This service covers the necessary steps for your business to maintain its ISO27001 certification, prepare for the annual external continuous assessment visit, and ensure the efficiency and effectiveness of the Information Security Management System (ISMS). Below is the tiered list offered to support the ongoing maintenance of your system.
Internal Audits
As part of the ongoing certification, it is essential to continually assess the effectiveness of your ISMS. An internal audit programme will be designed and carried out over a 12-month period. We offer support in setting up internal audits and in addressing any findings, including corrective actions.
Additionally, we assist with monthly Security Committee meetings and quarterly Management Review meetings, offering consultation and advice to ensure processes are being followed correctly. We also provide guidance on ISMS reviews to ensure compliance and effectiveness.
Risk Management
We will ensure that the risk submissions form entries are properly linked to the corresponding risk assessments and associated assets. This service involves reviewing submitted risks to confirm they are accurately tied to relevant assets. The risk assessment will then be evaluated to verify whether the current controls are sufficient. If not, a recommendation will be made to the asset owner.
We will review risks in alignment with existing policies and processes to ensure compliance, and each risk submission will be addressed accordingly. The ISMS team will then only need to review the output of this report, reducing the overhead on the team.
Ongoing Competency
This service involves running quarterly training sessions to assess user competence and awareness. Each session will introduce new training material, followed by a Q&A segment to ensure understanding, with feedback provided to managers.
Each quarter a 30-minute session will be offered on two separate dates to maximise in-person attendance. For those unable to attend, one session can be recorded. These sessions are designed to reinforce key information and evaluate user comprehension.
Outsourced DPO
UK GDPR requires you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities. If you are unsure whether your organisation requires a DPO, the ICO provides a questionnaire here:
This offering includes up to 6 days of annual support for handling Subject Access Requests (SARs), security incidents, and Data Protection Impact Assessment (DPIA) reviews. We will also track progress against GDPR compliance and can provide an action plan for any necessary improvements.