ISO 27001
Enterprise customers and certification bodies increasingly demand ISO 27001. Kellwick finds what will block Stage 1 before the certification body does.
The blockers are almost never your technology. They are in the management system - the scope, the risk process, the Statement of Applicability, the internal audit and the evidence that controls actually operate.
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained · IRCA Associate Auditor - ISMS · CQI Practitioner Member - PCQI
Why now
Enterprise buyers and their procurement teams increasingly make ISO 27001 a requirement, not a nice-to-have. Security questionnaires ask for the certificate by name, deals stall in vendor review without it, and certification bodies expect a real management system when you finally book the audit.
The risk is not that your infrastructure is insecure. Most teams that fail Stage 1 fail on the management system - a scope that does not hold together, a risk process that never ran, a Statement of Applicability that contradicts the risk register, an internal audit and management review that were never done. That is the ground a certification body checks first, and it is exactly where we look.
What ISO 27001 requires
You do not need to memorise the clauses. In practice a certification body wants to see these seven things working together - and evidence that they are more than documents.
A defined information security management system with a scope that matches your actual product, teams and infrastructure - not a copied template.
A repeatable way to identify, assess and treat information security risks, with a risk register that reflects real decisions rather than a one-off exercise.
A justified statement of which controls apply, which do not and why - the document that ties your risk decisions to the controls you actually run.
The relevant controls implemented and operating in practice: access, suppliers, change, incidents, secure development and the rest of your applicable set.
An internal audit programme that genuinely tests the management system, with findings and corrective actions - not a checkbox completed the week before Stage 1.
Leadership reviewing the ISMS on a cadence, with recorded decisions - the evidence a certification body checks first to see the system is actually governed.
Proof that the controls run continuously - access reviews, tested restores, incident records - not just policies that describe how they are supposed to work.
What actually blocks Stage 1
None of these are about your engineering. Each one can stop a Stage 1 audit on its own - better if we find them before the auditor does.
| The blocker | What it means for Stage 1 |
|---|---|
| No Statement of Applicability | Stage 1 stops here. Every time. |
| Internal audit never performed | You cannot proceed to Stage 2. |
| No management review record | Same. No exceptions. |
| Risk register that does not map to the SoA | The auditor sees the disconnect in ten minutes. |
| Access reviews that never happened | An evidence hole nothing can patch on audit day. |
| Backup exists, restore never tested | “We have backups” is not evidence of recovery. |
The engagements
Start with a snapshot, find the blockers, close them and organise the proof. Each engagement stands alone or sequences into the next.
1-2 days
Your certification body will find these gaps. Better if we find them first.
Start with a Gap Review5-10 days
We tell you what will block ISO 27001 certification before the certification body does.
Explore this engagement5-15 days
Readiness finds the blockers. The Remediation Sprint helps remove them.
Explore this engagement3-7 days
We organise your ISO 27001 evidence so your team can show the right proof, in the right order.
Explore this engagementFit
This is for you if
Not the right fit if
Regulated in the EU as well? See DORA readiness for what your licence adds on top of the certificate, or GDPR & privacy to extend the same ISMS into a defensible privacy programme.
ISO 27001 questions, answered
A clear, evidence-based view of where your ISMS stands and the one next step that matters most. Scoped on a short call.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.