COMPLIANCE / ISO 27001:2022
ISO 27001. The procurement gate.
ISO 27001:2022 is the international standard for Information Security Management Systems, and it is increasingly demanded by enterprise customers, government tenders and overseas buyers. The standard is built on an Information Security Management System (ISMS) that belongs to you. BaseHost builds and operates the technical controls underneath it: M365 hardening, monitoring, evidence automation and access governance. We work alongside your ISMS lead and a certified auditor partner.
WHAT'S INVOLVED
Underpin the ISMS, capture the evidence, sustain the operation
CLAUSES
Clauses 4-10 (the ISMS)
Scope, leadership, planning, support, operation, performance evaluation, improvement. The management-system core, documented and operated.
ANNEX A
93 Annex A controls
Organisational (37), people (8), physical (14), technological (34). Statement of Applicability documenting which apply and why.
RISK
Risk management cycle
Risk identification, analysis, evaluation, treatment. Documented methodology, risk register kept current, treatment plans tracked to closure.
EVIDENCE
Continuous evidence capture
Control evidence captured continuously rather than scrambled in the month before audit. SharePoint-based evidence library.
AUDIT
Internal audit + management review
Annual internal audit cycle, periodic management reviews and corrective action management. Run by us, or by staff we train to run it internally.
CERT
Certification body engagement
We work alongside JAS-ANZ accredited certification bodies, from Stage 1 (documentation review) through Stage 2 (operational assessment) to annual surveillance audits.
THE PATH TO CERTIFICATION
Typical 6-12 month engagement
01
Gap analysis
Current-state inventory against the 93 controls. Output: prioritised gap register and roadmap. 3-4 weeks.
02
ISMS build
Policies, procedures, Statement of Applicability, risk register. Document set ready for Stage 1. 8-12 weeks.
03
Control implementation
Technology and process controls deployed and evidenced. 8-16 weeks (depending on starting position).
04
Internal audit
Mock audit cycle, corrective action close-out, management review. 4 weeks.
05
Certification audit
External Stage 1 + Stage 2 audit. We support throughout: auditor interviews, evidence presentation and response to findings.
HOW WE SUPPORT ISO 27001
ISO 27001 prep that ends in an operational ISMS, not a binder.
Statement of Applicability drafted against your scope and business context, a risk assessment that an auditor will actually accept, control implementation aligned to the Annex A reference set, internal audit support, and evidence collection for the Stage 1 and Stage 2 audits. We work alongside your chosen certification body, not in place of it, and we build the controls into day-to-day operations so the Information Security Management System lives in the systems rather than in a binder.
An ISMS that exists only in a document is a failure waiting to happen at recertification. We make the controls part of how the systems actually run, so the management review meeting is a discussion of operating data, not a document-update workshop. Surveillance audits become predictable rather than stressful.
SCOPE OF SERVICE
What BaseHost owns. What we don’t.
ISO 27001 is an ISMS framework, and the ISMS belongs to you. The technical controls underneath it are ours to build and run.
What BaseHost owns
- Build the Annex A technical controls: access, cryptography, logging, network security, secure-development support.
- Operate the M365, Entra and endpoint platforms that produce the evidence the auditor will sample.
- Automate evidence collection for Stage 1 and Stage 2 audits, and keep the evidence library current between surveillance audits.
- Support internal audit cycles with technical walkthroughs and remediation.
- Coordinate with your certification body on technical scope questions.
What we don’t
- Write your ISMS, Statement of Applicability, risk methodology or risk register.
- Act as your internal auditor or your certification body.
- Issue or maintain your certificate.
- Own the management review, leadership commitment or organisational scope decisions.
Working toward ISO 27001? Or already certified and looking for a better partner?
Free 30-minute scoping call. We'll discuss your target timeline, certification body preference, and the realistic engagement model, then send a written proposal within five business days.