Skip to content
GRC · ISO 27001 LA-led Implementation

Implementation, not advice — for
ISO 27001 Certification

ISO 27001, NESA / UAE IA V2, PDPL, ADHICS, and formal risk programs — delivered hands-on by an ISO 27001 Lead Auditor. We implement. Accredited certification bodies certify. Never both. No conflict of interest, ever.

ISO 27001 Lead Auditor on every engagement Implementation only — never the certifier Audit-ready evidence pack included

0h Quote Turnaround
0d Typical ISO Track
0 Frameworks Delivered
0% Implementation, not Advice
Standards ISO/IEC 27001:2022 ISO/IEC 27002:2022 ISO/IEC 27005 UAE IA V2 ADHICS v2 UAE PDPL Dubai ISR v2

Pricing — Four tiers

Pick your scope, lock the fee

From single-framework readiness scans for SMEs to multi-framework certification programs.

Starter

AED 12,000

Ideal for: Sub-30-employee UAE companies needing first-pass compliance scoping.

  • PDPL readiness scan OR ISO 27001 mini-gap (single framework)
  • Up to 5 staff interviews
  • High-priority gaps + 90-day priority list
  • Remediation walkthrough call
  • Full Annex A walk-through
  • Policy authoring

Designed for UAE SMEs under 30 employees. One-time engagement, no retest included.

Get a quote

Essentials

AED 22,000

Ideal for: SMEs and mid-market needing a formal single-framework gap assessment.

  • ISO 27001 gap assessment OR PDPL readiness (single framework)
  • All 93 Annex A controls (if ISO) or full PDPL articles
  • 5–10 staff interviews
  • Maturity scoring + remediation roadmap
  • Executive summary
  • Full implementation
  • Combined frameworks
Get a quote

Enterprise

AED 75,000–110,000

Ideal for: Multi-framework programs — ISO 27001 + ADHICS or NESA.

  • Combined program (ISO 27001 + ADHICS v2 OR NESA / UAE IA V2)
  • Unified control set across frameworks
  • Multi-site or regulated-sector scope
  • Full evidence pack + audit liaison
  • Quarterly check-ins for 12 months post-certification
  • Certification audit fees (paid to certifier)
  • PCI DSS (separate quote)
Get a quote

Not sure which tier fits?

Book a 20-min scoping call

Year 2 — 2027 roadmap

Planned additions. Join the waitlist and we'll email you 30 days before each service launches.

2027

Incident Response Retainer

Monthly retainer for IR SLA, playbook maintenance, and annual exercise. Your IR team on speed-dial.

2027

ISO 27701:2025 (Privacy Information Management)

Privacy management systems layered on ISO 27001. Natural upsell as UAE PDPL enforcement tightens.

2027

NIST CSF 2.0 + Board Risk Reporting

Structured risk programs with appetite statements, registers, and quarterly board reports.

2027

PCI DSS v4.0

Payment card compliance — launching if fintech is our Year-1 vertical anchor.

2027

Dubai ISR v2

Dubai Government information security regulation — government-adjacent and supplier contracts.

2027

Third-Party Risk Assessment

Scalable vendor security assessment service. Mandated by UAE IA V2 and ISO 27001.

Year 3 — 2028 roadmap

Advanced and regional expansion. Join a waitlist if you want first access.

2028

NCA ECC + SAMA CSF

Saudi Arabia market entry — NCA Essential Cybersecurity Controls + SAMA financial framework.

2028

COBIT 2019

Enterprise IT governance for banks, telcos, and government. C-suite engagement.

2028

ISO/IEC 42001 — AI Governance

First-mover AI governance advisory in UAE — Every large client deploying AI; none have governance yet.

2028

DORA / NIS2

EU financial and critical-infrastructure directives. Demand-pull only — EU-linked clients.

Why GRC matters for UAE

Enforcement is moving from paper to penalty. A written policy isn't a program.

UAE PDPL is in active enforcement. NESA / UAE IA V2 assessments are being run across semi-government and regulated sectors. ADHICS compliance is mandatory for Abu Dhabi healthcare providers. Dubai ISR v2 is a gate for any Dubai government supplier. Every one of these frameworks needs implementation, not more advice.

Our team has lived inside these standards — not just read them — and we deliver hands-on programmes that end with audit-ready evidence and operational controls, partnered with accredited certification bodies where a certificate is required. Never both implementer and certifier. Never a conflict of interest.

We're pursuing our own ISO 27001:2022 certification in 2026 — the same program we deliver to clients, applied to ourselves first.

FAQ

Common questions

Are you also the auditor? Isn't that a conflict of interest?
No — and we never will be. We are the implementer. The certificate is issued by an accredited certification body (DNV, BSI, BV, Intertek, TÜV — your choice). This separation is required by ISO/IEC 17021 and we keep it absolute. Other firms blur this line; we do not. We'll happily make the introduction to a certifier we trust.
How long does ISO 27001 take from kickoff to certification?
Typical SME path: 4 – 6 months end-to-end. Gap assessment (2–3 weeks), implementation including risk register, SoA, policies, and controls (8–12 weeks), internal audit + management review (2 weeks), Stage 1 audit (1 week), remediation, Stage 2 audit (1 week). Larger or multi-site organisations need 6–9 months. We provide a date-by-date Gantt at the scoping stage.
Will you actually do the work, or just hand us templates?
We do the work. Policies are authored to fit *your* business — not generic boilerplate. The risk register is populated from interviews and asset inventories we run with your team. Controls are configured in your systems, not ticked on a spreadsheet. Templates exist as accelerators, but the deliverable is operational evidence, not paperwork.
We need ISO 27001 + UAE PDPL + NESA — can you do all three together?
Yes — and you should. There's ~70% control overlap between ISO 27001 Annex A, UAE IA V2, and PDPL. We deliver a unified control set mapped against all three frameworks, so you implement once and evidence three times. Adding ADHICS v2 (healthcare) or PCI DSS (payments) on top is a matter of mapping, not duplicate effort.
What if our scope changes mid-project (acquisition, new region, new product)?
Scope changes are normal — we expect them. Every engagement has a written change-control clause: small additions are absorbed, larger ones get a transparent change-order with adjusted timeline and fee. No surprise invoices. The certification scope statement can also be drafted to cover anticipated growth so you don't re-certify after every change.
Do you provide ongoing support after certification?
Yes. After Stage 2, most clients move onto a maintenance retainer covering: surveillance audit prep, internal audits, management reviews, policy updates, control re-tests, and evidence pack curation. Optional add-on, billed monthly or per surveillance cycle — you stay certified without re-running an implementation project every year.

Have an upcoming audit, a compliance directive, or a client asking for ISO 27001?

Book a free 30-minute scoping call. We'll scope your program, give you a written quote within 48 hours, and show you exactly what's involved — without the consultancy runaround.

Book a Free GRC Scoping Call
Book a Free GRC Scoping Call