Overview
When enterprise customers ask for ISO 27001, investors raise it in due diligence, or contracts require it, you need the certificate that proves your security posture. Oxford Infosec takes small, fast-moving companies from initial scoping all the way to certification, then maintains the controls and evidence that keep you certified through surveillance and recertification audits, year after year.
Our approach is pragmatic and risk-driven, built for small businesses so that every recommended control is proportionate to real-world risk, ISO 27001 requirements, and ICO expectations. We optionally pair our consultants with a compliance automation platform for continuous evidence collection, real-time dashboards, and automated alerts instead of periodic checklists.
Phase 1 - Implementation (3-6 months): We agree scope and accountability, build your asset inventory and risk register, write core policies, deploy controls (MFA, logging, backup, supplier due diligence), conduct your first internal audit and management review, and prepare you for the certification audit.
Phase 2 - Maintenance (12-month minimum, renewable annually): We operate continuous monitoring, maintain your risk register and policies, execute internal audits, coordinate with the certification body for surveillance and recertification audits, deliver security awareness training, and provide incident and change advisory.
Designed for organisations with 2-250 employees handling sensitive data in the UK or Europe, facing procurement questionnaires, investor due diligence, or contractual certification requirements. Our Lead Consultants hold internationally recognised ISO 27001 implementation and audit qualifications along with data protection credentials (CIPP/E, CIPM), serving as your single point of contact accountable for delivery.
Controls are scoped to how you actually operate. If something genuinely does not apply, we mark it out of scope rather than inventing work. The service combines well with SOC 2, vCISO, DPO as a Service, or Security Foundations for organisations needing broader coverage.
Highlights
- Achieve ISO 27001 certification in 3-6 months with a named Lead Consultant holding recognised ISO 27001 implementation, audit, and data protection qualifications (CIPP/E, CIPM)
- Stay certified year after year with ongoing maintenance covering continuous monitoring, internal audits, policy updates, supplier security oversight, and certification body liaison for surveillance and recertification audits
- Built for small businesses with 2-250 employees: pragmatic, risk-driven controls scoped to how you actually operate, with optional compliance automation platform integration for continuous evidence collection and live dashboards
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Pricing
Custom pricing options
How can we make this page better?
Legal
Content disclaimer
Support
Vendor support
You work with a named Lead Consultant who serves as your single point of contact and is accountable for delivery throughout both the implementation and maintenance phases. Monthly check-in calls track open actions, new risks, and control performance issues. Quarterly risk reviews refresh your asset list and risk register, while semi-annual management reviews present summaries of objectives, incidents, and audit results to leadership. For general enquiries, contact Oxford Infosec at hello@oxfordinfosec.com .