Case Studies

Over the past three years, we have supported organisations across multiple sectors with the design, operation, and improvement of their information security and governance frameworks.
Our work focuses on building practical, audit-ready systems that reflect how organisations actually operate — not template-driven compliance or documentation created purely for certification.
We work closely with leadership and operational teams to assess risk, strengthen governance, and embed sustainable security practices, whether through ISO 27001 certification, ISMS uplift, or ongoing fractional Information Security Manager support.

Below are selected examples of recent engagements, demonstrating how we help organisations achieve measurable, defensible outcomes under audit and scrutiny.

ISO 27001 Recertification & ISMS Refresh (UKAS-aligned)

The Challenge
The organisation had held ISO 27001 certification for approximately ten years, but the Information Security Management System (ISMS) had evolved organically over time. Documentation was largely aligned to the 2017 version of the standard, with limited structured review as requirements and business operations changed.
Midway through the certification cycle, it became clear that the ISMS required a comprehensive refresh to ensure continued compliance, relevance, and audit readiness — particularly ahead of a full three-year recertification audit.

Key challenges included:
– Out-of-date documentation aligned to the 2017 standard
– Accumulated legacy policies and procedures with unclear relevance
– Limited recent internal audit coverage
– Risk documentation that no longer fully reflected how the organisation operated

What We Found
Following an initial gap analysis, we identified that while the organisation had a mature ISMS in principle, it required consolidation and alignment to the ISO 27001:2022 standard.
Specific findings included:
– Policies and procedures that referenced superseded controls
– A Statement of Applicability (SoA) that required review and restructuring
– Risk assessments that needed stakeholder validation to ensure continued relevance
– Historic documentation retained without clear ownership or purpose
– An internal audit programme that needed refreshing to reflect current scope and risk
– The ISMS itself was sound, but needed active ownership, rationalisation, and evidence-led governance to withstand recertification scrutiny.

The Solution
We assumed responsibility as Fractional Information Security Manager, providing continuity and ownership through the remainder of the certification cycle.
Our work included:
– Conducting a structured ISO 27001:2022 gap analysis
– Updating existing documentation and creating new policies where required by the updated standard
– Reviewing and updating the Statement of Applicability
– Reviewing the risk register with stakeholders to confirm accuracy, relevance, and treatment decisions
– Auditing the full document set, archiving obsolete material, and clarifying document ownership
– Re-establishing and executing the internal audit programme, including updating the audit schedule
– Acting as the organisation’s ISM throughout the three-year UKAS-aligned recertification audit with British Assessment Bureau (BAB)
– Throughout the process, we worked closely with leadership and operational teams to ensure the ISMS reflected how the organisation actually operated, rather than becoming a paper exercise.

The Result
The organisation successfully completed its three-year ISO 27001 recertification audit with no major nonconformities, no minor nonconformities, and no observations or opportunities for improvement.
The outcome was:
– Continued UKAS-aligned ISO 27001 certification
– A streamlined, current, and defensible ISMS
– Clear ownership of policies, risks, and controls
– An internal audit programme aligned to real organisational risk
– Increased confidence in the ISMS as a living management system rather than static documentation

ISO 27001:2017 to ISO 27001:2022 Transition & Uplift

The Challenge
The organisation was operating an established ISO 27001 ISMS aligned to the 2017 standard, but needed to transition to the ISO 27001:2022 revision to maintain certification and meet evolving customer and regulatory expectations.
The challenge was to uplift the ISMS without disrupting day-to-day operations, while ensuring leadership engagement and full compliance with the updated standard.

What We Found
A detailed gap analysis against ISO 27001:2022 identified that while the ISMS foundations were strong, updates were required to:
– Address new and revised control requirements
– Update policy language and structure
– Ensure governance documentation reflected current operational reality
– Refresh the internal audit approach to reflect the updated scope and controls
– The organisation required structured support to manage the transition efficiently and confidently.

The Solution
We conducted a full ISO 27001:2022 gap analysis, reviewing all existing ISMS documentation and identifying required changes.
Our work included:
– Updating and reissuing all affected ISMS documentation
– Aligning policies, procedures, and records to the 2022 control framework
– Reviewing the ISMS holistically to ensure consistency and completeness
– Recommending updates to the internal audit schedule and audit approach
– Working directly with the leadership team to review, approve, and formally adopt updated documentation
– Acting as Fractional Information Security Manager throughout the ISO 27001 uplift audit
– We ensured that changes were proportionate, clearly justified, and embedded into normal business operations rather than introduced as standalone compliance artefacts.

The Result
The organisation successfully completed its ISO 27001:2022 uplift audit, maintaining certification and demonstrating clear alignment with the updated standard.

Key outcomes included:
– Successful transition from ISO 27001:2017 to ISO 27001:2022
– An ISMS updated in line with current risks and operational practices
– Leadership-approved governance documentation
– Improved audit readiness and clarity of control ownership
– Confidence that the ISMS could be maintained sustainably going forward

All engagements were delivered in alignment with UKAS-accredited ISO 27001 certification requirements.