The Ethyra method

A transparent path from scope to certification.

Every engagement follows the same six-stage sequence. You always know where we are, what's next, and what we need from you. No mystery consulting, no scope creep — just a disciplined delivery model refined over dozens of certifications.

Discovery & Scoping

We start with a structured discovery — mapping your business model, data flows, infrastructure, and the risks that actually matter to your customers and regulators. The output is a written scope statement and engagement plan that we both sign before any deep work begins.

  • Business and asset discovery workshops
  • Data flow diagrams for in-scope processing
  • Certification scope statement (locations, services, people)
  • Engagement plan with milestones and responsibilities
Typical: 1 week
Outcome: Signed scope & plan

Gap Assessment

We benchmark your current state against the target framework — clause by clause, control by control. The deliverable is a prioritised remediation plan that groups findings by risk, effort, and dependency, so your team knows exactly where to start.

  • Control-by-control gap analysis against the target standard
  • Evidence review of existing policies and operational artefacts
  • Heat-mapped remediation plan (risk vs. effort)
  • Executive summary report with recommendations
Typical: 2–3 weeks
Outcome: Gap assessment report

Policy & Controls Development

We draft your policy suite — not from a template pack, but tailored to your operating model, technology stack, and risk appetite. Everything is version-controlled, approved through a documented workflow, and cross-referenced to the framework.

  • Full ISMS policy suite (20–30 policies depending on scope)
  • Statement of Applicability (SoA) with justifications
  • Risk assessment methodology and live risk register
  • Control narratives and evidence catalog
Typical: 3–5 weeks
Outcome: Approved policy suite & SoA

Implementation Support

Policies on paper are worthless if they don't reflect what's happening in your environment. We embed with your engineering, IT, HR, and operations teams to operationalise controls — configuring tools, designing evidence workflows, and training key personnel. This is where most programs stall; it's where we put our hours.

  • Technical control implementation support (MDM, access, logging, backups)
  • Evidence automation design — collect once, reuse across audits
  • Awareness training rollout and attestation
  • Vendor / third-party risk program activation
  • Incident response runbook and tabletop exercise
Typical: 4–8 weeks
Outcome: Operational ISMS

Internal Audit & Management Review

Before a certification body sees you, we do. We run a full internal audit — independent, documented, and deliberately tough. The goal is to surface every finding now, when it's cheap to fix, rather than in front of an auditor you're paying by the day.

  • Full internal audit against all framework clauses and controls
  • Evidence sampling and operating effectiveness testing
  • Written audit report with non-conformities and opportunities
  • Remediation tracker and re-testing of closed findings
  • Management review facilitation with executive sponsors
Typical: 1–2 weeks
Outcome: Clean audit trail, fixed gaps

Certification Support

We don't hand you off to a certification body and disappear. We help you select a reputable CB, prepare your teams for Stage 1 and Stage 2 audits, sit in on opening and closing meetings, and drive any residual non-conformities to closure.

  • Certification body shortlisting and selection advisory
  • Stage 1 audit preparation and dry-runs
  • Stage 2 audit support — we sit alongside your teams
  • Non-conformity response and corrective action planning
  • Post-certification maintenance calendar
Typical: Audit window + 4 weeks
Outcome: Certification achieved

Principles

How we actually behave during an engagement.

Principle 01

Risk first. Compliance second.

Controls that don't reduce real risk are waste. We design programs to make your business safer and your customers more confident — the certificate is a by-product of doing the work properly, not the goal itself.

Principle 02

Evidence by design, not by deadline.

We build evidence workflows that generate proof as a natural side-effect of running the business, rather than scramble drills in the week before an audit. Done right, your next year's audit is 70% easier than the first.

Principle 03

Your environment, not a template.

Every policy we draft is written for your specific stack and operating model. Generic boilerplate is lazy — and auditors see straight through it.

Principle 04

No finger-pointing. Shared accountability.

When something isn't working, we flag it early, document it, and propose a fix. We don't escalate to cover ourselves or pad hours with status meetings. You hired us to solve problems — we solve them.

Timeline

What an ISO 27001 engagement looks like end-to-end.

For a first-time certification at a 20–100 person company, with a cooperative team and no exceptional complexity.

Timeline varies with complexity, team availability, and starting maturity. We quote firm after the discovery workshop.

Make it real

Let's turn this into your plan.

We'll walk you through how this methodology maps to your business during a free 30-minute scoping call.