top of page

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), which defines best practice to help companies of all sizes, in any industry and virtually any country, systematically secure their confidential and business critical data.


Each standard is created by a technical committee made up of subject matter experts, including industry representatives, research organisations, government departments and consumers. The outcome is a set of detailed criteria, definitions, and guidelines that provides a comprehensive framework to help organisations implement a coordinated approach to information security.

ISO/IEC 27001 Information Security Management

BSI_Associate_Consultant_badge (transparent background).png

Implementing a robust ISMS is a proactive and systematic approach to managing risk and securing confidential and commercially sensitive information to protecting it from potential cyber-attacks and data breaches.

Introducing controls across people (education and training), process (policies and procedures) and technology (systems and software), an ISMS enables organisations to effectively manage and mitigate risk; safeguard information assets; maintain data integrity and confidentiality; and ensure legal and regulatory compliance.

Peace of mind:

Certification ensures confidential data is secure, which may include financial records, intellectual property, personal data, and other commercially sensitive information, as well as employee and customer records.

Globally recognised:

With more than 165 member countries, ISO/IEC 27001 certification sets a benchmark for best practice and is recognised all around the world, quickly and easily demonstrating your organisation’s commitment to information security.


Enhances your company’s brand and builds trust and confidence. Certification reassures existing or potential customers and stakeholders that you are committed to industry best practice and continual improvement.

Enhances reputation:

Certification builds trust and confidence in your company and reassures existing or potential customers and stakeholders that you are committed to safeguarding data.

Competitive advantage:

Certification can increase commercial opportunities and enable your company win additional business and new customers from competitors who are not certified, or where certification is mandated for suppliers.

Security awareness and business continuity:

ISO/IEC 27001 certification promotes far greater information security awareness amongst staff and a culture of security throughout the business, which means greater vigilance. By reducing the number of incidents disruption to day-to-day operations is minimised.

Cost savings and efficiencies:

The cost of implementing ISO/IEC 27001 is likely to be minimal when compared to the potential financial impact of a breach. Business operations are also streamlined as policies and procedures are clearly defined and documented.


The framework helps your business to continually review potential risks and weaknesses and implement appropriate controls that improve the way you manage your organisation’s information security.


Complete the form below and request a short consultation to discuss how we can help your business to get certified.

Request a Consultation

By submitting this form, you are agreeing to Fortis's Privacy Policy and Terms of Service.

Thank you for submitting.


Implementation includes full gap analysis & review alongside regulatory compliance & industry standards. We assist with development of policies & processes and staff training.

Implement your ISO Management System

We will assist with internal audits and actively support you during the stage 1 and stage 2 certification audits.



Post certification we will help you to successfully maintain your certifications. With internal audits, management reviews, compliance for surveillance audits and re-certification. 



Table Blank_Purple Additional.png

We establish the size & scope of the project by working with you to understand your overall business needs, your expectations and how implementing the ISO standard can help you. We also take a look at your existing certifications to identify opportunities to integrate management systems & lower your total cost of ownership.



Fortis simulates the certification audit and performs a full review of your company’s scope, policies, processes, and procedures. Then reviews and remediates any gaps before your official UKAS certification body audit.


Award Cup.png

You are now a certified business!


UKAS ISO Certification Achieved and Formally Awarded for Certification

The breadth of the Fortis service portfolio enables us to offer a variety of information security and risk management solutions to help our clients achieve the information security compliance standard they need to operate with confidence.


From a simple one-off gap analysis against the ISO/IEC 27001 standard, through to complex multi-standard integrated management systems, Fortis offers comprehensive certification services that can be tailored to suit your organisation’s specific requirements.

Fortis can continue to work with your organisation beyond certification via the Fortis Stay Certified Service (SCS) which supports the ongoing maintenance and assurance of your ISMS and ensures that your certification is retained during annual surveillance and re-certification cycles.

City Center

Cyber Essentials

Cyber Essentials Plus

IASME Cyber Assurance

ISO/IEC 27001

Achieving ISO/IEC 27001 certification is a rigorous process and depending on the type and size of the business and amount of data processed, there may be a different cyber security standard that is better aligned to your organisation’s needs.

The highly experienced team at Fortis can advise which is the most appropriate certification to provide the right level of assurance for your business.

Business Meeting


Understanding your organisation and its context

Assessing the needs and expectations of stakeholders

Determining the scope of your ISMS


Establishing and communicating an information security policy and setting objectives

Ensuring roles and responsibilities are correctly assigned

Demonstrating leadership and commitment to your organisation’s ISMS​


Carrying out an information security risk assessment process

Reviewing risks and opportunities that need to be addressed in order to effectively implement, manage, and improve your organisation’s ISMS

Setting measurable and consistent information security objectives, alongside comprehensive plans on how to achieve them​


Reviewing the resources and competencies needed to effectively implement, manage, and improve your organisation’s ISMS

Plugging skills gaps and/or providing training where required

Ensuring awareness and communication relating to the information security policy, objectives, and ISMS

Creating, controlling, and updating documented information relating to the ISMS


Planning, implementing, and controlling the processes needed to meet the outcomes of the information security risk assessment

Implementing plans to achieve the organisation’s information security objectives

Conducting regular information security risk assessments, remediating identified risks, and documenting all results​

Performance evaluation

Monitoring, measuring, analysing, and evaluating the effectiveness of your organisation’s ISMS

Conducting internal audits at planned intervals to ensure the ISMS conforms the organisation’s own requirements and those of the International Standard

Carrying out a regular management review of your ISMS to determine its continuing suitability, adequacy, and effectiveness​


Identifying nonconformities and any associated corrective actions

Continually improving the suitability, adequacy, and effectiveness of your organisation’s ISMS

The information security controls to which your organisation needs to be compliant to achieve certification are broken down into the following four key areas:

Organisational controls e.g policies, roles and responsibilities, threat intelligence, access rights, identity management

People controls e.g. screening, remote working, employment terms and conditions, confidentiality

Physical controls e.g securing offices, storage media, security of assets off-premises, equipment maintenance

Technological controls e.g. configuration management, malware protection, network security, secure authentication

bottom of page