ISO 27001 Certification Support

We lead you to certification. We don't sell it.

End-to-end support through certification — never as both judge and jury.

ISO 27001 certification support is a structured engagement that takes your organization from its starting point to a certification recommendation by an accredited third-party body. Factero leads the process: gap analysis, building the Information Security Management System (ISMS), drafting policies, implementing the applicable Annex A controls (93 in the 2022 edition), internal audit, and management review. We prepare; we don't certify. The certification body (BSI, DNV, Bureau Veritas, SGS, Intertek, etc.) remains an independent accredited third party, as it must. The engagement is led by a CISA-certified principal associate and grounded in ISO 27001:2022, ISO 27002:2022, and the NIST-CSF framework.

Who is it for?

SMEs and technology service providers that need to demonstrate information security maturity to access new markets.

SaaS vendors, cloud providers, and integrators receiving increasing numbers of client security questionnaires — who want to answer them with a recognized framework rather than case by case.

Organizations that have just lost — or risk losing — a bid due to lack of certification, and want to structure the process once and for all.

Growing companies that need to demonstrate cyber maturity to investors, potential acquirers, or a foreign parent company.

Organizations already compliant with other frameworks (SOC 2, Law 25, NIST-CSF) that want to leverage existing work to achieve ISO 27001 without starting over.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A strategic client, a bid, or an international partner requires ISO 27001 — with a firm deadline.
  • You've read the standard, downloaded templates, started drafting policies — and realized the gap between theory and implementation is larger than expected.
  • You've previously attempted an internal effort that ran out of steam for lack of time, method, or a clear project owner.
  • Your IT provider or MSP offers to "handle ISO 27001" — and you want to keep the verification independent from the implementation.
  • You're already compliant with Law 25 or another framework, and want to know what really remains to be done for ISO 27001 — without redoing all the work.
  • You want a realistic estimate of effort, cost, and timeline before committing — not a "6 months" promise pulled from a brochure.
  • The ISO 27001:2022 standard introduced changes (new controls, restructured Annex A) and you want to start with the right version.

What will you receive?

  • A complete gap analysis between your current posture and ISO 27001:2022 requirements, with a plan prioritized by risk level.
  • A documented Information Security Management System (ISMS), sized to your organization — not a 500-page ISMS that ends up in a drawer.
  • The Statement of Applicability (SoA) justifying the inclusion or exclusion of each of the 93 Annex A controls.
  • The required policies and procedures, drafted, reviewed with your teams, and adapted to your operational reality.
  • A documented formal internal audit and management review, as required by the standard — conducted ahead of the certification audit to maximize your chances on the first attempt.
  • An organized evidence file ready for the certification auditor — no scrambling for documents on the day of.
  • Support during the certification body's audits (Stage 1 and Stage 2), translating the auditor's questions and structuring your team's responses.
  • A post-certification maintenance plan: annual internal audit, management review, monitoring of standard changes — to avoid losing certification at the next cycle.

Not a good fit?

  • ISO 27001 support is a demanding engagement — for us and for you. It requires an internal owner (often the CEO, CFO, or a designated lead) with a clear mandate to obtain certification and the resources to mobilize teams. Without that anchor, even the best external support can't go the distance.
  • If your real goal is to demonstrate security to a single client, without targeting formal certification, an independent Factero audit or a targeted attestation may suffice — at significantly lower cost and timeline. We'll discuss this openly at the discovery call.
  • If the request comes from your IT provider wanting to "be compliant" without a clear mandate from leadership, the SME offer is often the right starting point to clarify the stakes before committing the organization to a full certification process.
  • And if the urgency is real but maturity is too low to target certification within the next 12 months, we'll say so — and propose a phased plan that builds the foundations before targeting the standard.

How does the process work?

A rigorous and transparent approach, step by step.
Gap analysis
We map your current posture against ISO 27001:2022 requirements and the 93 Annex A controls. We identify what's already in place (and documentable), what's missing, and what needs realignment. Deliverable: prioritized gap report, realistic estimate of the path ahead, and clear recommendation on achievable timeline.
Scope and ISMS
We define the certification scope with you (which entities, services, sites) — a strategic choice directly influencing cost, timeline, and the value of certification to your clients. We structure the ISMS around your operational reality, not a generic template.
Controls and documentation
We implement missing controls with your IT, HR, legal, and operational teams. We draft required policies, procedures, and records — with a guiding principle: every document must be usable, not just compliant. The ISO 27002:2022 and NIST-CSF frameworks are used to translate requirements into concrete practices.
Internal audit and review
We conduct the formal internal audit required by the standard (clause 9.2), which calls for auditors who are objective and impartial toward the activity they audit: an independent external eye gives credibility that a self-audit by the team that built the ISMS cannot offer. We prepare and document the management review (clause 9.3). These two milestones are prerequisites to certification: if either is missing, the certification auditor will flag it, typically already at Stage 1.
Audit support
We support you through Stage 1 (documentation review) and Stage 2 (implementation audit) conducted by the accredited certification body of your choice. Our role: translate, structure responses, manage any non-conformities and action plans. The choice of certification body remains yours — we can present options (BSI, DNV, Bureau Veritas, SGS, Intertek, others), but we have no commercial ties with any of them.
Post-certification maintenance
An ISO 27001 certification isn't a frozen trophy — it's maintained through an annual internal audit, management review, and monitoring of standard changes. We remain available for this maintenance cadence without locking you into a recurring contract: if your team can take over after the first cycle, that's a good outcome.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
How long does it really take?
The honest answer: 9 to 18 months for most SMEs. Timelines advertised at "6 months" are realistic only for organizations with advanced security maturity — typically those already compliant with SOC 2 or a comparable framework. For an SME starting without an existing ISMS, targeting certification in under 9 months creates more risk than anything else: superficial implementation, policies no one lives by, non-conformities at audit. Factero gives a realistic estimate from the gap analysis onward — not a range pulled from a brochure. If your business constraint is shorter, we'll say so, and look together at whether an alternative (targeted attestation, reduced scope) meets your actual need.
What does it cost — and what's not included in the engagement?
Factero's engagement covers the entire preparation through certification — gap analysis, ISMS, policies, control implementation, internal audit, management review, support through Stage 1 and Stage 2 audits. Costs not included in our mandate and paid directly by you: certification body fees (Stage 1, Stage 2, annual surveillance audits), any technical investments identified along the way (tools, licenses, infrastructure upgrades), and your internal team's time — always the biggest investment. We provide a full estimate of all three from the gap analysis onward, so there are no budget surprises.
Do you deliver the certification?
No, and this is an absolute rule. Certification is issued exclusively by a certification body accredited by a national accreditation body (UKAS, ANAB, SCC, etc.). No consultant can "deliver" the certification: the rules governing certification bodies (ISO/IEC 17021-1) prohibit a body from certifying a management system it helped design or implement, precisely because of the conflict of interest. Factero prepares you up to the point where the certification body confirms your conformity. We help you choose the most appropriate certification body for your sector and size, but the choice is yours, and we have no commercial ties or commissions with any of them. Our Charter of Independence explicitly excludes this type of arrangement.
We're already compliant with Law 25. Does that accelerate ISO 27001?
Yes, Law 25 compliance already covers a significant portion of ISO 27001 controls — particularly around personal data protection, incident management, and the designation of a Privacy Protection Officer. Based on our recent engagements, a solid Law 25 starting point can cover 20% to 35% of ISO 27001:2022 requirements. The gap analysis identifies precisely what's already transferable, what needs adaptation (a Law 25 control isn't always worded as ISO requires), and what remains to be built from scratch. You're not starting from zero — and that's exactly why the gap analysis is the first step of the engagement.
Our MSP already manages our infrastructure. Can they also drive our ISO 27001 certification?
Your MSP is a key player in technical implementation, but driving the certification is a separate role. ISO 27001 requires an internal audit whose auditors are objective and impartial (clause 9.2); if your MSP manages your infrastructure and drives your certification, they end up auditing their own delivery. The certification auditor may raise a non-conformity on that lack of independence, and some certification bodies refuse to begin the audit under these conditions. Factero has no commercial ties to your MSP: we audit the reality, not the vendor's official version. We work with your MSP, not in their place, exactly as in an independent audit.
What changed between ISO 27001:2013 and ISO 27001:2022?
The 2022 version is the one in force: the transition period for the 2013 edition ended on 31 October 2025, after which 2013 certificates were withdrawn. Key changes: Annex A went from 114 controls across 14 domains to 93 controls grouped into 4 themes (organizational, people, physical, technological); 11 new controls were added (notably threat intelligence, cloud services security, configuration management, data leakage prevention, and secure coding); and the management-system clauses (4 to 10) received minor updates to stay aligned with the ISO harmonized structure (Annex SL), which the 2013 edition already followed, including a new requirement to plan changes to the ISMS (clause 6.3). Organizations certified under 2013 had to migrate to 2022. Factero works exclusively on the 2022 version; there is no reason to build an ISMS on a retired edition.
Can we reduce scope to certify faster — for example a single SaaS product?
Yes, and it's often the right strategy — but there's a trap to avoid. A restricted scope (single product, single entity, single site) reduces cost, timeline, and internal effort. It's fully aligned with the standard, which requires scope to be clearly defined and defensible. The trap: a scope that's too narrow may not answer the question your client actually has. A certificate covering "the development team for Product X at the Montreal headquarters" doesn't reassure a client wondering whether their data is protected when transiting through your overseas support center. We define scope with you, taking into account both your technical reality and the commercial promise the certificate needs to hold.
What methodology do you use?
Factero draws on three primary frameworks: ISO 27001:2022 as the target standard, ISO 27002:2022 for control implementation guidance, and the NIST Cybersecurity Framework (NIST-CSF) to structure risk assessment and recommendation prioritization. The principal associate holds the CISA certification (Certified Information Systems Auditor) from ISACA — the international reference in information systems auditing. In practice, the approach is adapted to each organization's size and complexity: we don't build the same ISMS for a 25-employee SaaS vendor and a 300-employee financial services firm. Each control is evaluated on actual applicability — which is the whole point of the Statement of Applicability (SoA).
What if we fail the certification audit?
A complete failure at the first audit is rare when preparation has been rigorous. What happens more often, and isn't a failure, is that the auditor identifies minor non-conformities to be corrected within a timeframe set by the certification body (typically around 90 days) before the certificate is issued. That's a normal part of the process. Major non-conformities, rare with solid preparation, require a formal corrective action plan, evidence that the correction is in place, and usually a follow-up audit before the certificate can be issued. Factero supports you through Stage 1 and Stage 2 audits and stays with you to resolve any non-conformity. Our goal from the start: bring you to audit when you're actually ready, not when the calendar dictates. If during the engagement we determine you're not ready, we'll tell you clearly, even if it means postponing the audit date.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — findings, analyzed documents, drafted policies, internal audit results — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to the certification body are shared under your control and with your approval. This standard applies across all our engagements, without exception.
Does this commit us to ongoing work?
No. The ISO 27001 engagement ends naturally with certification. For maintenance (annual internal audit, management review, surveillance audit preparation), some organizations prefer to internalize — often the right choice when a team is in place. Others prefer to keep us on a light cadence to guarantee the rigor of the annual cycle. Our Charter of Independence prohibits creating artificial dependency — we never recommend follow-up you don't need. If your team can take over, that's a good outcome.
Why Factero for this engagement — what sets you apart?
Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
  • The firm itself is certified: Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.
  • Incorporated and established since 2022: Factero Service Conseil has been duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
  • Complete team and operational continuity: Factero relies on an interdisciplinary team covering information technology, human resources, and accounting, the three dimensions that intersect in most governance engagements. A certification engagement typically extends over 9 to 18 months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
  • Professional liability and cyber insurance: Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold it itself. Ask for the certificate before signing.
  • Written and public independence: our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
  • Public procurement registration: Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal, a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.