ISO 27001 Information Security Management System

ISO 27001 is an international standard for Information Security Management Systems. The standard provides a framework that organisations of all sizes can follow to manage information security within a workplace, fulfil legal compliance obligations, and identify risks and opportunities along with treatment controls.

There are many industries where ISO 27001 certification is a contractual requirement. For some it can be an essential tool for gaining an advantage over competitors and demonstrating enhanced credibility in relation to environmental performance.


Candy Management ISO 27001 Information Security

Start now and achieve ISO 27001 certification in a matter of months.

Implementing an ISO 27001 ISMS (Information Security Management System) with Candy Management will enhance information security awareness and performance from top management across your entire organisation, and if done right will achieve cost savings through improved security and a reduction in ISMS issues or breaches.

A Candy ISMS will also enable you to identify risks and develop controls and initiatives which will result in a safety culture. This can open doors to new business, especially when completing PQQs and tenders for new contracts.

Candy Management's ISO 27001 Consultancy Service

Our management systems have been implemented across all sectors and have been certified by UKAS accredited bodies multiple times. Every customer has unique needs and we tailor our services to meet those needs. Whether you're seeking full implementation support or hand-holding, we will be there for you until you get your ISO 27001 certificate, and beyond.

  • We offer a free no obligation initial assessment to establish what level of support you need and identify how we can work together to ensure your success.
  • We have fixed pricing for consultancy days. We do not charge management fees and only invoice as each consultancy day is completed.
  • Our implementation approach is tailored to your needs and takes into consideration existing processes to avoid unnecessary disruptive changes.
  • We work with your team and encourage their buy-in and participation.
  • We will ensure our consultants explain everything we do and how it is completed, so you and your team can continue meeting compliance targets after the initial implementation period ends.
  • We are a one-stop shop with comprehensive and integrated ISO 27001 resources:
    • Industry experienced consultants.
    • Environmental management expertise across all sectors.
    • Project management expertise.
    • Train as you go approach.
    • Hands-on support with management reviews and internal audits.
    • Certification services, both UKAS and non-UKAS.
  • We help tailor your Information Security Management System so that it suits your requirements and is cost-effective to operate and still continues to meet ISO 27001 requirements.
  • All our management systems are built around Annex SL and can be fully integrated with other systems including ISO 9001, 14001 and ISO 22301.
  • Our simple, ‘no quibble’ 100% guarantee of successful certification removes all worry.

ISO 27001 Requirements explained

Clause 4 Context of the organisation

Clause 4 addresses the "context" of the organisation. Before proceeding with developing processes or procedures we need to understand the business: how it is run and what factors can hinder or contribute to its running. In other words, what does the business do? In determining the context we identify internal and external issues, interested parties and the scope of the ISMS.

Clause 5 Leadership

Clause 5 Leadership requires the company's top management to actively lead the Information Security Management System and be able to demonstrate this through policies and responsibilities. Leadership places emphasis on prevention, from identifying hazards and risks to meeting any regulatory requirements. Top management's responsibilities include establishing an information security policy, communicating the policy and the importance of the ISMS, and assigning responsibilities to ensure the effectiveness of the Information Security Management System.

Clause 6 Planning

Clause 6 Planning addresses the process of determining the activities required to achieve a desired goal. Planning also involves thinking about the risks that may occur in future and addressing these through adequate control measures. Clause 6 of ISO 27001 deals with this highly critical activity and requires an organisation to identify its incidents, events and risks, plan for uncertainties and proactively prevent undesired incidents and events. Another aspect of planning is to identify ISMS objectives, which can be used to monitor and track progress. Additionally, this clause requires an organisation to plan for changes and follow a structured approach for any changes required in the management system.

Clause 7 Support

Clause 7 Support requires the organisation to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the Information Security Management System. In doing so the organisation should consider the capabilities of, and constraints on, existing internal resources and what needs to be obtained from external providers. This includes people, infrastructure, the working environment, monitoring and measuring resources, organisational knowledge, competence and awareness, communication, and documented information.

Clause 8 Operation

Clause 8 Operation requires the organisation to plan, implement and control the processes needed to meet the requirements of the ISMS and its legal requirements. These include controls to ensure information security performance is maintained, and preparing and testing emergency plans, including business continuity plans (BCP).

Clause 9 Performance evaluation

Clause 9 Performance Evaluation requires an organisation to assess its own performance in meeting regulatory requirements as well as its performance in meeting the requirements of its own ISMS and the requirements of the ISO 27001 standard. This includes activities such as establishing what needs to be monitored and measured, analysing and evaluating the data, completing internal audits, and top management carrying out a formal review of the performance of the ISMS.

Clause 10 Improvement

Clause 10 Improvement requires an organisation to determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance information security performance. These activities include improving your IT system, addressing the future needs and expectations of interested parties, correcting, preventing or reducing undesired effects, improving the performance and effectiveness of the Information Security Management System, and investigating and correcting ISMS risks, events and incidents.

ISO 27001 GAP Analysis

A Candy Management lead consultant can carry out a no-obligation, fully detailed gap analysis of your existing systems to identify what work is needed to meet the requirements of all the ISO 27001 clauses and the Annex A controls. Alternatively, you can give us a call and speak to one of our advisers for free.


Candy offers consultancy services for all the major ISO standards:

  • Business Continuity Management
  • Quality Management Systems
  • Environmental Management Systems
  • Occupational Health and Safety