ISO 27001

ISO 27001 provides a clear, structured way to manage information security with confidence. At Cambridge Risk Solutions, we make the standard practical and proportionate, helping you build an ISMS that works day to day, protects your information and supports secure, well-run operations.

Why ISO 27001 Matters

Information is one of the most valuable assets organisations hold, supporting everything from customer relationships and staff management to product development, financial operations and service delivery. When information is protected effectively, it enables trust, smooth operations and good decision-making. When something goes wrong — whether through a cyber attack, system outage or human error — the consequences can be significant: 

  • disruption to essential services 
  • financial loss 
  • reputational harm 
  • regulatory or legal implications 
  • contract failures or loss of customer confidence 

ISO 27001 helps organisations address these risks in a calm, structured and proportionate way. It ensures controls are selected based on real-world needs rather than assumptions or fear. It also provides clear assurance to customers, partners and regulators that information is being handled responsibly and securely.

Importantly, ISO 27001 is flexible. It does not mandate the same controls for every organisation. Instead, it encourages thoughtful risk-based decision-making — something central to our approach.

Common Challenges for Organisations Implementing ISO 27001

Despite its benefits, many organisations struggle when attempting ISO 27001 without guidance. Common challenges include: 

1. Defining the ISMS scope clearly

Organisations often either scope too broadly, creating unnecessary workload, or too narrowly, missing key risks. Scope decisions shape the entire ISMS, so clarity here is essential.

2. Overcomplicated or unrealistic risk assessments

Risk assessment is the backbone of ISO 27001, but many organisations produce assessments that are either overly technical, subjective or disconnected from daily operations.

3. Documentation overwhelm

Some organisations create large volumes of paperwork because they believe “more is safer”. Others rely on generic templates that do not reflect their real processes. Neither leads to a useful ISMS.

4. Misinterpreting Annex A controls

Controls in ISO 27001:2022 cover a wide range of topics — from access control to supplier relationships to physical security. They are not mandatory checklists, but many organisations treat them as such, resulting in over-engineering.

5. Difficulty sustaining the ISMS after certification

Initial motivation often drops once the certificate is awarded. Without steady maintenance, internal audits lose value, controls drift and documentation becomes outdated.

6. Aligning information security with the rest of the business

Information security must involve people, processes and technology. Many organisations struggle when responsibility, communication or ownership is unclear.

Cambridge Risk Solutions’ Approach

We help organisations build ISO 27001 arrangements that are workable, sustainable and grounded in real-world operations. Our approach is built on clarity, proportionate controls and long-term resilience.

Practical, not prescriptive

We do not impose “best practice” templates or technical solutions that don’t fit. We interpret ISO 27001 in the context of your organisation’s scale, risk profile and operational needs.

Human-centred

Information security is not just about technology — it’s about people making decisions every day. Our documentation, training and guidance are written in clear English, designed to build understanding and confidence.

Integrated

We connect ISO 27001 with Data Protection, supply chain risk, operational resilience, crisis management and business continuity to create a coherent, joined-up governance approach.

Support across the full lifecycle

From initial scoping to certification and long-term maintenance, we provide steady guidance, independent challenge and practical examples.

Key Components of ISO 27001

We help define a clear, manageable scope aligned with your operations, technology environment, physical locations and key information assets. This avoids unnecessary complexity and ensures meaningful coverage. 

We support organisations in identifying their information assets — the systems, datasets, applications and processes that matter most. Understanding how information flows helps identify dependencies, vulnerabilities and priorities. 

Risk assessment is central to ISO 27001. We guide clients through structured, realistic assessments focused on threats, vulnerabilities and impacts relevant to their size and context. The outcome is a practical risk register that drives the risk treatment plan. 

Annex A of ISO 27001:2022 includes 93 controls grouped into four themes: organisational, people, physical and technological. We help organisations select proportionate controls that address their actual risks rather than trying to implement everything for the sake of completeness. The Statement of Applicability (SoA) provides a clear, justifiable record of these decisions: which controls apply, which do not, and why.

We develop documentation that is clear, concise and genuinely useful. Typical elements include: 

  • information security policies 
  • acceptable use 
  • access control 
  • device and remote working guidance 
  • secure configuration 
  • supplier security requirements 
  • incident management procedures 

Everything is written in accessible language and tailored to your organisation. 

Supplier and cloud service risks are increasingly prominent. We help organisations: 

  • assess supplier risks proportionately 
  • incorporate security expectations into contracts 
  • evaluate cloud security controls 
  • integrate third-party services into the ISMS 
  • monitor supplier performance and changes 

We support the development of calm, structured incident management processes including identification, escalation, response and learning. This builds confidence and reduces panic when unexpected events occur. 

Internal audits are not about catching people out; they are about learning. We help organisations design internal audit approaches that are proportionate, constructive and focused on improvement, rather than replicating certification audits. Management reviews are similarly tailored, focusing on trends, insights and decisions. 

The ISMS is a living system. We provide practical approaches to improvement planning, periodic reviews and adapting to organisational or technological change. 

Supporting ISO 27001 Certification

We support organisations at every stage of the certification journey: 

  • ISO 27001 gap analysis 
  • risk assessment and risk treatment planning 
  • control selection and SoA development 
  • documentation and policies 
  • internal audit support or independent internal audits 
  • pre-certification readiness reviews 
  • support through Stage 1 and Stage 2 certification audits 
  • post-certification improvement planning 

Our approach ensures certification is achievable, realistic and sustainable — not a rushed, checklist-driven exercise.

How Long Does ISO 27001 Take?

This is one of the questions we hear most often, and the honest answer is: it depends — but it is not as long as you might fear.

For a small or medium-sized organisation starting from a reasonable baseline, certification in six to nine months is realistic. We have delivered it in six. For larger or more complex organisations, or those with significant gaps to address, twelve months is a more comfortable target.

The main variables are:

  • Scope — a tightly defined, proportionate scope is faster to build and easier to audit
  • Starting point — organisations with existing policies, some security awareness, and documented processes move faster
  • Internal resource — having a designated internal lead who can engage actively with the process makes a material difference
  • Certification body availability — audit slots can affect the overall timeline, particularly for Stage 2

What we aim to avoid is the pattern of rushing to certification at the expense of building something that actually works. A certificate achieved in six months is only valuable if the ISMS behind it is genuine. That is always the goal.

If you have a deadline — a contract requirement, a tender, a client who has asked for it — tell us at the outset. We will give you an honest view of what is achievable.

ISO 27001 in Practice: Client Case Studies

ISO 27001 certified in six months: a tech startup case study — from first contact to certified with no non-conformances in under six months, with the client’s internal team going on to achieve Cyber Essentials independently.

Eight years of outsourced ISO compliance support for a tech company — a long-term partnership covering ISO 27001, ISO 9001 and ISO 14001, outsourced DPO, and a King's Award for Enterprise along the way.

ISO 27001 certification for an NHS supplier within a global corporation — achieving meaningful certification for a 60-person team inside a large international business, using careful scope definition to make it both credible and auditable.

Integrated ISO 22301 and ISO 27001 for an automotive testing facility — a decade of continuous certification across both standards, with an exercising programme that drew specific praise from a UKAS-observed auditor.

Long-Term Sustainability of the ISMS

Maintaining ISO 27001 is often more challenging than achieving the certificate. We support long-term success through: 

  • periodic reviews of documentation 
  • updates to controls and risk assessments 
  • monitoring of incidents, trends and emerging threats 
  • supplier reviews 
  • staff awareness and refresher activities 
  • readiness for surveillance audits 
  • advice on integrating evolving standards (e.g. ISO 27002, ISO 22301, ISO 22361) 

Our aim is to help organisations view ISO 27001 as part of everyday governance rather than an annual administrative event. 

Why Organisations Choose Cambridge Risk Solutions

Clients choose us because: 

  • our principal consultant is a qualified ISO 27001 Lead Auditor — we know exactly what certification bodies look for, because we audit to the same standard ourselves
  • our guidance is calm, proportionate and grounded in nearly two decades of practical consultancy 
  • we avoid unnecessary complexity, tailoring ISO 27001 to your reality 
  • our documentation is clear, accessible and human 
  • we build long-term relationships (often over 10+ years) 
  • we provide consistent expertise — no subcontractors 
  • we integrate ISO 27001 with wider resilience, continuity and Data Protection 
  • we help organisations build sustainable, trusted security arrangements 

We support organisations of all sizes, from small technology companies to complex national services. 

A Human, Practical Approach to ISO 27001

ISO 27001 should not feel overwhelming. When implemented properly, it provides clarity, confidence and reassurance for staff, customers and leadership. It helps organisations make better decisions, respond calmly to incidents and strengthen their resilience. Our role is to guide you through that journey — with clarity, steadiness and a practical approach that aligns with how your organisation truly works.