ISO 27001 — Structured, ongoing information security management.
ISO 27001 is more than a standard. It's a way to build structured, measurable and ongoing information security management — one that strengthens trust with customers and business partners.
ISO 27001 is the new table stake.
Enterprise clients ask for ISO 27001 in vendor questionnaires. Tier-1 customers won't sign without it. Insurance companies discount premiums for certified vendors. For tech, B2B SaaS, and any company handling enterprise data — certification is no longer optional.
End-to-end support in building an information security management system and preparing the organization for the certification audit.
- Gap analysis against ISO 27001:2022
- Build of the information security management system (ISMS)
- Policies and procedures written to match the organization and the certification scope
- Risk treatment plan with documented controls
- Internal audit preparation
- Mock audit and remediation of findings
- Coordination with the certification body
- Annual surveillance audit support — scope defined per engagement
A structured process — from initial assessment to the certification audit.
Overall duration depends on the organization's starting point, the certification scope, the availability of internal stakeholders and the pace at which controls are implemented. In practice, the engagement follows these stages:
Gap analysis
Current state compared against ISO 27001:2022 requirements, with the main gaps identified and described.
ISMS build
Scope definition, risk assessment, policy authoring and control implementation — adapted to the organization rather than generic templates.
Audit preparation & mock audit
Support for preparing or running the internal audit through an appropriately independent party, in line with objectivity requirements, followed by a mock audit so findings can be addressed before the certification audit.
Certification audit
Coordination with the certification body and support for the organization throughout the audit. The certification decision is made solely by an independent certification body.
Which certification body do you work with?
We're vendor-neutral. We work only with certification bodies accredited in Israel — for example, the Standards Institution of Israel (SII). We pick the right body together based on your industry and target customers.
What if our current state is really bad?
That's normal. The gap analysis tells us honestly how far you are. If certification is unrealistic in your timeline, we'll say so before you spend money.
Will you guide us to ISO 27001:2013 or 2022?
2022. The old version is being phased out. Start fresh on the current standard.
What is a mock audit and why do we need it?
A mock audit is a dress rehearsal before the certification body's official audit. We run an internal review that mirrors exactly what the external auditor will ask to see — documents, procedures, evidence of controls, decision logs. Anything that surfaces gets fixed before it reaches the real audit. The result: when the certification body arrives, no surprises. The risk of failing the formal audit (and paying for a re-audit) drops dramatically.
What is a surveillance audit and why do we need support for it?
An ISO 27001 certificate is valid for 3 years — but to keep it, you need a follow-up audit every year. This is called a surveillance audit — the certification body returns to verify that your system is still operating correctly, that procedures are being updated, and that you're improving over time. Without these audits, the certificate is revoked. We support this annual audit (preparation + on-site coordination) — scope and pricing are defined per engagement, and it can also be combined with ongoing cyber management.
Can this be combined with CaaS?
Yes — and it's recommended. ISO 27001 is the start; ongoing cyber management is how you keep the certification valid year after year. The two can be combined.