How a stable 100-person SME went from zero structured IT infrastructure to passing ISO 27001. We built the controls as part of an ongoing engagement. When the auditor arrived, the infrastructure was already live.
A stable 100-person SME was making technology decisions without a technical voice in the room. The company needed ISO 27001 certification but had no structured IT estate to certify against. There was no centralised identity provider, no device management, no endpoint protection, and no documented access controls. Every tool had been adopted ad hoc as the company grew.
Growing without controls means the certification gap widens every month. Auditors do not accept policies on paper if nothing is technically enforced behind them. The longer the company waited, the larger the estate that would need to be retrofitted. Without a structured control set, there was nothing for an assessor to audit.
We designed the control set and implemented the tooling end-to-end. Identity went through Okta with lifecycle automation. Devices were enrolled into Intune with compliance policies enforced at login. SentinelOne was deployed to every endpoint. DNS filtering was configured to meet web access control requirements. Access reviews were built as a scheduled process rather than a one-off exercise.
Everything was built as infrastructure and handed over as code repositories coupled with documentation that mapped each control to the relevant ISO 27001 Annex A requirements. The client received working infrastructure and a clear record of what was implemented, why, and where it sat in the control framework.
The infrastructure was ready from the moment we built it as part of the ongoing engagement. When the auditor arrived, they walked through live controls rather than a policy binder. Enrolment records, endpoint compliance data, access review logs, and DNS filtering configuration were all available because they were how the estate was managed day-to-day. The nine-month certification timeline was driven by the client working through HR policies, documentation, and paperwork at their own pace. The IT controls side of ISO 27001 certification passed on the strength of what was technically enforced and evidenced.
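As an added illustration of the scheduled access review and the evidence it leaves behind (this is example code written for this page, not the engagement's own tooling): it runs over a constructed user export shaped like an IdP user list, flags dormant accounts, privileged members and offboarded users who still hold admin group membership, and wraps the findings in a record tagged with an assumed Annex A reference (A.5.18, access rights, in ISO/IEC 27001:2022). Group names, logins and timestamps are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export in the shape of an IdP user list (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PRIVILEGED_GROUPS = {"Okta Admins", "Intune Admins"}  # assumed names
SAMPLE_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE", "last_login": "2024-05-28T08:12:00Z",
     "groups": ["Everyone", "Okta Admins"]},
    {"login": "bob@example.com", "status": "ACTIVE", "last_login": "2024-01-15T17:40:00Z",
     "groups": ["Everyone"]},
    {"login": "carol@example.com", "status": "DEPROVISIONED", "last_login": "2024-04-01T09:00:00Z",
     "groups": ["Everyone", "Intune Admins"]},
    {"login": "dave@example.com", "status": "ACTIVE", "last_login": "2024-05-30T10:05:00Z",
     "groups": ["Everyone"]},
    {"login": "erin@example.com", "status": "ACTIVE", "last_login": None, "groups": ["Everyone"]},
]

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp (the 'Z' form IdPs emit); None means never signed in."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def review_access(users, privileged_groups, now, dormant_days=90):
    """Return one finding per (user, reason) that a reviewer must attest or remediate."""
    findings = []
    for user in users:
        reasons = []
        privileged = bool(set(user["groups"]) & set(privileged_groups))
        last = parse_ts(user["last_login"])
        active = user["status"] == "ACTIVE"
        if not active and privileged:
            reasons.append("leaver_retains_privilege")  # offboarded but still in an admin group
        if active and (last is None or now - last > timedelta(days=dormant_days)):
            reasons.append("dormant_account")            # no sign-in inside the review window
        if active and privileged:
            reasons.append("privileged_attestation")     # admins are attested every cycle
        findings.extend({"login": user["login"], "reason": r} for r in reasons)
    return findings

def evidence_record(findings, now, control="A.5.18"):
    """Build the record kept as audit evidence; the Annex A reference is an assumed mapping."""
    return {"control": control, "reviewed_at": now.isoformat(),
            "open_findings": len(findings),
            "by_reason": dict(Counter(f["reason"] for f in findings)),
            "findings": findings}

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(review_access(SAMPLE_USERS, PRIVILEGED_GROUPS, NOW), NOW), indent=2))
```

Scheduled from a cron job or CI pipeline against a real export, each run's record becomes one dated evidence artefact rather than a one-off spreadsheet.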
“Most companies pass ISO 27001 by writing documents. We passed it by showing what we had actually built. The auditor could see it was real.”
— CFO (name withheld by request)
If your company needs ISO 27001 but does not have the IT infrastructure to certify against, the gap will not close on its own. We build the controls, implement the tooling, and hand over the documentation your assessor needs to see.
The identity governance layer that helped pass ISO 27001 was built as part of a parallel IAM engagement.
You'll talk to the engineer who does the work, not a sales team.