Compliance Services

ISO 27001 Certification Consulting

Build a certified ISMS — without losing a year to documentation that goes nowhere.

ISO 27001 certification consulting from a practitioner who has applied Annex A controls in real audit contexts across multiple organizations. CISSP, CCSP, and CISM certified.

Schedule a Free Consultation

The ISO 27001 Challenge for SMBs

ISO 27001 certification requires a full Information Security Management System — a 6–18 month process that involves scoping the ISMS, building a risk register, mapping Annex A controls, implementing policies and procedures, and passing two audit stages. Most SMBs don't have internal expertise to run this without help.

The Annex A control mapping alone (93 controls across 4 themes in ISO 27001:2022) is complex work that requires both security expertise and organizational context. Without someone who has done this before, teams spend months building documentation that doesn't meet auditor expectations — and discover this at Stage 1.

What We Deliver

An ISMS that passes auditor scrutiny — documentation and controls built to the standard, not to a generic template.

  • ISMS scope definition and boundary documentation
  • Risk treatment plan aligned to Annex A controls
  • Policy and procedure library (required and supporting documents)
  • Annex A controls implementation guidance
  • Internal audit support before Stage 1
  • Certification audit preparation and auditor liaison

ISO 27001:2022 Key Requirements

  • ISMS scope document
  • Information security policy
  • Risk assessment and risk treatment process
  • Statement of Applicability (SoA)
  • 93 Annex A controls assessed and documented
  • Internal audit program
  • Management review records

Our Process

A five-stage engagement from scoping through certification that mirrors the actual audit structure.

1. Scoping & Gap: Define ISMS scope and boundaries. Assess current state against ISO 27001 requirements.

2. ISMS Design: Build the risk register, risk treatment plan, and policy library your ISMS requires.

3. Controls Implementation: Annex A control build-out, with all 93 controls assessed and the applicable ones implemented.

4. Internal Audit: Pre-certification readiness review to identify gaps before Stage 1.

5. Certification Support: Auditor liaison during Stage 1 (documentation review) and Stage 2 (certification audit).

Who This Is For

  • Companies seeking ISO 27001 certification for the first time
  • Organizations with European customers or enterprise supplier certification requirements
  • SaaS companies that need a globally recognized security credential beyond SOC 2
  • Businesses entering regulated industries where ISO 27001 is the standard

Real-World ISO 27001 Control Experience

Jonathan Carpenter served as Director of GRC at Kevel, where he led both SOC 1 and SOC 2 compliance programs from gap assessment through certification. He has also performed third-party vendor reviews aligned to ISO 27001 controls at other organizations — applying Annex A control frameworks in real audit contexts.

CISSP, CCSP, and CISM certified. 25+ years enterprise security experience. Based in Biddeford, Maine — serving clients nationally and internationally.

  • CISSP: Certified Information Systems Security Professional
  • CCSP: Certified Cloud Security Professional
  • CISM: Certified Information Security Manager

GRC & Audit Experience

  • Led SOC 1 and SOC 2 programs at Kevel (Director of GRC) — gap assessment through certification
  • Built Statement of Applicability, risk treatment plan, and full policy library used in live audit
  • Knows what auditors ask for in both Stage 1 and Stage 2 — because he's been in the room

Ready to pursue ISO 27001 certification?

Schedule a free consultation. We'll discuss your certification goals, timeline, and what ISMS implementation would look like for your organization.