ISO 27001 & SOC 2,
certified the first time.

End-to-end ISMS implementation by lead implementers who've sat on both sides of the audit table. Most clients are certified within 12 weeks.

ISO 27001: The international ISMS standard.

ISO/IEC 27001:2022 is the global standard for Information Security Management Systems. It defines the requirements for establishing, implementing, maintaining and continually improving an ISMS, with 93 controls in Annex A grouped into four themes: Organisational, People, Physical and Technological.

SOC 2: The North American trust standard.

SOC 2 is an AICPA framework focused on five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy. Type I is a point-in-time report; Type II covers a 6-12 month operating period and is what most enterprise buyers ask for.

When you need both.

If you sell to UK/EU and US customers, doing both at the same time costs about 30% more than just one. Far less than doing them sequentially. Evidence collected once is reused across both audits.

Why it matters.

01

Customer retention

Visible certification de-risks your relationship with customers who care about security.

02

Simplify vendor reviews

Hand over the audit report instead of filling 200-question security questionnaires.

03

Win new business

Pre-qualifies you for procurement-led enterprise buyers who require certification.

04

Stand out

Most competitors aren't certified. The badge becomes a sales asset, not just a compliance artefact.

The 12-week path to certification.

1

Scope & gap analysis

Weeks 1-2. Define the ISMS boundary, map current controls against ISO/SOC, surface the gaps.

2

ISMS design

Weeks 3-5. Risk register, Statement of Applicability, policies, control selection.

3

Implementation

Weeks 6-10. Roll out controls, train people with ISMS responsibilities, collect evidence.

4

Audit support

Weeks 11-12. Internal audit + mock external audit. We sit alongside you through Stage 1 and Stage 2.

  • ISMS scope statement & policy. Defines what's in and what's out, signed by leadership.
  • Statement of Applicability (SoA). Annex A controls mapped to your business, with rationale for inclusions and exclusions.
  • Risk register & treatment plan. Identified, scored, treated. Reviewed quarterly.
  • Asset & supplier registers. What you own, who has access, who you trust with your data.
  • Internal audit report. Required by Clause 9.2; we conduct it before the certification body does.
  • Mock external audit. A dress rehearsal with a senior consultant playing the auditor.
  • Certification audit support. We attend Stage 1 and Stage 2 audits with you.

Built on the standards auditors recognise.

  • ISO/IEC 27001:2022
  • ISO/IEC 27002:2022
  • ISO/IEC 27005
  • AICPA SOC 2 (TSP-100)
  • NIST CSF 2.0
  • UKAS-accredited bodies

What buyers usually ask.

How long does ISO 27001 / SOC 2 take?

Most clients are certified within 12 weeks. Smaller teams move faster; complex multi-product orgs can take 16-20 weeks. We commit to a fixed end date in the engagement letter.

What does it cost?

Implementation is a fixed scope, fixed fee. Typically £15k-£40k depending on scope and complexity. The certification audit itself is paid separately to the accredited certification body (£5k-£15k for ISO 27001, more for SOC 2).

Can we do ISO 27001 AND SOC 2 together?

Yes. The controls overlap by roughly 70%. We typically add 30% to the timeline and fee instead of running them in sequence (which would double the time).

Do you do the certification audit too?

No. That's a hard line under the standard. The certification audit must be performed by a UKAS-accredited certification body (such as BSI, LRQA, or NQA) for ISO 27001, or a licensed CPA firm for SOC 2. We project-manage the engagement with them.

What happens after we're certified?

Annual surveillance audits, plus full re-certification every 3 years. Most clients keep us on a light-touch vCISO retainer to maintain the ISMS between audits. Cheaper than rebuilding it each cycle.

Will my staff need training?

Minimal. The auditor expects everyone with ISMS responsibilities to know what they own. We run targeted 30-minute sessions only for those people. General security awareness training is a separate, much smaller piece.

Make compliance
feel inevitable.

Book a free consultation