What an ISMS actually is
An ISMS — Information Security Management System — is the framework of policies, risk assessments, and controls that proves, to customers and auditors, that you manage security deliberately rather than by luck. ISO 27001:2022 is the international standard that certifies that ISMS against 93 Annex A controls.
For a startup it's less about the certificate on the wall and more about what it unlocks: enterprise buyers, government procurement, and security questionnaires stop being deal-blockers. And because the ISMS maps closely to SOC 2, the work isn't wasted if your buyers ask for that instead.
How I run it
- Scope & risk assessment — what actually needs protecting, and from what
- Statement of Applicability — which of the 93 controls apply, and why
- Controls & policies — written for a small team, embedded in how you already work
- SDLC guardrails — security in the pipeline, not a document nobody reads
- Penetration-test coordination — scoping, vendor selection, and remediation
- Internal audit & evidence — the paper trail auditors need, collected as you go
- External audit — I sit with you through certification
Why me
I've built exactly this before — an ISO 27001:2022 program stood up from nothing, through a passed external audit, at a company where I was also the sole platform engineer. I know how to get certified without grinding a small engineering team to a halt, because I've had to live with the controls I wrote.