HomeServicesCase StudiesInsightsAboutBook a free review

Home / Services / ISO 27001 & ISMS

Project + ongoing

ISO 27001 & ISMS

The certification that stops enterprise security questionnaires from killing your deals. Built to fit a startup, and taken all the way through to a passed external audit.

What an ISMS actually is

An ISMS — Information Security Management System — is the framework of policies, risk assessments, and controls that proves, to customers and auditors, that you manage security deliberately rather than by luck. ISO 27001:2022 is the international standard that certifies that ISMS against 93 Annex A controls.

For a startup it's less about the certificate on the wall and more about what it unlocks: enterprise buyers, government procurement, and security questionnaires stop being deal-blockers. And because the ISMS maps closely to SOC 2, the work isn't wasted if your buyers ask for that instead.

How I run it

  • Scope & risk assessment — what actually needs protecting, and from what
  • Statement of Applicability — which of the 93 controls apply, and why
  • Controls & policies — written for a small team, embedded in how you already work
  • SDLC guardrails — security in the pipeline, not a document nobody reads
  • Penetration-test coordination — scoping, vendor selection, and remediation
  • Internal audit & evidence — the paper trail auditors need, collected as you go
  • External audit — I sit with you through certification

Why me

I've built exactly this before — an ISO 27001:2022 program stood up from nothing, through a passed external audit, at a company where I was also the sole platform engineer. I know how to get certified without grinding a small engineering team to a halt, because I've had to live with the controls I wrote.