GRC — Flagship Service

ISO 27001 Implementation & Certification Support

End-to-end ISO 27001:2022 ISMS implementation — from gap assessment through policy authoring, risk register, control implementation, internal audit, and accredited-body audit support. We implement. Accredited bodies certify. Never both.

AED 50,000 – 120,000 ISO 27001 Lead Auditor · GRC Mastery 4 – 6 months typical
Book a 30-min Scoping Call →
Book a 30-min Scoping Call →
Jump to FAQ

What it is

A full, hands-on ISO 27001:2022 ISMS implementation program — delivered by an ISO 27001 Lead Auditor who has built ISMS programs from scratch and read the standard cover-to-cover, not just skimmed the Annex.

Every engagement produces a working ISMS, not a shelf of policies nobody reads. Policies are authored to your organisation (not generic templates), controls are implemented with your technical team, risks are assessed and treated with documented justification, and the internal audit is genuine — not a tick-box rehearsal for the external auditor.

You leave the engagement with a certified ISMS and a team that can run it. We step back after certification; we do not hold the keys to your own program.

What this is not

Not a policy-template reseller. Policies authored to your organisation, not copy-paste from a template library.
Not a compliance-in-a-box subscription. We deliver a program, not a SaaS rental.
Not a certifier. An accredited certification body issues the certificate. We partner with them; we're never both implementer and certifier.
Not a lock-in. You own everything we produce. No hidden dependencies on our team after certification.

Who this is for

1
An enterprise client or bank has asked for ISO 27001 certification as a condition of contract.
2
You're pursuing UAE government or semi-government tenders that require ISO 27001.
3
Your board has mandated ISO 27001 as a strategic risk-management investment.
4
You're a SaaS or fintech selling to enterprise — ISO 27001 is the default procurement question.
5
You're aligning PDPL, NESA, and ISO 27001 into a single compliance program.

What you get

  • ISMS scope & context documentation — boundary definition, interested parties, internal/external issues.
  • Full policy set — information security policy, access control, cryptography, HR security, asset management, incident response, BCP, supplier security, plus sub-policies as scope requires (typically 12 – 18 documents).
  • Risk register — ISO 27005-aligned, with risk assessment, treatment decisions, residual risk, and owner accountability.
  • Statement of Applicability (SoA) — every Annex A:2022 control, applicable Y/N, implemented Y/N, justification.
  • Procedures & records templates — incident log, access review log, training records, supplier assessments, internal audit evidence, management review minutes.
  • Internal audit — full ISMS audit against Clause 4 – 10 and Annex A, with findings and corrective-action tracking.
  • Management review support — agenda, pre-reading pack, minutes template, decision log.
  • Stage 1 & Stage 2 audit support — we attend, translate auditor findings, and run remediation for any non-conformities.
  • Staff awareness training — ISMS kick-off session and annual awareness deck; optional add-on for ongoing training via our Awareness Training service.

How we deliver (4 – 6 month program)

M1
Scoping & gap assessment
Weeks 1 – 4
ISMS scope workshop, context analysis, Annex A:2022 gap assessment, risk methodology agreement, certification body shortlist.
M2
Risk & SoA
Weeks 5 – 8
Asset register, risk assessment against identified threats, risk treatment plan, Statement of Applicability authoring.
M3
Policies & procedures
Weeks 9 – 12
Policy authoring and review cycles, procedure development, record templates, supplier-security assessment framework.
M4
Control implementation
Weeks 13 – 16
Technical controls implementation with your team, awareness training delivery, access review cycles start, incident log operational.
M5
Internal audit & mgmt review
Weeks 17 – 20
Full internal ISMS audit, corrective actions, first management review, readiness assessment for external audit.
M6
Stage 1 & Stage 2 audit
Weeks 21 – 24
Stage 1 documentation review, remediation of any findings, Stage 2 implementation audit, certificate issued by accredited body.

Pricing

Published range

AED 50k – 120k

Our implementation fee. Certification body audit fees are separate and contracted directly with the certifier (typically AED 25k – 60k depending on body and scope).

What drives the price:

  • ISMS scope size (single site vs. multi-site, departments, subsidiaries)
  • Existing policy maturity (greenfield vs. partial)
  • Number of applicable Annex A controls
  • Technical control implementation complexity
  • Timeline (standard 4 – 6 mo vs. expedited)

Commercial terms

  • Deposit: 30% at signing (larger engagement)
  • Milestone invoicing: 30% M2, 30% M4, 10% on certificate
  • Net terms: Net-30
  • Quote validity: 30 days
  • Certification body: contracted separately
  • Post-cert support: optional retainer

Your cert-backed lead

Engagement Lead & ISO 27001 Lead Auditor

Manoj Prabhakaran

ISO 27001 Lead Auditor · GRC Mastery · CPTS · CDSA · Security+ · Azure Cloud Security

Focus: ISMS design, policy authoring, risk assessment, SoA, internal audit, certification-body liaison. Unique angle: offensive-security background means technical controls get implemented correctly — not just documented.

We practise what we deliver: Underwings is pursuing its own ISO 27001:2022 certification in 2026. The same program we run for clients, we're applying to ourselves first — because you shouldn't buy an ISMS implementation from a firm that doesn't run one.

Frequently asked questions

Who actually issues the ISO 27001 certificate?

Never us. A certificate can only be issued by an accredited certification body (e.g. BSI, TÜV, Intertek, SGS, Bureau Veritas, or a locally-accredited UAE body). We implement your ISMS and manage the entire implementation program; you contract the certification body independently. This separation is required — no firm is allowed to both implement and certify.

How long does a full implementation take?

Typical timeline is 4 – 6 months for a mid-market single-location organisation with a defined ISMS scope. Larger or more complex organisations extend to 8 – 12 months. We scope the timeline in writing during the scoping call.

What's included vs. what's your responsibility?

Our deliverables: policies, procedures, risk register, Statement of Applicability, mandatory Annex A control implementation guidance, internal audit, management review support, and audit-readiness sign-off. Your responsibility: executive sponsorship, control implementation resources, staff awareness training attendance, certification body fees.

Can you help us choose a certification body?

Yes. We have working relationships with multiple UAE and GCC-accredited bodies. We'll recommend based on your sector, budget, and the recognition of the certificate in your target markets.

Do you do internal audits?

Yes. We run a full internal audit against ISO 27001:2022 Annex A as part of the engagement, producing findings and corrective-action tracking before the Stage 1 external audit.

What if we already have policies in place?

Great — we start with a gap assessment against what you have versus ISO 27001:2022, identify what's reusable, what needs updating, and what needs authoring from scratch. No wasted effort re-creating what already works.

What happens after certification?

The certification body conducts annual surveillance audits (years 1 and 2) and a recertification audit in year 3. We offer post-certification support packages for ongoing ISMS maintenance, documentation updates, and audit preparation.

Do you cover ISO 27001:2022 or the old 2013 version?

ISO 27001:2022 — the current version. Annex A was restructured from 114 controls to 93 in 4 themed groups (Organisational, People, Physical, Technological). We implement the current version; migration from 2013 is handled as part of the gap assessment.

You might also need

ISO 27001 Gap Assessment

Start with a gap assessment if you're not sure you're ready for full implementation yet.

Contact to scope

Risk Assessment & Register

Required as ISO 27001 sub-deliverable; also sold standalone to clients not ready for full cert.

Contact to scope

Network Penetration Testing

Most ISO 27001 programs require pen-test evidence — we deliver it under the same engagement.

Read full details

UAE PDPL Compliance Advisory

PDPL and ISO 27001 share ~60% of control ground — align programs from day one.

Contact to scope

Audit demand, board mandate, or tender gate pushing you toward ISO 27001?

Book a 30-minute scoping call. We'll map your current state, scope the program, and send a written quote within 48 hours — plus recommend 2 – 3 suitable accredited certification bodies.

Book a Scoping Call →
Book a Scoping Call →