• We advise clients in achieving successful zero defect ISO 27001 certification.
  • Our ISMS – ISO 27001 consulting practice combines industry best practices in risk assessment, implementation, documentation, training and measurement of controls leading to a successful ISO 27001 certification and an ongoing governance program.
  • Our ISMS ISO 27001 program has been delivered across the world, across different industry sectors, from SMEs to large businesses operating across the world.
  • Choosing the right ISO 27001 consulting organisation goes a long way in establishing the Cyber Security Framework for your organisation
  • Contact us to get started.

Kindly share your details for ISMS requirements

ISO 27001 Certification Consultant

ISMS – ISO 27001 Consulting Engagement Phases

Here is a brief overview of al the phases involves in implementing ISMS-ISO 27001 certification.

Phase I - Understanding Business and Security Objectives

  • Every client is unique with its business model, customers, and information security requirements
  • The ISMS-ISO 27001 implementation journey starts with this phase where we determine and document the clients’ business requirements for Information Security management system (ISMS).
  • This is where ISMS context, requirements of internal and external parties, and scope are determined and documented.

Phase II - Gap Analysis and Risk Assessment

  • Based on the outcome of phase I, a combination of approaches are applied by Coral ISMS ISO 27001 consultants to conduct the gap analysis.
  • A session with each individual organisation team to asses their current scope of work and their controls are determined
  • A Penetration test against their applications and network reveals their current state of controls
  • A threat model approach is applied to determine their systems and their current process gaps
  • With more and more organizations choosing a combination of on prem and cloud infrastructure, an assessment may involve set of controls and their effectiveness across both the environments.
  • ISO 27001 Gap Analysis phase is a key phase in designing control responsibility to stakeholders.
  • ISO 27001 Gap analysis will reveal gaps in all applicable domains such as ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc
  • Coral consultants will provide detail recommendation for each identified gap with their recommendations.

Phase III - Control - Design, Documentation, Measurement, and Risk Management

  • Design involves control allocation responsibility to organisation stakeholders.
  • Documentation involves drafting and discussing 20+ policies and procedures across domains involving ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc., as per applicable controls.
  • Risks identified in the gap analysis are tracked towards decision making and closure. Some risks are quick wins, whereas others may take longer to close.
  • Control Measurement involves testing the control effectiveness and providing stakeholders with an objective performance of the ISMS
  • These phases may run in parallel or sequential based on the organizational dynamics.

Phase IV - Training & Brainstorming Sessions

  • Training of staff involved in ISMS operations is a key factor in successful ISMS implementation.
  • ISMS involves company staff involved in defining their internal security controls.
  • Our consultants will deliver a combination of trainings including awareness, risk management and standard interpretation
  • Each documentation or risk undergoes brainstorming with staff to derive at a ‘best-fit’ solution for the organisation.

Phase V - Internal Audit and Management Review

  • ISO 27001 Internal audit starts with preparation of ISO 27001 checklist and selecting client staff as auditee, latter responsible for the controls.
  • Internal Audit involves verifying the effectiveness of the implemented lifecycle controls through interviews with system verification of applicable controls,
  • A formal report is published for management team.
  • We facilitate reviews with the management to ensure that the initial ISO 27001 policy objectives and goals are achieved.


At this stage:

  • As a result of undergoing these phases, Coral has implemented for a client an operational Information Security Management system (ISMS) that includes people, processes, technology and ongoing measurements.
  • Each of the ISO 27001 certification requirement has been completed by combination of one or more of policy, responsibility, report, record, technology, and automation.
  • The organisation now has a plan that demonstrates its continued commitment like any other business function
  • At this stage, the organisation is ready for inviting external certification body to certify them to ISO 27001 certification

Phase VI - External Certification Support

Chosen external certification body audit performs ISO 27001 certification in two phases:

  • Stage 1 – Documentation Review, and
  • Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an ISO 27001 certificate.
Finally, upon receiving their ISO 27001 certificates, the clients are officially iso 27001 certified. This is the time to celebrate !!


Seek a one to one session with our Principal Consultant, who will answer your questions to get started.

ISMS – ISO 27001 FAQs

Did you Know?

ISO 27001 - 2022 Controls Calculator

If you are seeking ISO 27001 for the first time using this you can determine the applicable controls from the total list of 93 annexure controls.
We have a simplified methodology to determine with fair accuracy how many controls would apply. So go ahead and give it a go!

1. Do you have application development team or a department in the scope of your ISO 27001 certification? (Note : "Application development has at least 9 controls. Depending upon whether you have one or more apps, additional controls may apply.")
Yes    No
2. Do you have one or more office locations? (Note : "Physical security has at least 11 controls. Note - Even if you don’t have a physical office some degree of physical security controls would apply.")
3. Do you have one or more application software vendor - who develops code for you? (not contracted staff)? (Note : "Security of 'Outsource software development' vendor is one control. ")
4. Do you have one or more cloud service providers ? (Note : There is one control for cloud security. Note - For each cloud service provider depending upon SAAS, PAAS or IAAS, there may be additional controls based on the shared security responsibility model - which are not in ISO 27001 list directly.)
Call or write to us at :
for proposal / roadmap / information
Would You Like To Speak To Our ISO 27001/ISO 27002 Certification Consultant?
Contact Us Now !