Challenge
A government agency responsible for citizen-facing digital services was mandated to reach ISO 27001 certification. It had capable engineers but no information security management system: no risk register, no asset inventory, no incident process a certifier would recognize. Donor funding for the program had a fixed audit date attached.
Approach
We started with a two-week gap assessment against Annex A, then built the ISMS around how the agency actually works instead of importing a template nobody would follow. Policies were written with the teams that would own them. In parallel, we ran a hardening pass on the agency's public platforms so the technical reality matched the paperwork. Internal audit and a full mock certification audit came in weeks twelve and thirteen.
Result
The agency passed its Stage 2 certification audit fourteen weeks after kickoff with zero major nonconformities. The ISMS is now operated in-house, with NCA retained for annual internal audits.
Engagement under NDA; the agency's identity is withheld by agreement.