ISO/IEC 27001 · Information Security Management
Information security customers can trust.
ISO/IEC 27001 is an organisational management system, not merely an IT checklist. We help you protect information, manage security risk and answer customer assurance questions credibly.
What it is
A brief introduction to ISO/IEC 27001
ISO/IEC 27001 sets out requirements for an information security management system. It addresses leadership, planning, support, operation, performance evaluation and improvement, and is supported by a structured approach to information security risk and controls.
CroftSpurr summaries are written in our own words. We do not reproduce copyrighted clauses from ISO standards.
Why organisations pursue it
Common business drivers.
Enterprise customers require evidence of security maturity.
Security questionnaires are taking weeks to complete.
You handle sensitive client, employee or regulated information.
You sell into SaaS and B2B procurement processes.
Cyber risk is becoming a board-level concern.
Business benefits
Outcomes a well-built system can support.
Credible answer to customer assurance
Structured view of risk, not point-in-time fire-fighting
Clear accountability across leadership, IT and the business
Better incident readiness and response
Stronger supplier and access management
Continual improvement built in
Common triggers
What usually prompts a project.
- An enterprise customer or framework requires ISO/IEC 27001.
- A near-miss or incident has exposed weak controls.
- Rapid hiring has stretched access and onboarding processes.
- Cyber insurance renewal is putting pressure on controls.
- Investors or acquirers want security maturity evidence.
What implementation involves
The core building blocks.
- 01 Defining scope, leadership and roles.
- 02 Identifying information assets and applicable risks.
- 03 Selecting and implementing appropriate controls.
- 04 Managing access, suppliers, change and incidents.
- 05 Monitoring, internal audit and management review.
- 06 Preparing for independent certification.
How CroftSpurr helps
A focused, hands-on approach.
Relationship with other standards
How it fits the wider picture.
- ISO/IEC 27701: Privacy information management extension to ISO/IEC 27001.
- ISO 22301: Business continuity controls complement information security.
- ISO/IEC 42001: AI management interacts heavily with information security.
Typical project journey
What a project usually looks like.
- 01 Scoping and stakeholder workshops
- 02 Risk assessment and treatment
- 03 Control implementation
- 04 Awareness and competence
- 05 Internal audit and management review
- 06 Stage 1 and 2 certification audits
Certification
Consultancy and certification are different.
CroftSpurr helps you understand requirements, implement your management system and prepare for the certification audit. Independent certification is carried out by a separate certification body. We do not sell or issue ISO certificates.
FAQs
Common questions.
Is ISO/IEC 27001 only an IT concern?
No. It is an organisational management system. IT plays a major role, but leadership, HR, legal, suppliers and product all matter.
Do we need to implement every Annex A control?
No. You select controls based on risk and document this in the Statement of Applicability with justification for exclusions.
How does this compare with SOC 2?
They overlap significantly but are different frameworks. We can advise on which combination suits your customers.