ISO 27001 Assessment
Know where you stand. Independent assessment against ISO 27001:2022 with a practical roadmap to close the gaps.
ISO 27001 is the international standard for information security management. Whether you're working towards certification, need to demonstrate security maturity to clients, or want an honest view of your current posture, an independent assessment is the place to start.
We assess your organisation against ISO 27001:2022 and give you a clear picture of where you are, what's missing, and what to do about it. No audit reports that sit on a shelf. Actionable findings with a prioritised roadmap.
Assessment vs. audit: what's the difference?
Assessment (what we do)
An independent evaluation of your information security management system against ISO 27001 requirements. The goal is to understand your current state, find the gaps, and build a realistic plan to address them.
- Identifies gaps and risks
- Provides practical recommendations
- Prioritised roadmap you can act on
- Helps you prepare for certification
- Can be used for M&A due diligence
Certification audit
A formal audit by an accredited certification body that results in an ISO 27001 certificate. This is the endpoint, not the starting point.
- Pass/fail against the standard
- Results in formal certification
- Must be performed by an accredited certification body
- Requires a mature ISMS already in place
- Typically followed by annual surveillance audits
What we assess
A thorough review against the full ISO 27001:2022 standard, covering both the management system requirements and Annex A controls.
ISMS governance
Leadership commitment, security policy, roles and responsibilities, risk management approach, management review, and continual improvement processes.
Risk assessment
How you identify, assess, and treat information security risks. Risk methodology, risk register, treatment plans, and residual risk acceptance.
Organisational controls
Controls covering policies, asset management, access control, supplier relationships, incident management, business continuity, and compliance.
People controls
Controls covering screening, terms of employment, security awareness, disciplinary processes, and responsibilities after termination.
Physical controls
Controls covering physical security perimeters, entry controls, office security, equipment protection, and secure disposal.
Technological controls
Controls covering endpoint security, access rights, cryptography, secure development, vulnerability management, logging, and network security.
Use cases
Certification readiness
You're planning to get ISO 27001 certified and want to know how far you are. The assessment gives you a gap analysis and roadmap so you can invest your effort where it matters most, and walk into the certification audit with confidence.
M&A due diligence
Acquiring or merging with another organisation? An ISO 27001 assessment reveals the security posture of the target: what's solid, what's a risk, and what will need investment post-deal. Better to know before you sign.
Client and supply chain requirements
Your clients are asking about your security posture, or you need to demonstrate maturity without going through formal certification. An independent assessment report gives them, and you, the evidence.
Security baseline
You want to know where you stand. No certification pressure, no regulatory deadline, just an honest assessment of your information security management against the leading international standard.
How it works
- Scoping — We agree on the scope of the assessment: which parts of the organisation, which systems, which locations. This determines the depth and duration.
- Document review — Review of existing policies, procedures, risk assessments, and evidence of control implementation. We work with what you have, not what you wish you had.
- Interviews and walkthroughs — Conversations with key stakeholders to understand how security actually works in practice, not just on paper.
- Gap analysis — Systematic evaluation of each ISO 27001 requirement and Annex A control. Rated by maturity, with clear findings for each gap.
- Reporting and roadmap — A practical report with a prioritised roadmap. Each finding includes the risk, the effort to remediate, and a recommended approach.
Typical duration: 2-4 weeks, depending on scope and organisation size.
Why an independent assessment matters
- Objectivity — Internal teams know the organisation well but can have blind spots. An external assessor sees what's actually there, not what's assumed to be there.
- Experience across organisations — Having assessed security across different industries and sizes, an external assessor knows what "good" looks like and what's realistic for your context.
- Credibility — An independent assessment report carries more weight with boards, clients, regulators, and M&A counterparts than an internal self-assessment.
- No conflicts of interest — We assess. We don't sell you products, managed services, or certification. Our only interest is giving you an accurate picture.
Ready for an honest assessment?
Get in touch to discuss your situation. We'll scope the assessment to fit your needs and timeline.