ISO 27001 Foundation Sprint
A fast foundation sprint that builds a coherent ISO 27001 baseline: governance, SoA, control narrative, ownership and an evidence index that fits your stack.
Works with your auditor and your stack (including Vanta/Drata). No tool replacement required. No system access needed.
Who this is for
If you are a SaaS or IT-led organisation selling into enterprise customers, ISO 27001 requests often show up as:
- a procurement requirement
- a customer security review
- an audit date that is already booked
You might already have controls in place, but documentation is incomplete, inconsistent, or written for “a generic company”.
What you get
With an ISO 27001 Foundation Sprint you receive:
- a policy and procedure suite with ownership, versioning, and review cadence
- a SoA and control narrative structure so scope and control intent stay consistent
- an evidence index and collection plan designed to be specific and collectible
- implementation notes that explain what to configure and what reviewers tend to ask
- an editable deliverable set plus reviewer-friendly PDFs
To inspect quality before you buy, download the sample bundle.
Deliverables at a glance
| Deliverable | Includes | Notes |
|---|---|---|
| Statement of Applicability (SoA) draft | Starting applicability view plus scope rationale notes. | Baseline and mapping, not certification guarantees. |
| Control mapping workbook | Owners, artefacts, and evidence expectations per control. | Designed to fit your current tools and evidence workflows. |
| Policy and procedure baseline | Ownership, versioning, review cadence, and implementation notes. | Editable docs plus reviewer-friendly PDFs. |
| Evidence checklist and plan | Concrete evidence prompts and what to implement next notes. | Optimised to reduce procurement back-and-forth. |
Documentation that supports implementation
We do not position documentation as “compliance achieved”. Documentation is the operating manual for your programme.
Your sprint includes:
- evidence cues that map to real activities (access reviews, vulnerability scans, supplier reviews)
- common pitfalls that trigger reviewer questions
- a rollout plan you can execute with your team
Delivery timeline
Typical timeline (after intake):
- Day 0 to 1: confirm framework expectations, scope, owners, and constraints
- Days 2 to 10: tailoring, mapping workbook, evidence checklist, implementation notes
- Revisions: controlled loop for minor revisions, then handover
Your responsiveness affects speed. If you need a fixed deadline plan, request a recommendation.
Examples you can inspect
- Redacted sample deliverables bundle
- ISO 27001 and SOC 2 crosswalk (example)
- ISO 27001 documentation checklist (article)
What’s out of scope (short version)
- legal interpretation (for example GDPR)
- implementation work inside your environment
- audit guarantees
We focus on what we can control: artefact quality, mapping completeness, and clarity.
Next step
- See Services for fixed scope and inclusions.
- Or request a recommendation to confirm fit, scope, and timeline.
See sample deliverables, then request a recommendation
If the structure looks right, the pricing page shows fixed scope and artefact lists.