We don't hand you a binder. We embed information security into how your business works — and get you certified.
ISO 27001 certification is increasingly table stakes for winning enterprise clients, satisfying financial services regulators, and demonstrating that your organisation takes data protection seriously. But the implementation itself is where most organisations struggle — because building a genuine Information Security Management System (ISMS) is not a documentation project. It requires operational change.
Secforge has delivered ISO 27001:2022 implementations across financial services, technology, healthcare, and manufacturing. Our approach is hands-on and practical. We integrate controls into your actual workflows — not a parallel set of procedures that exist only to satisfy auditors.
ISO 27001:2022 introduced eleven new Annex A controls and reorganised the control set from 114 to 93 controls across four themes. The new controls reflect the reality of how modern organisations operate: cloud services, threat intelligence, physical security monitoring, data masking, and secure coding are now explicitly addressed. If your organisation was certified under the 2013 version, transition to 2022 is mandatory — and represents an opportunity to refresh your ISMS, not just update paperwork.

We assess your current state against all 93 Annex A controls and the 10 main clauses of the standard. You receive a gap register that prioritises remediation actions by implementation complexity and risk impact — the foundation of your project plan.

We establish your risk assessment methodology, conduct the risk assessment, and produce your risk treatment plan. In parallel, we draft the policy and procedure documentation required by the standard — tailored to your organisation, not copied from a template library.

Controls are implemented in your operational environment. We work with your IT team on access management, logging, change management, and supplier assessment processes. We build the evidence records your certification auditor will want to see — so that your Stage 2 audit does not produce last-minute scrambles for documentation.

We conduct your internal audit as required by Clause 9.2, lead your management review, close out non-conformities, and prepare your team for the Stage 1 and Stage 2 certification audits. We are present during the certification audit to support your team in responding to auditor queries.
Organisations dealing with personal data or those whose operations must continue through disruption often need more than ISO 27001 alone:

An extension to ISO 27001 that addresses the requirements of privacy frameworks including India's DPDP Act, GDPR (for organisations handling EU resident data), and other applicable regulations. Particularly relevant for healthcare, fintech, and any organisation processing significant volumes of personal data.

Business continuity planning is a control requirement under ISO 27001 — ISO 22301 takes it further. We implement Business Continuity Management Systems for organisations where operational resilience is a regulatory expectation (financial services, healthcare) or a client contractual requirement (BPO, data centres).
Certification is not the end of the programme — it is the beginning. The ISO 27001 standard requires ongoing operation of the ISMS, annual internal audits, management reviews, and surveillance audits by your certification body in years one and two after initial certification. Secforge provides ongoing support to keep your ISMS operational and your surveillance audit preparation current.