ISO 27001 & ISO 22301 Advisory Services

Whether you're responding to FINMA Circular 2023/1, preparing for an EU NIS2 supply-chain audit, or pursuing ISO 27001 certification for the first time, we provide structured, experienced advisory support from gap analysis through to certification — in English, with a team based in Switzerland.


We work as a genuine extension of your team. We don't produce documents and leave — we build your ISMS so your people can run it, audit it, and maintain it after certification.


Typical engagement: 6–12 months for ISO 27001 (first certification) · 3–4 months add-on for ISO 22301 · Concurrent programmes available.

SERVICES

Methodology

ISO 27001 Gap Analysis and Readiness Assessment

Before any implementation begins, we conduct a structured gap analysis against ISO 27001:2022 requirements. We review your existing policies, controls, processes, and documentation, then produce a prioritised findings report that maps your current state against all Annex A control domains. You leave with a clear picture of what is in place, what is missing, and a realistic roadmap to certification — including effort estimates and a proposed scope boundary.

ISMS Design and Risk Assessment

We design your Information Security Management System from the ground up, or restructure an existing one, around your organisation's context, risk appetite, and operational reality. This includes defining the ISMS scope, establishing your asset inventory, conducting the ISO 27001 risk assessment using a methodology aligned to ISO 31000, and producing the Statement of Applicability. We work with your team — not around them — so the ISMS reflects how your organisation actually operates.

ISO 22301 Business Continuity Management

We implement ISO 22301-compliant Business Continuity Management Systems as a standalone programme or integrated alongside your ISO 27001 ISMS. The engagement covers the Business Impact Analysis, definition of Recovery Time and Recovery Point Objectives, and development of Business Continuity and Disaster Recovery Plans. When implemented together with ISO 27001, a combined programme significantly reduces effort and cost — a single risk assessment, aligned documentation, and a unified internal audit cycle.

Internal Audit and Certification Readiness

We conduct your ISO 27001 and/or ISO 22301 internal audit as an independent, qualified lead auditor — reviewing control implementation, evidence quality, and nonconformity status against the standard's requirements. We produce a formal audit report with findings classified by severity and provide a corrective action plan your team can act on. Before your Stage 1 and Stage 2 certification audits with an accredited certification body, we run a dedicated readiness review so there are no surprises on audit day.

Ongoing Compliance and Surveillance Audit Support

ISO 27001 certification requires annual surveillance audits and a recertification audit every three years. We provide ongoing support to keep your ISMS current between audits: management review facilitation, control effectiveness reviews, policy update cycles, and preparation for surveillance visits. For organisations using Microsoft 365, we layer in PowerApps and Power Automate workflows that automate evidence collection and flag control gaps continuously — so your compliance posture is maintained year-round, not just in the weeks before an audit.

Annex A Controls Implementation

ISO 27001:2022 includes 93 controls across four domains: Organisational, People, Physical, and Technological. We guide your team through selecting, implementing, and evidencing each applicable control — from access management and asset classification to supplier relationships, incident response, and business continuity. Where controls overlap with your existing frameworks (NIST, SOC 2, GDPR/FADP), we map and reuse existing evidence to avoid duplication of effort.

Approach

Our Approach: Structured. Practical. Built to Last.

ISO 27001 and ISO 22301 implementation fails most often not because of a lack of documentation, but because the system is built around the consultant rather than the organisation. Policies get written, binders get produced, and six months after certification nobody can explain how the risk register works.

Our approach is different. We design every ISMS and BCM system around the people who will run it — your team, your processes, your existing tools. We use a structured five-phase methodology — Assess, Design, Implement, Audit, Certify — that builds internal capability at every stage. By the time your certification audit is complete, your team owns the system. We remain available for surveillance audits, management reviews, and continuous improvement — but you are never dependent on us for day-to-day compliance operations.

For organisations already on Microsoft 365, we integrate PowerApps, Power Automate, and Microsoft Purview directly into your tenant so that evidence collection, policy reviews, and risk register maintenance are automated — not a quarterly scramble.

SERVICES

Inteligio GRC: Compliance That Works Beyond Certification

Regulatory Intelligence & Compliance Scoping

Not every regulation points to the same solution, and not every organisation needs the same scope. Before committing to a framework, we help you map your specific regulatory exposure — FINMA Circular 2023/1, the Swiss Information Security Act, DORA, EU NIS2 supply-chain requirements, or revised FADP obligations — against your organisational context. The result is a compliance roadmap that prioritises the right frameworks in the right order, avoids duplication of effort, and gives your board or management a clear justification for the investment.


ISO 27701 Privacy Extension

ISO 27701 extends your ISO 27001 ISMS to cover privacy information management, directly addressing the requirements of the Swiss revised FADP and EU GDPR. For organisations that process personal data — particularly international organisations handling beneficiary data, HR systems, or donor information — ISO 27701 certification provides documented evidence of privacy governance to regulators, partners, and the individuals whose data you hold. We implement ISO 27701 as an integrated extension to an existing or concurrent ISO 27001 engagement, minimising additional effort and cost.

Microsoft Purview & M365 Compliance Automation

For organisations already operating on Microsoft 365, we deploy a suite of compliance automation tools directly inside your existing tenant — no new vendors, no additional subscriptions, no data leaving your environment. Microsoft Purview Compliance Manager provides a real-time compliance score mapped to ISO 27001 controls. PowerApps and Power Automate replace manual spreadsheet processes for risk registers, nonconformity tracking, supplier assessments, and policy review cycles. The outcome is a compliance programme your team can maintain continuously — not just in the six weeks before your annual surveillance audit.