Global Trust Index: 99.8% | EU Regulatory Sync: Active | Network Latency: 12ms | Uptime (90d): 99.997% | Threat Posture: Nominal | DORA Readiness: Compliant | Edge Nodes: 47 / 47

Compliance & audit readiness

ISO 27001 readiness, without the binder of unread policies.

We design ISMSs that match how the business actually runs. The deliverables are a defensible scope, a real risk register, a Statement of Applicability with clear rationale and traceable evidence, and an operating cycle your team can keep producing after we leave.

When this matters

ISO 27001 becomes urgent when an enterprise customer, board, investor or procurement process needs assurance that your security controls are real, owned and evidenced — not a downloaded policy pack.

What we cover

Scope of work

Discovery & gap assessment

  • Current-state review against ISO 27001:2022
  • Annex A control coverage gap analysis
  • Stakeholder interviews and architecture walk-through
  • Prioritised readiness roadmap

ISMS design

  • Scope definition and boundary statement
  • Information security objectives
  • Roles, responsibilities and committees
  • Document and record management approach

Risk assessment & treatment

  • Asset and threat model aligned to architecture
  • Risk register with owners and treatment plans
  • Statement of Applicability with rationale
  • Residual risk acceptance workflow

Policies & procedures

  • Right-sized policy suite (not 80 pages of templates)
  • Operational procedures teams can actually follow
  • Supplier and third-party management
  • Incident, change and access management

Internal audit & evidence

  • Internal audit programme and execution
  • Evidence collection and traceability
  • Findings and corrective action tracking
  • Management review preparation

Certification readiness

  • Stage 1 readiness checklist
  • Auditor-facing evidence walkthroughs
  • Stage 2 support and follow-up
  • Surveillance audit operating rhythm

What good looks like

An ISMS your team can operate.

  • An ISMS the team understands and uses
  • Stage 1 and Stage 2 evidence ready, traceable to controls
  • Customer questionnaire answers grounded in real artefacts
  • A risk, audit and management-review cycle that runs itself

Common red flags

Patterns we see most often.

  • Scope is unclear or undocumented
  • Policies are generic and unread
  • Risk register is not linked to systems
  • Statement of Applicability rationale is weak
  • Supplier risk is not evidenced
  • Management review is a formality
  • Evidence lives in people’s heads

Next step

Talk to Bergson about this work

Most engagements start with a short call to understand the deadline, the team and the constraints.