

Implementing the ISO 27001 standard is a challenge to any organisation. The requirement to become certified to any standard is often driven through contractual obligation, regulatory requirement or simply being the right thing to do for the organisation. In most scenarios, ensuring ISO 27001 compliance can seem like a daunting process.

For those wanting to understand their current security posture, the range of products below can be used to baseline your maturity level and help you evolve your information security strategy moving forward; this holds true even if you don’t want to pursue full ISO 27001 certification.

Why Choose Nettitude?

Traditional approaches to ISO 27001 certification often apply a ‘one size fits all’ approach that doesn’t quite achieve what you really want, or fully align with your strategic objectives. These ‘GAP analysis exercises’ often miss crucial components of the certification, such as:

  • Your scope
  • Your driver for certification
  • More suitable alternatives

Nettitude’s experienced consultants, who are Lead Auditors themselves, will provide a real-world perspective on implementing ISO/IEC 27001 using Nettitude’s proven methodology to align this with your business objectives. With this approach, the route to certification is broken down into manageable elements which ensure that you’re in control of where you want your resources to be allocated. In making these informed choices, you’ll select only the elements you need assistance with and want to evaluate.

Frequently Asked Questions About ISO 27001 Certification

What version is ISO 27001 at, and how might that affect me?

ISO 27001:2013 is the current version and the second iteration. It is aligned to the ISO’s Annex SL specification, which defines the common structure for future management system standards. Nettitude recognises the value of this harmonisation by the ISO/IEC, especially for organisations holding any of the following:

  • ISO 9001:2015 – Quality Management
  • ISO 14001:2015 – Environmental Management
  • ISO 22301:2012 – Business Continuity Management

If you have transitioned to any of the above, you are already ahead. If you’ve yet to make a move, the information you get from us will place you in a strong position to transition your other certifications sooner and build on the value you’ve gained from Nettitude.

By breaking down the certification into the following Base Activities (BAs), you can select as many or as few as you need in the time you want them. We will support you all the way. Nettitude is completely agnostic to the certification body you choose – our products will successfully support you on your journey regardless of who you choose to complete the certification assessment.

What are the steps in pursuing ISO 27001 certification?

BA1 – ISO27001 Management Workshop

Getting started is often the most challenging step, usually due to a misunderstanding of the requirements and purpose of the ISO 27001 standard. This workshop is for top-level management, decision-makers, and risk owners. We spend the day demystifying the standard into SMART activities and objectives, which can be incorporated into either a project or business-as-usual activities. It will make the standard accessible and sow the seeds for engaging the rest of the organisation. For those running alternative security or compliance regimes such as PCI DSS, it will demonstrate how the work you are already doing can be incorporated into your ISO 27001 ISMS for quick wins.

BA2 – Information Security Management System (ISMS) Review

This review is aimed at the elements of the standard which form the core requirements and is focused at top management, decision makers and risk owners. It will evaluate how compliant you are with clauses 4 to 10 and provide you with a roadmap to achieving full compliance. Your roadmap will be tailored to your organisation and objectives so that the scope of your ISMS meets your strategy.

BA3 – Risk Management

Risk Management is at the heart of ISO/IEC 27001:2013. In conjunction with your Nettitude consultant, a risk management system incorporating the requirements of the standard will be developed which fits your organisation in terms of both size and complexity; this will be incorporated into your ISMS, together with the business processes necessary to run the system.

BA4 – Security Control Review

Nettitude consultants will use a combination of substantive and compliance methods to assess your security controls against the ISO 27001 Annex A Controls (see below). Where the scope of the certification is not yet known, this will look across your entire organisation to provide you with an indication of your security posture and risk levels. It will also provide you with the ability to create SMART activities/objectives to address those risks. Your consultant may also recommend an alternative to ISO 27001 depending upon the findings within the organisation.

BA5 – Third-Party Risk Service

The ISO 27001 revision in 2013 increased the level of controls required when working with third parties. Nettitude’s consultants will work with you to determine your Risk Levels (RLs) and design an assessment process to harvest and manage the RLs from each third party. Whether you hold the certificate yet or not, Nettitude can support you in this area by completing those risk assessments on your behalf.

BA6 – Internal Audit Service

Your organisation may not initially have the time or resources to fulfil the requirements of Internal Audits. Nettitude can develop and deliver an internal audit programme to meet the requirements of the standard and more importantly grow your ISMS and security posture. As you get more familiar with the standard and processes, you may choose to bring this in-house or simply retain Nettitude to deliver this core element of the standard on your behalf.

What are the base activities that Nettitude can provide?

Nettitude is ready to assist you at all stages. We have compiled the following table with a number of scenarios and suggested base activities we can provide:

Frequently Asked Questions about Data Privacy Security

What is an incident response policy?

An incident response plan or policy is a process you create before you experience a cyberattack, so that your team has a procedure to follow when you do experience a data breach. Nettitude follows the CREST Cybersecurity Incident Response process, which is broken down into three phases: preparation, response, and follow-up. Having a breach plan gives you the confidence to quickly nullify any threat to your data privacy security.

Why is data privacy security important?

Although it has always been important, the need for stronger security is growing now that technology is indispensable to everyday life. Using apps, browsing websites, and shopping online are all examples of how your data is stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.

Does Nettitude practice sustainability?

As a company with a global footprint, sustainability is an area of importance to us. We are a registered ‘Investor in People’ organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.
