ISMS Review, Audit and Advisory
67% of companies fail their first ISO 27001 audit because their ISMS was poorly prepared. A gap analysis identifies the gaps; we deliver a roadmap to certification and support the implementation. Increase your credibility with customers and gain access to new markets.

What is ISMS Review, Audit and Advisory?
ISMS Review, Audit and Advisory is a gap analysis of your Information Security Management System against all 93 ISO/IEC 27001:2022 Annex A controls, followed by a maturity assessment, a certification roadmap, and hands-on support through to a successful Stage 2 audit. nFlo's ISO 27001 Lead Auditors minimize the risk that companies face when attempting certification unprepared — 67% fail their first audit — and also deliver independent internal audits required by clause 9.2 of the standard.
67% of companies fail their first ISO 27001 certification audit
From gap analysis to successful certification
ISMS Audit - ISO 27001 and Annex A compliance assessment
Roadmap - Implementation plan with priorities and timeline
Implementation Support - Assistance through to certification
Company Invested €50,000 - Certification Audit Failed
An IT company prepared for ISO 27001 on its own for a year. It hired a consultant who delivered documentation (policies, procedures). On the day of the certification audit it turned out that: (1) there was no implementation evidence (records), (2) the Annex A controls were inadequate to the risk, (3) ISMS monitoring was not working. Auditor's verdict: “Major non-conformities - recommendation: no certification”. Lost: 12 months + €50,000.
Without a professional ISMS audit:
- You fail certification audit (67% of companies don’t pass first time)
- You lose contracts requiring ISO 27001 (e.g., public sector, finance)
- You invest in wrong controls (not matched to risk)
- You don’t know how mature your ISMS is (ad-hoc vs. optimized)
Complete Path to ISO 27001 Certification
We don’t leave you with a gap report. We guide you from gap analysis through Annex A control implementation to successful certification audit. You’re confident you’re investing in the right areas and will pass certification first time.
What you get:
- Gap analysis against ISO/IEC 27001:2022 and Annex A requirements (93 controls)
- ISMS maturity assessment using a 5-level maturity model
- ISMS documentation review (policy, SOA, procedures, registers)
- Implemented controls effectiveness verification (evidence-based)
- Risk management assessment (ISO 27005 / NIST RMF)
- Roadmap to certification - prioritized action plan with timeline
- Ready documentation templates (Annex A controls, procedures, records)
- Support selecting certification body
- Pre-audit before stage 1 audit - readiness verification
- Optionally: presence during certification audit
Who Is It For?
This service is for you if:
- You’re preparing for ISO 27001 certification for the first time
- You have ISO 27001 but need surveillance audit / recertification
- You want to check ISMS maturity before deciding on certification
- Customers or regulators require ISO 27001 from you
- You want to organize your security management system
ISO/IEC 27001:2022 Standard
Standard Structure
ISO 27001 consists of two parts:
- Clauses 4-10 - ISMS requirements (management system)
- Annex A - 93 security controls to choose from
Main Clauses (mandatory requirements)
| Clause | Name | Key Requirements |
|---|---|---|
| 4 | Organization Context | Understanding organization, interested parties, ISMS scope |
| 5 | Leadership | Management commitment, policy, roles and responsibilities |
| 6 | Planning | Risk and opportunity management, security objectives |
| 7 | Support | Resources, competencies, awareness, communication, documentation |
| 8 | Operation | Operational planning and control, risk assessment |
| 9 | Performance Evaluation | Monitoring, internal audit, management review |
| 10 | Improvement | Non-conformities, corrective actions, continuous improvement |
Annex A - 93 Controls
Annex A is divided into 4 themes:
Organizational controls (37 controls)
- Information security policies
- Roles and responsibilities
- Segregation of duties
- Asset management
- Access control
- etc.
People controls (8 controls)
- Screening during hiring
- Confidentiality agreements
- Awareness training
- Disciplinary process
Physical controls (14 controls)
- Security zones
- Physical access control
- Threat protection
- Secure disposal
Technological controls (34 controls)
- User access control
- Cryptography
- Network security
- Vulnerability management
- Backup
- Logging and monitoring
- etc.
Statement of Applicability (SOA)
For each of the 93 Annex A controls you must record one of two decisions:
- Applicable - the control is implemented; state how and where it is implemented and what evidence exists
- Not applicable - the control is not needed; give a documented justification for the exclusion
The SOA is the most important ISMS document - the auditor checks it first!
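The completeness rule above can be checked mechanically before the Stage 1 audit. The script below is an added example, not nFlo's tooling or a standard artifact: it assumes a simplified SOA row (control id, status, justification, evidence) and uses the ISO/IEC 27001:2022 Annex A numbering (5.x organizational, 6.x people, 7.x physical, 8.x technological), which yields the 93 controls counted on this page.

```python
from dataclasses import dataclass

# Theme number -> number of controls in that theme (37 + 8 + 14 + 34 = 93)
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}


def expected_controls() -> set:
    """All Annex A control ids, e.g. '5.1' ... '8.34'."""
    return {f"{t}.{i}" for t, n in ANNEX_A_THEMES.items() for i in range(1, n + 1)}


@dataclass
class SoaRow:
    control: str
    status: str               # "applicable" or "not applicable"
    justification: str = ""   # required when the control is excluded
    evidence: str = ""        # required when the control is implemented


def check_soa(rows: list) -> list:
    """Return a list of findings; an empty list means every control is accounted for."""
    expected = expected_controls()
    findings, seen = [], set()
    for r in rows:
        if r.control in seen:
            findings.append(f"{r.control}: duplicate entry")
        seen.add(r.control)
        if r.control not in expected:
            findings.append(f"{r.control}: not an Annex A control id")
            continue
        status = r.status.strip().lower()
        if status == "applicable" and not r.evidence.strip():
            findings.append(f"{r.control}: applicable but no implementation evidence")
        elif status == "not applicable" and not r.justification.strip():
            findings.append(f"{r.control}: excluded without justification")
        elif status not in ("applicable", "not applicable"):
            findings.append(f"{r.control}: status must be 'applicable' or 'not applicable'")
    # Controls that the SOA simply never mentions are the most common audit finding
    for c in sorted(expected - seen, key=lambda c: tuple(map(int, c.split(".")))):
        findings.append(f"{c}: missing from SOA")
    return findings


def sample_soa() -> list:
    """Constructed sample: a full SOA with three typical defects planted in it."""
    rows = {c: SoaRow(c, "applicable", evidence=f"record ref for {c}") for c in expected_controls()}
    rows["5.1"] = SoaRow("5.1", "applicable")        # implemented, but no evidence recorded
    rows["6.1"] = SoaRow("6.1", "not applicable")    # excluded without justification
    del rows["8.34"]                                  # control left out entirely
    return list(rows.values())


if __name__ == "__main__":
    for finding in check_soa(sample_soa()):
        print(finding)
```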
ISO 27001 Certification Process
Phase 1: Preparation (3-9 months)
- Gap analysis - current state assessment
- Risk assessment & treatment
- ISMS documentation development (policy, SOA, procedures)
- Annex A controls implementation
- Training and awareness building
- Monitoring and metrics launch
Phase 2: Certification Audit Stage 1 (1 day)
- ISMS documentation review
- Stage 2 readiness verification
- Potential NC (non-conformities) identification
Result: GO / NO-GO to Stage 2
Phase 3: Certification Audit Stage 2 (2-3 days)
- On-site audit of all locations in scope
- Controls implementation verification
- Evidence review (records, logs, tickets)
- Personnel interviews
Result: Certificate (3 years) / Major NC (no certificate) / Minor NC (conditional certificate)
Phase 4: Surveillance (every 12 months)
- Annual surveillance audits
- Selected ISMS areas review
- Corrective actions verification
Phase 5: Recertification (after 3 years)
- Full audit again
- Certificate extension for another 3 years
ISMS Maturity Levels
We assess ISMS maturity using a 5-level model:
Level 1 - Initial (Ad-hoc)
- No formal processes
- Reactive, chaotic actions
- Success depends on individual heroes
- Risk: High - certification audit failure
Level 2 - Managed (Repeatable)
- Basic processes established
- Project-level management
- Some processes documented
- Risk: Medium - possible minor NC
Level 3 - Defined
- Standard processes for entire organization
- Documented and communicated
- Proactive risk management
- Readiness: Certification possible
Level 4 - Quantitatively Managed (Measured)
- Processes measured and controlled
- Metrics and KPI utilization
- Data-driven management
- Certification: Easy audit pass
Level 5 - Optimizing
- Continuous process improvement
- New technology utilization
- Security culture in organization DNA
- Best-in-class: Role model
How Much Does ISO 27001 Cost?
Preparation Costs
- Gap analysis + roadmap: €7,500-15,000
- ISMS implementation (advisory): €25,000-75,000 (6-12 months)
- ISMS implementation (full service): €50,000-150,000
- Technical controls: €12,500-50,000 (SIEM, VM, backup, DR)
Certification Costs
- Certification audit (Stage 1 + 2): €7,500-20,000 (depending on scope)
- Surveillance audits (annually): €3,750-10,000
- Recertification (every 3 years): €6,250-17,500
Typical TCO for 3 Years
For a 200-person company, 2 locations:
- Preparation: €62,500
- Certification: €12,500
- Surveillance 2x: €15,000
- Recertification: €10,000
- TOTAL: €100,000 (€33k/year)

How we work
Our proven service delivery process.
Gap Analysis - ISMS assessment against ISO 27001 requirements
Maturity Assessment - Maturity assessment using CMMI or ISO 21827
Roadmap - Action plan to certification with timeline
Implementation Support - Assistance with Annex A and documentation
Pre-audit - Preparation for certification audit
Benefits for your business
What you gain by choosing this service.
Access to Tenders - Many contracts require ISO 27001
Partner Trust - International certificate recognition
NIS2 Compliance - ISO 27001 facilitates NIS2 compliance
Organized Processes - Security management system
Frequently Asked Questions
Common questions about ISMS Review, Audit and Advisory.
How long does it take to prepare for ISO 27001 certification from scratch?
Typically 6-12 months, depending on the organization's maturity. The gap analysis takes 3-7 business days and shows the exact scope of work. Companies with existing security policies can be ready in 3-4 months.
How much does the entire ISO 27001 certification process cost?
For a 200-person company, typical TCO over 3 years is approximately €100,000: preparation (€62,500), certification audit (€12,500), two surveillance audits (€15,000) and recertification (€10,000). The gap analysis with roadmap alone starts from €7,500.
What if we fail the certification audit?
That is why we conduct a pre-audit before the actual certification audit. We identify potential non-conformities and help resolve them. 67% of companies fail their first audit without professional preparation - with our support we minimize this risk.
Does ISO 27001 help with NIS2 compliance?
Yes - ISO 27001 covers a significant portion of NIS2 requirements (risk management, incidents, business continuity, access control). Companies with the certificate have a simpler path to NIS2 compliance, although it is not a 1:1 mapping.
Can you conduct the internal ISMS audit required by the standard?
Yes. As external auditors with ISO 27001 Lead Auditor certification, we conduct independent internal audits required by clause 9.2 of the standard. The internal audit report is one of the documents reviewed during certification.