Implementing the ISO 27001 standard is a challenge for any organisation. The requirement to become certified to any standard is often driven by contractual obligation, regulatory requirement or simply being the right thing to do for the organisation; on nearly all occasions it can seem a daunting process and can be difficult to evaluate.

For those wanting to understand their current security posture, the range of products below can be used to baseline your maturity level and help you evolve your information security strategy going forward; this is true even if you don’t want to pursue the full certification.

Why Choose Nettitude?

Traditional approaches to certification often apply a ‘one size fits all’ model that doesn’t quite fit what you really want, nor does it fully align to your strategic objectives. These ‘GAP analysis exercises’ often miss crucial components of the certification, such as:

  • What is your scope?
  • What is the driver for certification?
  • Is an alternative more suitable?

Nettitude’s experienced consultants, who are Lead Auditors themselves, will provide a real-world perspective on implementing ISO/IEC 27001 using Nettitude’s proven methodology to align this to your business objectives. With this approach, the route to certification is broken into manageable elements which ensure that you’re in control of where you want your resources to be used. In making these informed choices, you’ll select only the elements you need assistance with and want to evaluate.

What Version is ISO 27001 at and How Might That Affect Me?

ISO 27001:2013 is the current version and the second iteration. It is aligned to the ISO’s Annex SL specification, which describes the structure of future management system standards. Nettitude recognises this harmonisation by the ISO/IEC, especially for those holding any of the following:

  • ISO 9001:2015 – Quality Management
  • ISO 14001:2015 – Environmental Management
  • ISO 22301:2012 – Business Continuity Management

Where you have transitioned to any of the above, you are already ahead. If you’ve yet to make the move, the information you get from us will place you in a strong position to transition your other certifications sooner and build on the value you’ve gained from Nettitude.

By breaking down the certification into the following Base Activities (BAs), you can select as many or as few as you need, in the time frame you want them. We will support you all the way. Nettitude is completely agnostic to the certification body you choose; our products will successfully support you on your journey whoever completes the certification assessment.

BA1 – ISO27001 Management Workshop

Getting started is often the most challenging step, usually through a misunderstanding of the ISO 27001 standard and its purpose. This workshop is for top-level management, decision-makers, and risk owners. We spend the day demystifying the standard into smart activities and objectives, which can be incorporated into either a project or within business as usual activities. It will make the standard accessible and sow the seeds for engaging the rest of the organisation. For those running alternative security or compliance regimes such as PCI DSS, it will demonstrate how the work you are already doing can be incorporated into your ISO 27001 ISMS for quick wins.

BA2 – Information Security Management System (ISMS) Review

This review is aimed at the elements of the standard which form the core requirements and is focused at top management, decision makers and risk owners. It will evaluate how compliant you are with clauses 4 to 10 and provide you with a roadmap to achieving full compliance. Your roadmap will be tailored to your organisation and objectives, so that the scope of your ISMS meets your strategy.

BA3 – Risk Management

Risk Management is at the heart of ISO/IEC 27001:2013. In conjunction with your Nettitude consultant, a risk management system incorporating the requirements of the standard will be developed which fits your organisation both in terms of size and complexity; this will be incorporated into your ISMS, providing the necessary business processes to run the system.

BA4 – Security Control Review

Nettitude consultants will use a combination of substantive and compliance methods to assess your security controls against the ISO 27001 Annex A Controls (see below). Where the scope of the certification is not yet known, this will look across your entire organisation to provide you with an indication of your security posture and risk levels. It will also provide you with the ability to create SMART activities/objectives to address those risks. Your consultant may also recommend an alternative to ISO 27001 depending upon the findings within the organisation.

BA5 – Third-Party Risk Service

The ISO 27001 revision in 2013 increased the level of controls required when working with third parties. Nettitude’s consultants will work with you to determine your Risk Levels (RLs) and design an assessment process to harvest and manage the RLs from each third party. Whether you hold the certificate yet or not, Nettitude can support you in this area by completing those risk assessments on your behalf.

BA6 – Internal Audit Service

Your organisation may not initially have the time or resources to fulfil the requirements of internal audits. Nettitude can develop and deliver an internal audit programme to meet the requirements of the standard and, more importantly, grow your ISMS and security posture. As your familiarity with the standard and processes improves, you may choose to bring this in-house or simply retain Nettitude to deliver this core element of the standard on your behalf.

Choosing Your Base Activities

Nettitude is ready to assist you at all stages and has compiled the following table, providing a number of scenarios and the suggested base activities we can provide: