Service ISO 27001 engineering · ISMS + Annex A controls · UK

ISO 27001 engineering, an ISMS your team. actually uses.

ISO 27001 engineering for UK SaaS and scale-up teams whose ISMS lives in a Notion doc nobody reads. We build the controls your auditor signs and your engineers run on, not a binder of policies — ISMS implementation, Annex A controls, the evidence pipeline, and certification body liaison, with the receipts your acquirer asks for.

24hreply, from a senior
100+projects shipped since 2019
Senioronly, on the spine
Why founders sign for ISO 27001

You need ISO 27001 engineering. We ship it with senior engineers and the receipts your acquirer asks for.

Compliance is a build problem, not a paperwork problem. We wire the evidence pipeline on day one and hand you an ISMS the certification body signs and your team runs on.

“The evidence pipeline was the thing the acquirer’s CTO walked through without flinching. Retention got signed before close.”

CTO, UK SaaS scale-up

Acquirer review passed 2025

001

0+

ISO 27001 engagements shipped since 2022.

002

0

Production incidents on shipped engagements.

003

0-day

Fixed-scope audit, £8K, 30-page brief, six ADRs.

The founder this page is for“rip and replace or 25% haircut” · retention signed

The ISMS was a Notion doc. The product was good. The acquirer’s CTO walked the codebase.

01

A UK SaaS scale-up signed Empyreal for ISO 27001 engineering after six months of in-house attempt. Two engineers part-time, no observability, no audit log, and a Confluence page with the runbook. The acquirer’s CTO walked the codebase pre-LOI and said: “rip and replace or take a 25% diligence haircut.”

02

The product wasn’t the problem. The evidence was. Compliance had been treated as paperwork someone would do later. There was no audit log of who touched what data, no DR drill on the calendar, no procurement pack a security questionnaire could clear.

03

We rebuilt over 12 weeks. Senior engineers paired daily. ADRs documented the same day. The evidence pipeline went in on day one. The acquirer’s CTO came back, walked the same surface, and signed full-team retention. This page is for the founder or CTO who decided compliance is a build problem and wants the evidence shipped.

Evidence-first since 2022
The eight security pains we hear in every audit call

The pain you live with. The day-1 answer.

Every founder who emails us about ISO 27001 is fighting one of these eight things. Each one is impossible to fix cheaply once the codebase is live. Each one is a single architectural decision made on day one of our build.

  1. 01
    The silent failureDay-1 architecture

    “A workflow died silently. The customer found out before we did.”

    Per-workflow observability and alerts. PagerDuty and Slack wired to every workflow. The customer never finds out first, and the control your auditor wants is the same one your on-call relies on.

  2. 02
    The audit log gapDay-1 architecture

    “Who did what, when? No record. The SOC 2 auditor flagged it.”

    Append-only audit log on every mutation. Every write logged: actor, tenant, IP, timestamp. Tenant-admin viewable. The certification body and your acquirer both walk away satisfied.

  3. 03
    The cost spiralDay-1 architecture

    “The cloud bill spiked and nobody knew which workload caused it.”

    Per-workload cost tags and budget alerts. Every paid event tagged. The bill stabilises within 30 days and your capacity-planning evidence writes itself.

  4. 04
    The untested restoreDay-1 architecture

    “The backup runs. The restore was never tested. A real disaster would be career-ending.”

    DR drill on the calendar, rehearsed quarterly. RTO and RPO documented and tested. Restore proven in under four hours, with the drill log as Annex A evidence.

  5. 05
    The bus factor of oneDay-1 architecture

    “One engineer knows the system. If they leave, we lose the whole ISMS.”

    Two senior engineers paired, ADRs same day. Bus factor moves from one to four. Every decision documented, so any senior picks up the codebase and the controls the next morning.

  6. 06
    The procurement bounceDay-1 architecture

    “An enterprise prospect asked for SOC 2, a DPA, and a sub-processor list. We had none.”

    Procurement pack shipped on day one. SIG-Lite, CAIQ, DPA, SCCs, and a SOC 2 stance ready from the start. The vendor security review clears in days, not quarters.

  7. 07
    The regulator requestDay-1 architecture

    “The ICO asked for a record and we couldn’t produce it inside 30 days.”

    DSAR runbook and audit log export. A 30-day deadline you can defend. Right-to-erasure honoured at the schema, with the export your DPO hands the regulator.

  8. 08
    The observability gapDay-1 architecture

    “A production incident hit and on-call had no idea what happened.”

    Trace IDs end-to-end, structured logs. On-call reads the trace and knows what happened in 60 seconds. The same telemetry is the monitoring control your ISMS needs.

ANNEX A CONTROL GAPS WE FIND ON 80% OF AUDITS

What an ISMS in a doc nobody reads is missing. And how we engineer it.

These four gaps show up in roughly 80% of the estates we audit for ISO 27001. None of them is a policy problem. Each one is a control your auditor will test and your engineers have to live with.

01

Access control nobody can prove (A.5, A.8)

Least-privilege exists in a wiki, not in IAM. We map roles to Annex A, enforce them in code, and produce the access review your auditor asks for on demand.

02

No logging or monitoring (A.8.15, A.8.16)

Who did what, when? No record. We wire an append-only audit log on every mutation plus alerting, so the certification body sees evidence, not assertions.

03

Backups that never restore (A.8.13)

The backup runs. The restore is never tested. We rehearse DR quarterly, document RTO and RPO, and prove a restore in under four hours.

04

A risk register that hasn’t moved (A.5.1, Clause 6)

A spreadsheet last edited at kick-off. We build a living risk treatment plan tied to real controls, so your Statement of Applicability survives the Stage 2 audit.

ISO 27001 security stack · evidence-first

Three tiers, the same defensible spine your auditor and your acquirer both trust.

Nine ISO 27001 engagements have stress-tested these picks. Tier 1 runs every engagement. Tier 2 is what we reach for when the brief needs it. Tier 3 is the infrastructure that scales the controls to Series B without a rebuild.

T1

What we ship every engagement on

evidence + observability
Vanta / DrataOpenTelemetryDatadog APMSentryPagerDutyPostgreSQLNode.js + TypeScriptPythonGitHub ActionsTerraformVaultAWS KMS
T2

When your brief actually calls for it

reach when needed
Clerk / Auth0 / WorkOSSnowflake / BigQueryKafka / ConfluentRedisStripeLaunchDarkly
T3

The infrastructure that scales the controls

AWS + cloud-native
AWSKubernetes (EKS)AWS LambdaECS FargateRDS / AuroraS3 + CloudFrontAWS BackupCloudWatch + GuardDutyAWS Secrets ManagerAWS Cost Explorer
The six controls your certification body will test

Annex A controls, engineered

Every ISO 27001 engagement lands the same six load-bearing controls in code, not in a policy nobody reads. Each one is hard to retrofit. Each one closes a finding on the audit.

CONTROL(01)

Append-only audit log per mutation

Every write is logged with actor, tenant, IP, timestamp, before and after values. Tenant-admin viewable, exportable. Your auditor reads evidence, not a promise.

A.8.15A.8.16Day 1Exportable

Append-only audit log per mutation

CONTROL(02)

Access control mapped to Annex A

Roles enforced in IAM, not in a wiki. Least-privilege by default. The quarterly access review is a report you run, not a fire drill before the audit.

A.5A.8Least-privilegeDay 1

Access control mapped to Annex A

CONTROL(03)

Encryption + key management (A.8.24)

At rest and in transit, with keys in AWS KMS or Vault. Rotation documented. The control your DPO and your auditor both ask about, answered in code.

A.8.24KMS / VaultRotationDay 1

Encryption + key management (A.8.24)

CONTROL(04)

DR drill rehearsed quarterly (A.8.13)

Restore on the calendar, not in theory. RTO and RPO documented and tested. Restore proven in under four hours, with the drill log as evidence.

A.8.13RTO / RPOQuarterlyDay 1

DR drill rehearsed quarterly (A.8.13)

CONTROL(05)

Evidence pipeline, Vanta / Drata wired

Evidence collected continuously, not screenshotted the week before. Vanta or Drata maps controls to evidence, so surveillance audits stop being a project.

VantaDrataContinuousDay 1

Evidence pipeline, Vanta / Drata wired

CONTROL(06)

Living risk register + SoA

A risk treatment plan tied to real controls, with a Statement of Applicability that survives Stage 2. Reviewed on a cadence, owned by a name, not abandoned at kick-off.

A.5.1Clause 6SoAWeek 2

Living risk register + SoA

Acquirer-defendable

In-house ISMS to
acquirer-defendable, in twelve weeks

A UK SaaS scale-up, in real numbers. Rebuilt over a 12-week sprint with senior pairing, ADRs same-day, and the evidence pipeline wired on day one. The acquirer’s CTO signed full-team retention before close.

The rebuild

12wk
ISO 27001 engineering sprint
0
Production incidents shipped

The outcome

9wk
To SOC 2 Type 1
Full
Team retention signed

Track record

9
ISO 27001 engagements since 2022
3
Acquirer reviews passed 2025
ISO 27001 engineering · honest answers

What founders actually ask before signing the contract

Pain-first, soft-second. The questions every founder asks after their third compliance scare.

The audit is fixed at £8K: five days, two senior engineers, a 30-page brief, six ADRs, and a fixed-price quote for the sprint. After that, most ISO 27001 engineering engagements land between £35K and £85K on a fixed-scope basis, scoped at the audit. No day-rate, no scope creep. If we can’t hit your budget, we tell you in week one and you walk away with the brief.

No. We work in-place wherever possible. Migration only gets scoped at the audit if you actually want it, and the old and new run in parallel until you sign off. The ISMS we build wraps the stack you already have, with the controls enforced in code rather than bolted on as policy.

You hand them the ADR pack, the audit log, the evidence pipeline, and the SOC 2 Type II stance. The acquirer’s CTO walks the surface and signs full-team retention. We’ve done this three times across 2024 and 2025. The receipts are the point of ISO 27001 engineering done as a build, not a binder.

Yes. AWS is the default and we’ve also shipped on GCP, Azure, Cloudflare, DigitalOcean, Vercel, and Fly.io. The multi-cloud lock-in path is documented as part of the brief, so your Annex A scope and your data-residency story both hold up under a Stage 2 audit.

A Vanta or Drata evidence pipeline on day one, with SOC 2 Type 1 achievable in 8 to 12 weeks. A signed DPA plus SCCs for cross-border, a versioned sub-processor list, and a DSAR runbook with a right-to-erasure tool. Procurement clears in days because the pack ships by default, not on request.

This is the single biggest risk with a small studio, and the reason we pair two senior engineers on every engagement and document every decision in an ADR the same day. If one leaves, the other has full context the next morning. Bus factor sits at four, not one. In seven years, two engineers have left mid-project. Both handovers were inside 48 hours.

Yes, with 14 days’ notice. The engineers move to other work, your repo and evidence pipeline stay where they are, and your spend pauses. Pick it back up with 14 days’ notice and we resume on the same board with the same engineers. No cancellation fee, no restart fee. We’ve done this several times and clients came back and shipped.

No. You keep everything and IP assigns on every commit. The handover pack includes the ISMS, the ADRs, the runbook, the DPA, and a code tour for your next engineer. The optional retainer runs at £5K a month for surveillance-audit support and is cancellable with 30 days’ notice, any month. Most clients run it 3 to 6 months while their in-house lead settles in, then end it cleanly.

Iso 27001 engineering — dashboard / app screen
In context

The surface you hand over.

iso 27001 engineering, in context — the dashboards, flows and components your team actually ships, reviews and maintains.

Build the ISMS your auditor signs and your team runs

One paragraph. That’s it.

Tell us your current estate, your certification deadline, and your target outcome. Mohit reads every first email and replies inside 24 hours: a clear yes, a clear no, or the one question that decides it, plus your next audit slot.

Write to mohit@empyrealinfotech.com Replies in 24hEvidence-firstAcquirer-defendable
What happens after the email lands
  1. < 24h

    A personal reply.

    Yes, no, or the deciding question, plus your next audit slot. Straight to your inbox, not a team thread.

  2. Week 1

    The 5-day audit begins.

    We read the estate, write the controls plan, hand you a 30-page brief and a fixed-price quote.

  3. Week 14

    Acquirer-defendable ISMS.

    Annex A controls in code, evidence pipeline live, the brief your auditor and acquirer read cold.