
ISO 27001 Audit

Certification audit and assessment of your information security management system (ISMS) — by an appointed and experienced lead auditor.

ISO/IEC 27001 is the internationally recognised standard for an information security management system. A certificate shows customers, partners and supervisory authorities that you manage information security systematically — not by chance. As an appointed lead auditor, I assess your ISMS fairly and transparently and deliver findings you can actually work with.

What the audit covers

The audit examines the effectiveness of your management system against the normative requirements of the standard (clauses 4–10) and the appropriateness of the Annex A controls you have selected. The focus is on your scope, your risk assessment and treatment, the Statement of Applicability (SoA), and evidence that the defined measures are actually operated day to day, not just documented.

A two-stage process

The certification audit takes place in two stages: in Stage 1 I assess the documentation and your audit readiness; in Stage 2 I review effectiveness on site or remotely. After successful certification, annual surveillance audits follow, with recertification after three years.

Areas we focus on

  • Context, scope and leadership responsibility
  • Risk assessment and risk treatment plan
  • Statement of Applicability (SoA) and justification of controls
  • Organisational, people, physical and technological controls (Annex A of ISO/IEC 27001:2022)
  • Internal audit, management review and continual improvement
  • Supplier management, incident management and business-continuity links

Contact

Let’s talk about your audit.

Send an informal enquiry or arrange a slot directly — I reply to every e-mail.