Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
View our privacy policy


Helping you achieve ISO/IEC 27001 compliance

Achieving ISO/IEC 27001 certification demonstrates to customers, partners and other stakeholders that an organisation is committed to managing information safely and securely.

The long road to an ISMS and ISO 27001 compliance can be daunting for any business. It can be difficult to understand and effectively prioritise the required compliance measures, particularly if in-house resources are stretched.

As an award-winning provider of cyber security and consultancy services, Redscan is well placed to help your organisation assess and improve its information security in line with ISO 27001 controls and demonstrate compliance with the GDPR and other regulatory requirements.

ISO 27001

What is ISO 27001?

A montage of compliance related security images

ISO 27001 is an international security standard that outlines a framework of technical risk management controls required for an Information Security Management System (ISMS).

ISO 27001 is part of the ISO/IEC 27000 series of standards published jointly by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The ISO framework is designed to help organisations establish, implement, operate, monitor, review, maintain and improve their ISMS.

The ISO 27001 standard adopts a risk-based, technology-neutral approach, requiring organisations to apply controls in line with their own specific security risks. Rather than mandating a set list of controls, the standard outlines a checklist of measures that should be considered, as well as a set of best practice recommendations which are highlighted in ISO 27002.

Even if your organisation is not looking to become fully certified at this time, it is advisable to understand the controls outlined within the standard to ensure that security best practices are being followed.

ISO 27001 requirements

ISO/IEC 27001 requirements

Systematically examine information security risks by identifying threats and vulnerabilities and quantifying impacts
Design and implement a comprehensive suite of security controls to address identified security risks
Adopt an ongoing management process that ensures controls meet information security needs as risks evolve over time


ISO 27001 Annex A controls

To build an effective Information Security Management System (ISMS), choosing appropriate controls is vital. ISO 27001 Annex A lists a set of 114 best practice ISO controls, divided across 14 clauses.

Since ISO 27001 was updated in 2013, these controls have not been mandatory. They merely provide guidance for risk assessments, allowing organisations to select of the controls that they can identify and justify as being most relevant and meaningful for their organisation.

The 14 control clauses of Annex A:

ISO 27001 certification

The ISO 27001 certification process

To achieve ISO 27001 certification, an organisation’s ISMS must be assessed by an accredited registrar, who will undertake a three-stage external audit process defined by ISO 27006. The process is likely to include the following:

01. Stage 1
02. Stage 2
03. Stage 3

Stage 1

Stage 1 consists of a preliminary assessment of an organisation’s ISMS, including collation of security policy documentation. Two key documents are the Statement of Applicability (SoA) and Risk Treatment Plan (RTP).


Stage 2

Stage 2 includes a formal compliance audit where the ISMS is tested against ISO 27001 requirements. Organisations being assessed need to ensure they are able to produce documentation on the ISMS’s design and implementation, as well as evidence that it is being actively operated and maintained.


Stage 3

Organisations that pass Stage 2 are deemed ISO 27001 certified, but they must also go through a series of follow-up reviews and audits to confirm they remain compliant. This is recommended to happen at least annually, but typically takes place much more regularly while the ISMS is in its infancy.

A range of security assessment services

ISO 27001 penetration testing

ISO 27001 pen testing

ISO 27001 certification is not an overnight process and most organisations will struggle to prepare for an audit without external assistance. The ability to identify and address vulnerabilities is critical to an ISMS, and the most effective way to do this is to implement a programme of regular security testing.

Objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities should be obtained in a timely fashion, exposure to these vulnerabilities evaluated and appropriate measures taken to address the associated risks.

Redscan’s CREST-approved team of pen testing experts have extensive experience helping organisations across a range of sectors build security testing programmes. We provide in-depth risk analysis and complete post-test care to ensure identified vulnerabilities can be remediated in a timely fashion. Whether you’re looking for an internal/external network assessment, web app/mobile app test or custom phishing and social engineering simulation, our friendly team is here to help.


More about ISO 27001 penetration testing

ISO 27001 incident management

ISO 27001 threat and incident management

One of the overarching requirements of an Information Security Management System is the development of a comprehensive suite of threat management controls that is monitored on an ongoing basis. Objective A.16.1 covers security incident management, including detection, response, and reporting.

Unless you have a large in-house security team dedicated to the task, it can be difficult to build the necessary capabilities to detect and respond to threats on an ongoing basis. Kroll Responder is our outcome-focused Managed Detection and Response service that supplies the people, technology and cyberoffensive intelligence required to proactively hunt for threats and shut them down as quickly as possible.

We work closely with our clients to identify their specific security risks and implement a solution that provides the tangible security outcomes needed to satisfy a wide range of use cases.

ThreatDetect MDR

Why us?

Why choose Redscan?

  • A leading UK-based MDR and testing company
  • An outcome-focused approach
  • CREST-accredited SOC and red team
  • In-depth threat analysis and remediation guidance
  • Multi award-winning security services
  • Avg. >9/10 customer service, 95% retention rate

Our Services

Our award-winning services

Redscan’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.

ThreatDetect MDR

Managed Detection and Response

Award-winning support to rapidly detect and respond to the latest threats 24/7

Read more
Specialist engagements to uncover and address hidden cyber security risks

Assessment Services

Specialist engagements to uncover and address hidden cyber security risks

Read more
A person choosing from a range of Managed Security Services

Managed Security Services

Expert help to manage and monitor your choice of security technologies

Read more

Get in touch

Complete the form for a prompt response from our team.

Two Redscan team members analysing cyber security intelligence

1000 characters left
View our privacy policy


Discover our latest content and resources

From the blog
From the blog Case studies Latest news
22nd April 2024
Quishing attacks increase tenfold
According to new research, quishing attacks, a type of phishing that leverages QR codes, have significantly increased, rising from 0.8% in 2021 to 10.8% in 2024.
15th April 2024
Half of UK businesses affected by cyber-incident in the past year
According to a new report by the UK government, half of UK businesses have reported a cyber incident or data breach in the past 12 months.  
8th April 2024
Infostealers prominent in retail cyber-attacks
New research has highlighted that the use of infostealers dominated in cyber-attacks on retailers over the past year.  
2nd April 2024
Zero-day vulnerabilities soared by over 50% between 2022 and 2023
In a new report Google has revealed that the volume of zero-day vulnerabilities it detected rose by over 50% from 2022 to 2023, with bugs in third-party components on the increase.