Bergsonscrolled

Compliance & audit readiness

ISO 27001 readiness, without the binder of unread policies.

We design ISMSs that match how the business actually runs. The deliverables are a defensible scope, a real risk register, a Statement of Applicability with clear rationale and traceable evidence, and an operating cycle your team can keep producing after we leave.

When this matters

ISO 27001 becomes urgent when an enterprise customer, board, investor or procurement process needs assurance that your security controls are real, owned and evidenced — not a downloaded policy pack.

Scope

What we cover.

01

Discovery & gap assessment

  • Current-state review against ISO 27001:2022
  • Annex A control coverage gap
  • Stakeholder interviews and architecture walk-through
  • Prioritised readiness roadmap
02

ISMS design

  • Scope definition and boundary statement
  • Information security objectives
  • Roles, responsibilities and committees
  • Document and record management approach
03

Risk assessment & treatment

  • Asset and threat model aligned to architecture
  • Risk register with owners and treatment plans
  • Statement of Applicability with rationale
  • Residual risk acceptance workflow
04

Policies & procedures

  • Right-sized policy suite (not 80 pages of templates)
  • Operational procedures teams can actually follow
  • Supplier and third-party management
  • Incident, change and access management
05

Internal audit & evidence

  • Internal audit programme and execution
  • Evidence collection and traceability
  • Findings and corrective action tracking
  • Management review preparation
06

Certification readiness

  • Stage 1 readiness checklist
  • Auditor-facing evidence walkthroughs
  • Stage 2 support and follow-up
  • Surveillance audit operating rhythm

What good looks like

An ISMS your team can operate.

  • 01An ISMS the team understands and uses
  • 02Stage 1 and Stage 2 evidence ready, traceable to controls
  • 03Customer questionnaire answers grounded in real artefacts
  • 04A risk, audit and management-review cycle that runs itself

Common triggers

Why teams typically bring us in.

  • Scope is unclear or undocumented
  • Policies are generic and unread
  • Risk register is not linked to systems
  • Statement of Applicability rationale is weak
  • Supplier risk is not evidenced
  • Management review is a formality

Related services

Adjacent work teams often pair this with.

Have a deadline pressing on you?
Tell us the gap.

Most engagements start with a short call to understand the deadline, the team and the constraints.

Book a consultation

Bergson Limited is registered in Ireland. We are not auditors, QSAs, or legal advisers. We help technology teams produce the evidence those stakeholders need.