4 simple steps to ISO 27001 compliance

Step 1 - Assessment


Our 27001 ISO consultants will carry out a detailed GAP analysis & risk assessment to determine your readiness and identify areas of improvement.

Step 2 - Planning


Our team of experts will work closely with your business' key stakeholders to build a detailed implementation plan with a requirement checklist, milestones and responsibilities.

Step 3 - Implementation


Your Bulletproof ISO Consultant will provide practical advice, guidance and documentation assistance during the implementation phase to ensure you‘re ISO audit ready.

Step 4 - Audit Support

Audit Support

We‘ll help you arrange an ISO audit with an appropriate certification body and will be on-hand to ensure it goes smoothly on the day.

Adzuna Logo

ISO 27001 compliance has helped us improve our security investment and build credibility with our global client base, as well as enabled us to successfully win UK Government procurement contracts.

Bulletproof made the whole process easy and effortless from start to finish, strengthening our information security and improving our position in the industry.

Martin Sutherland

Head of Finance, Adzuna

Gain global recognition with ISO 27001

Internationally recognised, the ISO/IEC 27001 certification is one of the most popular information security management standards (ISMS), and for good reason – implementing ISO 27001 helps you meet your legal and regulatory obligations under laws as such as EU GDPR, FCA and the NIS Regulations.

It’s a comprehensive standard that covers processes, technology and physical security resulting in credible improvements to your security.

Becoming ISO 27001 certified is proven to enhance the reputation of your company and lets your customers know you’re working to the highest security standard possible.

How Bulletproof can help you achieve ISO 27001 certification

Gap Analysis

Bulletproof ISO 27001 compliance starts with a gap analysis. This lays the foundation of your compliance journey and identifies exactly which areas need to improve and how best to go about it.

  • In-depth discovery process looks at all procedural, technical and physical security controls
  • A methodical approach ensures all aspects of 27001 rigorous compliance standard are met
  • Our ISO consultants use their years of experience to make the process as easy as possible
  • Whether you’re starting from scratch or part-way through the process, we work at every stage to help you get your ISO certificate
ISO 27001 Gap Analysis


Based on the learnings from the ISO 27001 gap analysis, Bulletproof creates a tailored implementation plan to make sure you get the most cost-effective compliance possible.

  • Your ISO lead implementer ensures your information security controls are being implemented efficiently and effectively
  • Bulletproof’s ISO 27001 resources can assist in creating missing policies & procedures, speeding up your ISO 27001 certification process
  • Our consultant’s deep knowledge of information security and their experience with a broad range of organisations means you get a fast, simple, cost-effective service that doesn’t compromise on security
iso 27001 Implementation


ISO 27001 certification involves multiple audits, both internal and external.

Bulletproof’s experienced ISO 27001 consultants work with several certification bodies and will be on-hand to help you through every stage of the certification process.


Internal Auditing

ISO 27001 requires companies to conduct internal audits at least annually, in addition to the audits conducted by the external certification body.

Often, conflicts of interest and a lack of the necessary skills and knowledge make it difficult for companies to do these themselves. That is where Bulletproof can help by providing:

  • Highly experienced ISO 27001 certified auditors
  • Comprehensive audit plans to ensure your audit runs smoothly and efficiently
  • Detailed ISO audit reports providing comprehensive information on non-conformities and opportunities for improvement
  • Flexible audit plans to work around your audit schedule
  • The opportunity to buy 3-year audit plans, with monthly payment options, making your internal audits more cost effective
Internal Auditing

Go beyond compliance

Being a leading cyber security provider, Bulletproof can also provide complimentary services outlined by ISO 27001. These include information security training, all types of penetration test, and even MDR/managed SIEM through our next-generation S.W.A.T. Defence® service. ISO 27001 can be a significant investment, but ultimately will make you much more secure. If ISO 27001 isn’t the right fit for you why not try Cyber Essentials instead?

Go beyond compliance

Book your 1-hour free consultation today

Have an ISO certified expert assess your readiness and provide you with guidance on next steps.

By submitting this form, I agree to the Bulletproof privacy policy.

ISO 27001 Frequently asked questions

What is ISO 27001 certification?

ISO 27001 certification, or ISO/IEC 27001:2013, is an internationally recognised information security management standard of best practices.

ISO 27001 covers a number of policies and procedures to review legal, physical and technical controls to determine the extent who which these meet the 10 clauses and 114 generic security controls grouped into 14 sections (called “Annex A”).

ISO 27001 clauses 4–10:

  • Context of the Organisation (Clause 4)
  • Leadership (Clause 5)
  • Planning (Clause 6)
  • Support (Clause 7)
  • Operations (Clause 8)
  • Performance evaluation (Clause 9)
  • Improvements (Clause 10)

This will cover the following 14 controls:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity
  • Compliance

Being ISO 27001 certified demonstrates a commitment to maintaining top levels of security.

What are the business benefits of ISO 27001?

According to IBM’s Security Report, the global average total cost of a data breach in 2020 was £2.69 million. With cyber and information security making headlines every day, and hackers targeting business of all sizes, being ISO 27001 compliant is crucial.

It also enhances your global reputation, helps you to avoid the financial (and reputational) penalties of a data breach and will also reduce the number of audits you’ll have to undergo.


Protects you from cyber attacks

Reduces the likelihood of security incidents.


Reduces breaches & incidents risks

Reduces the risks of fines/penalties/reputational damage resulting from breaches and incidents.


Drives new business

Worldwide recognised standard which can help drive new business opportunities and provide competitive advantage.



Can reduce costs through standardising processes and procedures, reduced cyber insurance costs and fines.


Enriches your security culture

Improves knowledge of information security across the business and helps build a security culture.


Refines your processes

Provides a framework for ensuring contractual, commercial and regulatory requirements of the business are met.


Improves your security posture

Improves the business response to incidents.


Gain a competitive advantage

Can help to simplify due diligence queries from customers, reduce the need for customer audits and speed up tender process.


Reinforces your reputation

Increases trust and assurance with customers, partners and the supply chain.


Spend smarter

Ensures that budgets for information are spent according to the risks to the business rather than based on what’s the latest and greatest.


Protects your data

Supports the protection of personal data and compliance with GDPR requirements.


Drives business growth

Provides a structure to help organisations scale for growth.

How much does ISO 27001 certification cost?

The cost of ISO 27001 certification depends on the size and nature of your business, as well as the gap between your current status and the desired, compliant state. By undertaking a gap analysis first, this journey can be accurately mapped, saving valuable time and money when it comes to implementation.

What’s an ISMS?

ISMS stands for Information Security Management System, and is the core component of ISO 27001. It’s the framework that outlines all security risks and your controls for them. It covers people, processes and technology and typically encompasses your entire organisation, securing your corporate information assets confidentiality, integrity and availability (CIA).

What is the ISO/IEC 27000-series standard?

ISO 27000 series is a family of information security management standards and documents covering all areas of the ISO standard for information management security. ISO 27001 is specifically the certification standard whereas ISO 27002 (and beyond) are controls, guidance and information documents, for the ISO 27001 certification standard.

What’s the difference between ISO 9001 and ISO 27001?

ISO 9001 is a standard for ensuring the quality of your services and is based on a QMS (Quality Management System), whereas ISO 27001 sets the standard for information security and uses an ISMS (Information Security Management System). There’s actually some overlap between the two standards, so gaining ISO 27001 compliance will give you a head start on ISO 9001, and vice versa.

What are the difference between ISO 27001 & Cyber Essentials Standards?

Comparing ISO 27001 and Cyber Essentials Standards
ISO 27001Cyber Essentials
What is itAn international standard that sets out the requirements of an Information Security Management System to manage information security risk in a systematic way. The standard isn’t mandatory however many contracts/tenders do stipulate it as a requirement.An NCSC backed UK assurance scheme addressing five technical security controls to help businesses address the most common vulnerabilities. Cyber Essentials is mandatory for government contracts.
RiskISO 27001 adopts a risk-based approach where organisations set their risk acceptance criteria and risk methodology. This determines how risks are addressed.Cyber Essentials aims to address the most common vulnerabilities found in organisations. It is not a risk-based approach
RecognitionISO 27001 is an international standard recognised around the worldCyber Essentials is a UK based scheme and is not well known worldwide
Time to implementMonthsDays–weeks
Certification processCertification is provided by a Certification Body. This involves a Stage 1 and Stage 2 audit, and annual surveillance audits. Certification lasts for 3 years, as long as the organisation passes the audits.Complete a self-assessment questionnaire (or undergo vulnerability scans and a workstation assessment if taking Cyber Essentials Plus) and be assessed by a IASME Cyber Essentials Assessor. Certification must be repeated annually.
ScopeScope is defined by the organisation but the standard encompasses the business and is not just focused on IT.Focuses on 5 key areas (shown below) and is more IT focused.
  • Secure internet connection
  • Secure devices and software
  • Access control
  • Malware protection
  • Security update management
ApplicabilityAimed at all businesses.Aimed at all businesses, but particularly targets smaller businesses that may have not previously considered cybersecurity.

What’s the difference between certification and accreditation?

When it comes to ISO 27001, the words certification and accreditation are often used interchangeably by companies who don’t know better. However, there is a difference. For ISO 27001 in the UK, a certification body tests organisations against the ISO 27001 standard, and gives them a registered certificate if they pass. The accreditation body on the other hand, is responsible for ensuring that the certification bodies all work to the same standard.

In the UK the accreditation body is UKAS and they’re recognised by the Government. So to sum up, end user companies are certified as ISO 27001 compliance by a certification body, who are in turn accredited by the accreditation body (UKAS).

Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre