on a quarterly cadence.
Internal Audit Programme
Plan and execute thematic spot checks and full-scope audits, logging findings and corrective actions.
Policy & Procedure Maintenance
Schedule reviews, update documents for changes to standards, and manage version control.
Management Review
Prepare the KPI dashboard and chair semi-annual management-review sessions, capturing decisions and action items.
Audit Liaison
Coordinate with the Certification Body for surveillance and recertification audits; track evidence requests and responses.
Security Awareness & Training
Deliver onboarding modules, annual refreshers and targeted campaigns; monitor completion metrics.
Supplier Security
Perform initial and periodic supplier risk assessments, maintain contract-security clauses and monitor third-party attestations.
Incident & Change Advisory
Provide guidance for security incidents and major architectural or process changes.
Standards & Regulatory Watch
Monitor ISO, NCSC, ICO, ENISA and sector-specific updates; advise on required control adjustments.
ISO27001 Service Governance Cadence
The schedule below details a typical cadence of touch points needed to maintain ISO27001 throughout the year. It is not prescriptive, and in many cases sessions can be combined. The final meeting cadence will always be sufficient to satisfy the requirements of ISO27001.
Operational Oversight – ISMS Working-Group Meeting: track open actions, new risks, control SLA breaches, alerts. Cadence: monthly.
Risk Management – Quarterly Risk Review: refresh asset list, re-score top risks, verify treatment progress, log emerging threats; updates risk register & treatment plan. Cadence: quarterly.
Management Review – present KPI deck (objectives, incidents, audit results, corrective actions); record decisions and assignments for continual improvement. Cadence: semi-annual (minimum).
Internal Audit Governance – approve annual internal-audit plan; track execution and close-out of non-conformities; adjust scope based on risk review outcomes. Cadence: annual plan; progress check at each Steering Committee.
Policy & Procedure Governance – systematic review of the policy suite and operational procedures; capture regulatory or business-driven changes; publish updated versions. Cadence: quarterly.
Improvement & Non-conformity Log – evaluate open corrective / preventive actions, recurring incident themes, and lessons learned; prioritise improvement initiatives. Cadence: monthly.
Supplier Security Oversight – reassess critical third-party suppliers; review attestations, penetration-testing reports and contract clauses; update supplier risk register. Cadence: quarterly.
External Audit Liaison – prepare auditor access, evidence sampling plan and logistics for surveillance / recertification audits; debrief outcomes and action plans. Cadence: annually (surveillance) / every 3 years (recertification).
Training & Awareness Governance – track security-awareness completion, role-based training needs, phishing-simulation results; plan next campaign. Cadence: quarterly.
Out‑of‑Scope
Deep technical remediation – for example: network (re-)architecture & segmentation, source-code refactoring / secure-coding fixes, building or operating a SIEM/SOC.
Other compliance frameworks – PCI-DSS, SOC 2, NIST CSF, ISO 27701, GDPR RoPA, etc.
Non-ISO27001 policies – policies not required for ISO27001 compliance.
Pen-testing & red-team – external / internal penetration tests, social-engineering simulations.
Physical-security build-outs – door-access systems, CCTV, server-room fit-outs.
Legal & contract drafting – negotiating / red-lining DPAs, MSAs, supplier security clauses.
Security Incident Response (beyond best-endeavours support) – emergency incident response, 24×7 crisis hotline, incident containment.
Business Continuity & DR engineering – designing alternate data centres, hot/hot fail-over, full DR run-books.
HR process execution – carrying out disciplinary actions, conducting background checks.
Procurement & licensing – purchasing SaaS tooling (SIEM, training portals, GRC platforms), certification-body fees.
Travel & on-site expenses – consultant travel, accommodation, per diem.
DPO services – acting as Data Protection Officer under GDPR.
Custom software / tool development – building bespoke dashboards, scripts or automations beyond standard Drata integrations.
Audit costs – the audit itself is procured directly from the auditing company; Oxford Infosec can advise on procurement.
Assumptions
Executive sponsorship is active and visible – a named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.
Customer provides timely access to people, systems and sites – interviews, evidence collection and control validation depend on access to SMEs, cloud consoles, logs and (if applicable) premises.
Baseline security controls already exist (e.g. MFA, central logging) – implementation effort is scoped to refine and evidence controls, not build them from scratch.
Business processes stay materially stable during the first six months – major reorganisations, M&A activity or product pivots can alter risk context and ISMS scope, potentially impacting fees and timelines.
Customer implements remediation actions they own by agreed due dates – Oxford Infosec guides and validates; hands-on engineering work (e.g. enabling S3 encryption) remains a client responsibility.
Third-party suppliers will cooperate with security questionnaires / evidence requests – ISO 27001 Annex A control 5.19 requires supplier security; delays caused by non-responsive vendors are outside consultant control.
Legal review of policies and contracts is provided by the customer’s counsel – Oxford Infosec supplies security language, but final legal vetting sits with the customer.
Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved – travel costs and lead-times are excluded unless explicitly agreed.
All project communications are in English and within the customer’s standard working hours (Europe/London time zone) – ensures availability for workshops, steering meetings and incident advisory calls.
Security incidents are disclosed promptly – timely awareness is required to update the risk register, improvement log and Drata evidence.
Certification Body fees and scheduling are the customer’s responsibility – Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor.
Term and Review
The implementation (Phase 1) is a fixed fee, while the Maintenance (Phase 2) has a minimum engagement term of twelve months, renewable annually, which begins after the first ISO27001 audit is completed.
Scope and fees are reviewed at each renewal to ensure the service continues to meet statutory and organisational requirements.