Ongoing support
For certified companies, the risk moves to the surveillance visit and the recertification year. These engagements keep the ISMS operated — not just documented — between cycles.
An internal audit that would satisfy a certification body, not a checkbox.
We help plan and run internal audits against your scope and SoA, with findings that lead to real corrective actions.
Independence note
If Kellwick performs remediation for an area, the internal audit of that area must be carefully scoped or excluded to preserve independence.
For certified companies — a lighter check ahead of the annual surveillance visit.
A focused review of what has drifted since certification: risk, evidence, access reviews, supplier oversight and management review discipline.
Third year of the cycle — more thorough than a surveillance check.
A fuller review before recertification, covering scope changes, control performance over the cycle and the evidence trail the auditor will resample.
ISO 27001 maintenance without hiring a full-time GRC manager.
Ongoing operating discipline across the ISMS lifecycle: risk updates, evidence review, supplier and access reviews, management review prep and corrective-action tracking.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.