A CERT-In Empanelled Auditing Organization
Audits & Attestation

ISO 27001 (ISMS)

Internal and certification-support audits of your Information Security Management System against ISO/IEC 27001:2022 and its Annex A controls.

Overview

Assurance over your ISMS, end to end.

ISO 27001 certification signals a mature, risk-based approach to information security. Maintaining it requires regular internal audits and clean surveillance and recertification audits.

We audit your ISMS against the management-system clauses and Annex A controls, verifying that your risk treatment, policies and controls are implemented and effective — and that you’re ready for the certification body.

What’s covered

The areas this audit examines.

ISMS management clauses

Clauses 4 to 8: context, leadership, planning, support and operation.

Risk assessment & treatment

Risk assessment methodology, risk treatment plan and documented, risk-owner-approved treatment decisions.

Annex A controls

The four 2022 control themes: organisational, people, physical and technological.

Statement of Applicability

Justification for the inclusion or exclusion of each Annex A control, and coverage against the risk treatment plan.

Internal audit & review

Clauses 9 and 10: internal audit programme effectiveness, management review and continual improvement.

Who needs this

Does this match your needs?

Where this engagement tends to add the most value.

Companies pursuing certification: a formal ISO 27001 credential.
IT & software firms: tender and client requirements.
BPOs & data processors: client-mandated ISMS.
Enterprises managing sensitive data: structured security governance.
Suppliers to large organisations: contractual ISO requirement.
Certified orgs needing internal audits: annual surveillance readiness.
Regulatory drivers

Why this is required

ISO/IEC 27001 certification is achieved and maintained through independent audit and is increasingly required by clients, tenders and regulators; the audit verifies that your ISMS is both well-designed and operating effectively.

ISO/IEC 27001:2022
Certification requires a Stage 1 (documentation) and Stage 2 (implementation) audit by an accredited certification body, followed by annual surveillance audits and recertification at the end of each three-year cycle.
Client contracts & tenders
A valid certificate is frequently a condition of enterprise and government contracts.
Regulatory alignment
Several Indian regulators recognise or expect ISO 27001 as evidence of a sound security posture.
How we work

How the engagement runs.

A disciplined sequence that ends in a clear, evidence-backed outcome.

Scoping & ISMS review

Confirming the ISMS scope, Statement of Applicability and documentation.

Stage 1 documentation audit

Reviewing the ISMS design and readiness for certification.

Stage 2 effectiveness audit

Testing that the ISMS operates effectively in practice.

Nonconformity evaluation

Raising nonconformities, classifying each as major or minor, and tying it to the clause or Annex A control it fails.

Findings & report

A clear audit report with findings, evidence and required corrective actions.

Recommendation & surveillance

Our recommendation on whether you are ready to proceed to the certification body, and the ongoing surveillance plan.

What you receive

Documentation built for every audience.

  • Formal audit report: findings against ISO/IEC 27001 with supporting evidence.
  • Statement of Applicability review: assessment of your SoA and control coverage.
  • Nonconformity register: major and minor nonconformities raised.
  • Certification recommendation: a clear recommendation on your readiness for certification.
  • Surveillance plan: the ongoing audit schedule to maintain certification.

Standards & frameworks

We tie this engagement to the frameworks and regulations you answer to.

ISO/IEC 27001:2022 · ISO/IEC 27002 · ISO/IEC 27005 · SOC 2 (mapping)
Checklist

Are you ready? A quick checklist

What to have in place before we begin.

ISMS scope defined
Risk assessment & SoA current
Annex A controls implemented
Policies and procedures approved
Internal audit programme planned
Evidence of control operation
Management review records
Nonconformity / CAPA process ready
FAQ

Common questions

Do you issue the certificate?
No — certification is issued by an accredited certification body. We perform internal and pre-certification audits to get you ready and support you through theirs.
How often are internal audits needed?
Clause 9.2 requires internal audits at planned intervals but does not fix a frequency. In practice most organisations cover the whole ISMS at least once a year, often by spreading audits across the year by area, and certification bodies expect every clause and applicable control to be audited within the three-year certification cycle. Audits must be objective and impartial, carried out by auditors independent of the area being audited. We can run them as a managed programme so the requirement is met without burdening your team.
Which version do you audit against?
We audit against ISO/IEC 27001:2022, including the restructured Annex A with its four control themes (organisational, people, physical and technological). If you are still certified to the 2013 version, we provide transition support to move you onto the 2022 control set ahead of your next recertification; note that the IAF transition deadline for 2013 certificates was 31 October 2025, after which those certificates are no longer valid.
Related services

Continue exploring

Ready to get started?

Talk us through your needs, and we’ll tailor the engagement to match.