ISO 27001 Managed Services for London Businesses
The international standard for information security management is the foundation that DORA, NIS2, and Cyber Essentials build upon. We help you implement it properly and maintain it continuously.
Key Requirements
Information Security Management System
You must establish, implement, maintain, and continually improve an ISMS — a systematic approach to managing sensitive information. This includes defined scope, documented policies, assigned roles, and a management review cycle.
Risk Assessment and Treatment
A formal risk assessment methodology must identify threats to your information assets, evaluate their likelihood and impact, and produce a risk treatment plan. Residual risks must be accepted by management with documented justification.
Annex A Controls
The 2022 revision organises 93 controls across four themes: organisational, people, physical, and technological. You must produce a Statement of Applicability documenting which controls are implemented, which are excluded, and why.
Internal Audit Programme
Regular internal audits must assess whether the ISMS conforms to the standard and your own policies. Audits must be planned, conducted by competent auditors independent of the areas being reviewed, and produce actionable findings.
Management Review
Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Reviews must consider audit results, incident trends, risk assessment updates, and stakeholder feedback.
Continuous Improvement
The ISMS must improve over time. Nonconformities must be addressed through corrective actions. Preventive measures must be informed by monitoring, measurement, and analysis of security performance data.
The Framework That Underpins Everything Else
If you are navigating DORA, preparing for Cyber Essentials Plus, responding to FCA operational resilience requirements, or trying to satisfy NIS2 obligations, you will find the same foundation underneath all of them: a systematic approach to information security management.
ISO 27001 is that foundation. It is the international standard for establishing, implementing, maintaining, and continually improving an information security management system. It does not prescribe specific technologies. It provides the framework within which your technology choices, security controls, risk decisions, and operational processes fit together coherently.
For London financial services firms, ISO 27001 certification has moved from a nice-to-have differentiator to a practical necessity. Enterprise clients include it in their due diligence questionnaires. The FCA references it as a recognised standard for information security governance. Cyber insurance underwriters give preferential terms to certified organisations. And DORA’s ICT risk management requirements map directly onto the ISMS framework ISO 27001 defines.
What ISO 27001:2022 Requires
The standard operates on two levels.
Clauses 4 through 10 define the management system requirements. You must understand your organisation’s context, secure leadership commitment, plan your approach to risk, provide resources and competence, implement operational controls, evaluate performance through monitoring and audit, and drive continuous improvement. These clauses are mandatory. You cannot exclude any of them.
Annex A provides a reference set of 93 controls organised into four themes. The 2022 revision, which replaced the 2013 structure of 114 controls across 14 domains, introduced 11 new controls reflecting current threats and practices. These include threat intelligence (A.5.7), cloud security (A.5.23), ICT readiness for business continuity (A.5.30), and monitoring activities (A.8.16).
You do not need to implement every Annex A control. You need to consider each one, implement those relevant to your risk profile, and document your decisions in a Statement of Applicability. However, for financial services firms, the vast majority of controls will be applicable.
Why Financial Services Firms Need the Framework
Regulated financial firms face a particular challenge: multiple overlapping compliance obligations, each with its own terminology, each demanding evidence that controls are in place and working.
ISO 27001 provides a single framework that satisfies multiple requirements simultaneously. Your risk assessment methodology feeds DORA’s ICT risk management requirements. Your incident management procedure supports both FCA operational resilience reporting and DORA’s incident classification obligations. Your supplier management controls address third-party risk across every framework.
Without this unifying structure, firms end up with parallel compliance workstreams, duplicate documentation, and conflicting control implementations. An ISMS eliminates that waste by providing one authoritative system of record for information security governance.
The firms we work with that hold ISO 27001 certification consistently find their DORA readiness programmes and FCA operational resilience reviews proceed faster and at lower cost. The foundations are already in place.
The Annex A Controls That Matter Most
For a typical London financial services firm, several control areas carry particular weight.
Access control (A.5.15-A.5.18, A.8.2-A.8.5) governs who can access what, under what conditions, and how access is reviewed and revoked. For firms handling client assets or sensitive financial data, this is the control family that auditors scrutinise most closely.
Cryptography (A.8.24) ensures data is protected in transit and at rest. With hybrid working now standard, encryption of endpoints, email, and cloud storage is a baseline expectation.
Operational security (A.8.7-A.8.16) covers malware protection, backup, logging, monitoring, and vulnerability management. These are the technical controls that your managed IT provider implements and maintains daily.
Supplier relationships (A.5.19-A.5.22) require documented assessment and monitoring of third-party security. For firms using multiple SaaS platforms and outsourced services, this control area demands active management, not annual questionnaires.
Incident management (A.5.24-A.5.28) requires a structured process for detecting, reporting, assessing, and responding to security events. The 2022 revision added specific requirements for learning from incidents and preserving evidence.
How Nerdster Supports Your ISO 27001 Journey
We position ourselves as the technical implementation partner in your certification programme. While your ISMS consultant or internal compliance team handles policy development, scope definition, and management system governance, we implement and maintain the technical controls that make the policies real.
Our managed services deliver the Annex A controls that fall within the IT domain. We configure and manage access controls, deploy and monitor endpoint protection, implement backup and recovery systems, maintain logging and monitoring infrastructure, run vulnerability management programmes, and manage supplier security assessments for technology vendors.
During the certification audit, we provide evidence packs covering every technical control in your Statement of Applicability. Screen captures, configuration exports, log samples, test results, and trend reports are compiled and ready for the auditor.
After certification, we maintain continuous compliance through the same managed services that support your daily operations. When the surveillance auditor returns each year, the evidence is current because the controls have been operating continuously, not reassembled for the audit.
ISO 27001 is not a project. It is a management system that must live and evolve with your business. We ensure the technology layer does exactly that.
Frequently asked questions
How long does ISO 27001 certification take?
For a London financial services firm with 20-150 staff, a well-structured certification programme typically takes 6-12 months from initial gap analysis to certification audit. The timeline depends on your starting maturity, the scope of your ISMS, and how quickly policy and procedural gaps can be closed. Firms with an existing managed IT provider and good security hygiene can move faster.
What is the difference between ISO 27001:2022 and the previous version?
The 2022 revision restructured Annex A controls from 14 domains with 114 controls to 4 themes with 93 controls. It introduced 11 new controls covering areas including threat intelligence, cloud security, data masking, and secure development lifecycle. The core ISMS requirements in clauses 4-10 received minor updates for clarity. Organisations certified to the 2013 version had until 31 October 2025 to transition.
How does ISO 27001 map to DORA requirements?
ISO 27001 provides a strong foundation for DORA compliance. The ISMS framework maps directly to DORA's ICT risk management requirements. Annex A controls cover incident management, access control, cryptography, and supplier relationships that DORA mandates. However, DORA adds prescriptive requirements around incident reporting timeframes, resilience testing methodologies, and third-party contract clauses that go beyond ISO 27001.
Do we need to be ISO 27001 certified, or just aligned?
That depends on your business drivers. Certification provides independent assurance and is increasingly required by enterprise clients, regulators, and insurers. Alignment without certification means you follow the framework but lack third-party verification. For FCA-regulated firms, certification strengthens your regulatory position and simplifies due diligence with counterparties.
What does Nerdster's role look like during certification?
We implement and manage the technical controls that form the bulk of Annex A. This includes access management, endpoint security, network security, backup and recovery, logging and monitoring, and vulnerability management. We provide evidence packs for audit, support policy drafting with technical input, and ensure the IT environment meets the standard's requirements on an ongoing basis.
How much does ISO 27001 certification cost?
Costs vary by scope and firm size. For a London financial services firm with 30-100 staff, expect certification body fees of £5,000-£15,000 for the initial audit, plus annual surveillance audits at roughly half that cost. Consultancy support for ISMS development ranges from £10,000-£30,000. Managed IT services that maintain ongoing compliance are a separate, ongoing cost that most firms already incur.
Need compliance guidance?
Book a free compliance review and we'll assess your readiness against the latest requirements.