ISO 27001 consulting and readiness
ISO 27001 is the international standard for an information security management system (ISMS). Getting certified means building that system, proving it works, and passing an audit by an accredited certification body.
CloudKey takes you from where you are to certification-ready: a gap assessment against the standard, a practical plan to close what is missing, and hands-on support through the certification audit. We prepare you; an accredited registrar issues the certificate.
Annex A implemented
Illustrative control set. Each control's status is one of implemented, in progress or open gap. Your own Statement of Applicability lists the controls in scope for your organization.
ISO 27001, by the framework
Overview
ISO 27001 certification opens doors: enterprise buyers ask for it, and it signals that security is managed, not improvised. But the path there is where most teams stall, buried in policy templates that do not match how they actually work. CloudKey ISO 27001 consulting keeps it practical.
We start with a gap assessment: where your current controls and documentation stand against the ISO 27001 requirements and the Annex A controls. From there you get a clear, prioritized plan to scope your ISMS, write only the policies you need, implement the controls, and run the internal audit and management review the standard requires.
One thing to be clear about: CloudKey is a consultancy, not a certification body. We get you certification-ready and support you through the audit. The certificate itself is issued by an accredited registrar you engage separately. That separation is how the standard is meant to work.
How we help
Support across the whole path, or just the stage you are stuck on.
Where you stand today against ISO 27001 requirements and Annex A controls, with a prioritized list of what is missing and what it takes to close it.
Define the scope, the statement of applicability and the policies the standard requires, written to fit how your organization actually operates.
Practical help implementing the technical and organizational controls, drawing on our security audit and testing work where it fits.
We run the internal audit the standard requires and a readiness review before your certification audit, so there are no surprises in front of the auditor.
The artifacts that pass an audit
Certification turns on a handful of core artifacts. We build them with you and keep them current. The panels below are stylized illustrations, not screenshots of a real ISMS.
A living record of information security risks, their owners, treatment decisions and residual rating. The standard wants risk managed on purpose, so this is where the ISMS earns its keep.
Illustrative risks. Your register reflects the assets and threats in your scope.
The Statement of Applicability lists every Annex A control, states whether it applies to you and why, and records whether it is implemented. It is the spine of the ISMS and the first thing the auditor reads.
Illustrative entries. Inclusion or exclusion is justified control by control.
Auditors do not take your word for it; they sample evidence. We track which artifact proves each control operates, so the Stage 2 audit is a walkthrough rather than a scramble.
Illustrative readiness view. We keep the real tracker with you through the audit.
Why it matters
The certificate is the visible part. The managed system underneath is the real value.
Larger customers increasingly require ISO 27001 before they sign. Certification removes a recurring blocker from your sales cycle.
The standard forces a repeatable risk-management cycle, so security decisions are deliberate and documented rather than ad hoc.
An ISO 27001 ISMS overlaps heavily with SOC 2 and other frameworks, so the effort pays off across more than one requirement.
How it works
Five stages. We can join at any of them.
Measure current state against the standard and produce a prioritized remediation plan.
Define scope, risk methodology and the statement of applicability for the controls that apply to you.
Treat the risks the assessment found: policies, technical controls and the evidence that shows each one operates.
Run the internal audit and management review the standard requires, and fix anything they surface.
Support you through the Stage 1 and Stage 2 audit conducted by your chosen accredited certification body.
This separation is not a limitation; it is how ISO 27001 is designed to stay credible. The consultant who builds the ISMS cannot also be the one who certifies it.
FAQ
ISO 27001 is the international standard for an information security management system, or ISMS. It sets out how to manage information security risk through a defined set of requirements and the Annex A control set. Certification means an accredited certification body has audited your ISMS against those requirements and issued a certificate.
No, and that is by design. ISO 27001 certificates are issued only by accredited certification bodies, kept independent from the consultants who help you prepare. CloudKey gets you certification-ready and supports you through the audit; you engage an accredited registrar to issue the certificate.
Total cost has two parts: the preparation work to build and run the ISMS, and the certification body's audit fees, which they quote separately based on your size and scope. We give a fixed price for the consulting and readiness work after a short scoping call.
For a mid-sized organization starting from a reasonable baseline, typically three to nine months to certification-ready, depending on how many gaps the assessment finds and how quickly the controls can be implemented.
ISO 27001 certifies a management system against an international standard. SOC 2 is a US attestation report on your controls produced by a CPA firm. They overlap heavily, so much of the work for one supports the other. Which you need usually depends on what your customers ask for.
Next step
A short scoping call, then a gap assessment that tells you exactly how far you are from certification-ready and what it takes to get there. Fixed price, no red tape.
This site is also available in French.