ISO 27001 Implementation & Certification Support
End-to-end ISO 27001 implementation from Nairobi — gap analysis, ISMS build, risk assessment, Annex A controls, internal audit and certification support. Get certified with a partner who does the work, not just the checklist. Call +254 725 722 965.
From gap analysis to certification audit — we build the Information Security Management System, write the evidence, and stand beside you when the auditor arrives.
ISO 27001 is the international standard for information security management, and increasingly the price of entry for selling to banks, insurers, telcos, government and any enterprise with a serious vendor-risk process. Certification proves that your organisation identifies its information risks and manages them through a governed, continuously improving system — not that you bought a firewall.
Most failed certification attempts share one cause: the organisation treated ISO 27001 as a document-writing exercise. An auditor does not certify your policies; they certify that your Information Security Management System is genuinely operating, that risks are assessed and treated, that controls produce evidence, and that management reviews the results and acts on them. Neurobyte implements the system, not just the binder.
We take you from wherever you are — nothing in place, or a stalled internal attempt — through to a successful Stage 2 audit, working alongside your team rather than handing over a template pack. Certification itself is issued by an accredited certification body, independent of us; our role is to make certain that when they audit you, you pass.
What's included
- Gap analysis & readiness assessment — We measure your current state against all of ISO 27001 and the Annex A controls, then give you a costed, sequenced plan to close the distance to certification.
- ISMS design & documentation — Scope statement, information security policy, Statement of Applicability, and the supporting procedures — written for how your organisation actually works.
- Risk assessment & treatment — A defensible risk methodology, a populated risk register, and a risk treatment plan that maps each accepted risk to the Annex A controls that mitigate it.
- Annex A control implementation — Hands-on implementation of the technical and organisational controls — access control, cryptography, logging, supplier security, secure development and incident management.
- Internal audit & management review — We run the mandatory internal audit programme and facilitate the management review, generating the records the certification auditor will ask to see first.
- Certification audit support — We help you select a certification body, prepare your teams for interview, and attend Stage 1 and Stage 2 audits with you to handle findings as they arise.
How it works
- Scope & gap analysis — Define what the ISMS covers — entities, sites, systems, data — then assess every clause and Annex A control against your current reality.
- Risk assessment — Identify information assets and threats, evaluate risk against agreed criteria, and produce a risk register your leadership genuinely understands and owns.
- Build the ISMS — Author the policies, procedures and Statement of Applicability, and stand up the governance forum that will run the system after we leave.
- Implement controls — Close the gaps: technical hardening, access reviews, supplier assessments, secure SDLC, logging and monitoring, and staff awareness training.
- Operate, audit & review — Run the ISMS long enough to generate evidence, then complete an internal audit and a management review — both mandatory before certification.
- Certification audit — Stage 1 checks your documentation, Stage 2 tests whether the system truly operates. We prepare you for both and support you through any findings.
What you walk away with
- Gap analysis report with a costed, sequenced roadmap to certification
- Complete ISMS documentation set, including the Statement of Applicability
- Risk register and risk treatment plan owned by your leadership
- Evidence pack mapped control-by-control to Annex A
- Internal audit report and management review minutes
- On-site support through Stage 1 and Stage 2 certification audits
Frequently asked questions
How long does ISO 27001 certification take in Kenya?
For most small and mid-sized organisations, six to twelve months from kick-off to a Stage 2 audit is realistic. The variables are how much is already in place, how tightly you scope the ISMS, and how quickly your team can implement controls alongside their day jobs. Certification bodies also expect the ISMS to have been operating for a period before Stage 2, because they need records — internal audit results, management review minutes, incident logs — to audit against. Compressing the timeline below that is usually how organisations end up with major nonconformities.
How much does ISO 27001 certification cost?
There are two separate costs and they are often confused. The first is implementation: consultancy, staff time, and any tooling or remediation needed to close gaps. The second is certification itself, paid to an accredited certification body, which is priced on your headcount, scope and number of sites, and recurs as annual surveillance audits plus a recertification audit every three years. We are not a certification body, so we quote only the implementation, and we tell you honestly what to budget for the audit so nothing surprises you later. Request a scoping call for a figure based on your scope.
Can Neurobyte certify us to ISO 27001?
No — and no consultant legitimately can. Accreditation rules deliberately separate the party that implements a management system from the party that certifies it, precisely so the certificate means something. Certification is issued by an accredited certification body after they audit you independently. What we do is implement the ISMS, build the evidence, run the mandatory internal audit, help you select an appropriate certification body, and support you in the room through Stage 1 and Stage 2. Any firm offering to both implement and certify should be treated with real caution.
What is the difference between ISO 27001 and Kenya Data Protection Act compliance?
They overlap but answer different questions. ISO 27001 is a voluntary international standard about how you manage information security risk across an organisation, and it is certifiable. The Kenya Data Protection Act, 2019 is law — it governs how personal data specifically is collected, processed and protected, and it is enforced by the Office of the Data Protection Commissioner, not audited by a certification body. A functioning ISMS makes DPA compliance considerably easier because the security controls, the risk process and the incident management are already there, but it does not deliver it: the Act imposes obligations around lawful basis, data-subject rights and breach notification that ISO 27001 simply does not address. Most of our clients pursue both together.
Do we need a penetration test for ISO 27001?
The standard does not explicitly mandate one. However, Annex A requires you to manage technical vulnerabilities and to verify that your controls are effective, and in practice both certification auditors and enterprise customers treat an independent penetration test as the expected evidence for that. We commonly run a VAPT as part of an ISO 27001 implementation, and the findings feed straight into the risk register and the treatment plan.
Which version of ISO 27001 should we certify against?
ISO/IEC 27001:2022 is the current version, and it is the only one certification bodies now issue certificates against. Its Annex A restructured the controls into four themes — organisational, people, physical and technological — and introduced controls covering areas such as threat intelligence, cloud services and secure coding. If you hold an older certificate, or if an internal project was scoped against the 2013 version, we map your existing controls onto the 2022 structure as part of the gap analysis so nothing already implemented is wasted.