Service

ISO 27001 Implementation

ISO 27001 certification in six months — a real ISMS, not a policy library nobody follows.

For organizations expanding into EU/UK markets, under regulatory pressure, or operating to global enterprise procurement standards.

Book an ISO 27001 readiness call

You're probably here because:

Your customers in Europe or the UK are asking for ISO 27001 certification — or your board is, or your industry regulator is. The quotes you're getting from traditional consultancies suggest a 12-18 month engagement and a deliverable that's mostly paperwork. Your operational teams will be expected to attend dozens of workshops and produce evidence on demand.

We design ISMS implementations that actually run inside the business. The certificate at the end is real — but so is the operating model underneath it. Both auditors and your own teams should be able to see how your security programme actually works, not just how it's documented.

What's included

An ISO 27001 implementation engagement with Qhalent delivers:

  • ISMS scope definition — clear boundaries on what's certified, appropriate to your business model
  • Information security risk assessment and treatment plan — built from your actual threat model, not generic templates
  • Statement of Applicability (SoA) — control selection justified against your risk landscape
  • Annex A control implementation — every applicable control, with operational ownership and evidence pathways defined
  • Policy and procedure library — concise, role-specific, and designed for daily use rather than annual review
  • Internal audit programme — established and ready to run on an ongoing basis
  • Management review structure — quarterly or semi-annual cadence with defined inputs and outputs
  • Stage 1 and Stage 2 audit support — including certification body selection guidance and preparation through both audit stages

How we deliver

A typical ISO 27001 engagement runs in four phases over six months:

Phase 1 · Weeks 1-4

Scope and risk assessment

We define the ISMS scope, build your risk register from the actual threat landscape your business faces, and produce the Statement of Applicability.

Phase 2 · Weeks 5-16

Control implementation

Annex A controls implemented across your environment. Policy library written, reviewed, and operationalized. Evidence mechanisms in place from day one — not retrofitted before audit.

Phase 3 · Weeks 17-22

Internal audit and management review

The internal audit programme runs its first cycle. Findings addressed. Management review held and documented. Your ISMS is now operating, not just documented.

Phase 4 · Weeks 23-26

Certification audit support

Stage 1 audit (documentation review) and Stage 2 audit (operational verification) supported. Findings addressed in real time.

Throughout: weekly working sessions during peak implementation phases, fortnightly cadence during lower-intensity phases, and a single partner-level point of contact. Your team's time typically stays under 5%, with peaks during scope definition and audit support.

What we don't do

We don't perform the certification audit. Certification must be done by a body accredited by your national accreditation authority (UKAS, ANAB, EIAC, or equivalent). We'll recommend two or three based on your geography and industry.

We don't sell certification body relationships. We have no financial relationship with any audit body — our recommendations are based on fit, not commission.

We don't build paper ISMSes. If your operational reality is that a control can't be implemented as written in Annex A, we'll work with you to design a compensating approach that satisfies the standard's intent rather than performing a control nobody actually does.

Engagement and pricing

ISO 27001 Implementation is a fixed-fee project engagement.

The fee depends on four factors: your organization's size, the scope of the ISMS, the complexity of your operating environment, and your existing control maturity. We'll give you a defined price after a 30-minute discovery call — typically within 48 hours.

What's included in the fee

Every phase listed above, weekly or fortnightly status reviews, async support throughout, the ISMS documentation suite, control implementation guidance, internal audit programme setup, and Stage 1/Stage 2 audit support.

What's not included

The certification body's audit fees (paid directly to the audit body), ongoing surveillance audit support after year one (available under separate retainer), and any tooling licenses you choose to adopt.

Why Qhalent for ISO 27001

ISO 27001 implementation is fundamentally about building a management system that works — not collecting documents that satisfy a checklist. The standard is deliberately principles-based; how you implement it matters more than which controls you select.

We've designed and operated security programmes inside organizations subject to regulatory regimes that demand operational substance, not just documentation. GRC programmes in UAE critical infrastructure, OT security in regulated industries, vulnerability management at enterprise scale — the work that ISO 27001 ultimately codifies.

Our team holds CISSP, CCSP, and CISM credentials. More importantly, we've spent years inside the operational disciplines that make an ISMS real: incident response, access governance, change management, supplier risk, business continuity.

Ready to talk?

Thirty minutes is enough to know whether we're the right fit. Bring your timeline, the geographies or customers driving the certification need, and your current state. We'll bring a sketch of your fastest realistic path to certification.