ISO 27001:2022 Implementation
Get certified in 3–6 months with a Lead Auditor on your side. Scope-based pricing, hands-on implementation — not just a pile of templates.
Our consultants are certified to audit and implement ISO 27001
Why ISO 27001?
ISO 27001 is the international standard for information security. Certification demonstrates your commitment to protecting data.
Implementation Roadmap
A structured approach to get you from current state to certified — efficiently and without the chaos.
Gap Assessment
Evaluate your current security posture against ISO 27001:2022 requirements. Identify gaps, prioritize actions, and create a realistic implementation roadmap.
ISMS Design & Documentation
Develop your Information Security Management System — scope definition, risk assessment methodology, security policies, and procedures tailored to your business.
Risk Assessment & Treatment
Comprehensive risk assessment covering all information assets. Develop risk treatment plans and select appropriate controls from Annex A.
Control Implementation
Implement technical and organizational controls. Configure security tools, train staff, and establish operational processes across all 93 Annex A controls.
Internal Audit & Management Review
Conduct internal audits to verify compliance. Perform management review to ensure ISMS effectiveness and readiness for certification.
Certification Audit Support
Prepare for and support you through Stage 1 (documentation review) and Stage 2 (implementation audit). Address any findings and achieve your ISO 27001 certificate.
Not sure where you stand?
Get a free gap assessment — we'll show you exactly what's needed to reach certification and how long it'll take.
93 Controls, 4 Themes
We implement the latest 2022 standard — restructured from 114 controls in 14 domains to a cleaner, more practical framework.
Organisational
Policies, roles, asset management, access control, supplier relationships, incident management
People
Screening, terms of employment, awareness, training, disciplinary process, remote working
Physical
Perimeters, entry controls, securing offices, equipment protection, clear desk & screen
Technological
Endpoint security, access rights, cryptography, secure development, vulnerability management, logging
Need vulnerability management to satisfy Annex A.8.8?
Explore our VAPT services →
Why Choose Underwings
Lead Auditor on Staff
Your implementation is led by a certified ISO 27001 Lead Auditor — not junior consultants reading templates.
Startup-Friendly Approach
We right-size the ISMS for your organisation. No bloated documentation or enterprise-level overhead for a 30-person team.
Hands-On Implementation
We don't just hand you documents and leave. We implement controls, configure tools, and train your team alongside you.
Post-Certification Support
Annual surveillance audits, ISMS maintenance, and continuous improvement support to keep your certification valid.
Complete Documentation Package
ISMS Manual & Policies
Complete Information Security Management System documentation — scope definition, 20+ security policies, procedures, and work instructions tailored to your business.
Statement of Applicability
The auditor's most scrutinised document — every Annex A control justified, mapped to your risks, with implementation evidence and exclusion rationale.
Risk Assessment Report
Full threat and vulnerability inventory with risk scores, treatment decisions, and asset mapping.
Risk Treatment Plan
Prioritised action plan with owners, timelines, and budget for addressing identified risks.
Internal Audit Reports
Pre-certification audit findings with nonconformities, observations, and corrective action tracking.
Management Review Records
Executive review documentation with ISMS performance metrics, meeting audit evidence requirements.
Frequently Asked Questions
How long does ISO 27001 certification take?
Typically 3–6 months from kickoff to certification audit, depending on your organisation's size and current maturity. Startups with simpler scopes can move faster.
How much does ISO 27001 implementation cost?
We offer scope-based pricing with no hidden fees. Cost depends on company size, number of locations, and complexity. Contact us for a free scoping call and transparent quote.
Do we need a full-time CISO to get certified?
No. We can act as your virtual ISMS manager during implementation and help you assign internal responsibilities without hiring a dedicated CISO.
What's the difference between ISO 27001:2013 and 2022?
ISO 27001:2022 restructured Annex A from 114 controls in 14 domains to 93 controls across 4 themes (Organizational, People, Physical, Technological). We implement the latest 2022 version.
What happens after certification?
ISO 27001 requires annual surveillance audits and a full recertification every 3 years. We offer ongoing support packages to keep your ISMS maintained and audit-ready.
Free ISO 27001 Readiness Checklist
Assess your organisation's readiness for ISO 27001 certification with our 93-control checklist. Covers all Annex A controls from the 2022 standard with gap assessment scoring.
Start Your ISO 27001 Journey
Get a free gap assessment to understand where you stand and what it takes to get certified.