ISO 27001 Pre-Audit

Preparing your organisation for ISO/IEC 27001 certification through an accredited body — gap analysis, documentation, internal audit, and Stage 1 / Stage 2 support.

What we do

ISO 27001 pre-audit prepares your organisation for certification — from gap analysis to audit support.

Gap analysis

We map your current controls against every requirement of ISO/IEC 27001:2022 — Annex A and clauses 4–10. Findings report with a prioritised remediation plan in 2 weeks.

Risk assessment + SoA

Risk assessment aligned with ISO 31000 / ISO 27005. Statement of Applicability — what we apply, what we exclude, and why. No off-the-shelf templates.

Policies and procedures

We write or update the ISMS policy and procedure set tailored to your organisation — documents that match how you actually work, not boilerplate.

Internal audit

Formal internal audit required by clause 9.2. Findings report, nonconformity classification, closing plan before Stage 1.

Certification process support

We assist during Stage 1 and Stage 2 with the accredited certification body. Team preparation, documentation, and responses to auditor findings. The body issues the certificate.

Process phases

Four phases — timelines are indicative and depend on the organisation's starting maturity.

Mapping the gap

Full review of current controls, policies, and processes against ISO/IEC 27001:2022. Findings report with a prioritised remediation plan.

Risk + documentation

Risk assessment, SoA, policies, procedures, evidence collection. Depth depends on the organisation's starting maturity.

Audit + remediation

Internal audit per clause 9.2. Closing nonconformities before contact with the accredited certification body.

Certification audit

We assist during both stages of the certification audit. The accredited body issues the certificate — we help your team navigate the process without surprises.

Who it's for

Three segments where ISO 27001 pre-audit delivers the most value.

SMBs in regulated sectors

Companies subject to NIS2/DORA where a regulator or enterprise client requires ISO 27001 as a compliance baseline.

Growth-stage SaaS and fintech

Pre-Series B/C companies for whom ISO 27001 is an enterprise-sales accelerator and a maturity signal in investor due diligence.

Organisations in RFI/RFP processes

Companies needing ISO 27001 as a qualifier for public procurement or enterprise contracts.

Frequently asked questions

Do you issue the ISO 27001 certificate?

No. The certificate is issued solely by an accredited certification body — a national IAF/PCA member or equivalent. Our role is to prepare the organisation for the process and provide support during Stage 1 and Stage 2.

How long does the pre-audit process take?

Typically 3–6 months depending on the organisation's starting maturity. The fastest are companies with existing policies and partial documentation; the slowest are organisations for whom this is the first formal set of security policies.

Which certification body do you work with?

We work with whichever accredited body the client selects. We can advise on the choice based on sector experience and auditor location, but the decision belongs to your organisation.

What happens after certification?

Surveillance audits in years 1 and 2, recertification in year 3. ISMS maintenance is best handled by a permanent CISO function or equivalent — see vCISO. Alternatively, we provide point support during surveillance audits.

Book a pre-audit consultation

Free initial conversation — we'll review your current posture and propose a plan.