
ISO 27001

Information Security Management System

ISO 27001 is the internationally recognised standard for information security management systems. For Private Equity firms and Family Offices, certification provides independently verified evidence of security governance maturity — increasingly determining competitive positioning in investor relations, client acquisition, and portfolio company valuation.

Standard Overview

ISO/IEC 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard adopts a risk-based approach, requiring organisations to identify risks, select appropriate controls, and demonstrate ongoing management through documented processes and regular review.

The current version, ISO/IEC 27001:2022, restructured the Annex A control set from 114 controls across 14 domains to 93 controls in four themes: organisational (37), people (8), physical (14), and technological (34). The revision introduced 11 new controls: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The remaining controls were merged or renamed rather than removed; organisations migrating from the 2013 edition must re-map their existing Statement of Applicability accordingly.

Unlike NIS2 or DORA, ISO 27001 is voluntary: no regulator mandates certification. However, institutional investors, enterprise clients, and regulators increasingly treat certification as a baseline expectation. For PE portfolio companies and Family Office holdings, certification often functions as a prerequisite for contract award, regulatory approval, or institutional investment.

Key Requirements

Risk Assessment Methodology

Clause 6.1.2 requires the ISMS to define a risk assessment process that identifies information security risks and their owners, analyses likelihood and impact, evaluates the resulting risk level against defined acceptance criteria, and prioritises risks for treatment. The process must be documented and must produce consistent, valid, and comparable results when repeated. Assessments must be performed at planned intervals and whenever significant changes are proposed or occur (Clause 8.2), and the results retained as documented information.

Statement of Applicability

The Statement of Applicability (Clause 6.1.3) is a mandatory document listing every Annex A control, stating whether it is applicable with a justification for inclusion or exclusion, and confirming implementation status. It must also list any necessary controls that are not in Annex A. The SoA is the central reference linking risk treatment decisions to control selection, and it is a primary focus of the certification audit: auditors sample controls marked as implemented and expect to find operating evidence.

Annex A Controls

The 2022 revision organises 93 controls into four themes. Organisational controls (A.5) cover policies, asset management, access control, supplier relationships, and compliance. People controls (A.6) address screening, awareness, and remote working. Physical controls (A.7) cover perimeters and equipment. Technological controls (A.8) address endpoints, malware, vulnerability management, logging, and secure development.

Management Commitment

Clause 5 requires top management to establish the information security policy, ensure ISMS objectives are compatible with strategic direction, integrate ISMS requirements into business processes, ensure resource availability, communicate the importance of effective security management, and promote continual improvement. Management reviews (Clause 9.3) must be conducted at planned intervals and cover defined inputs such as audit results, risk assessment status, nonconformities, and performance against objectives.

Internal Audit Programme

Clause 9.2 requires internal audits at planned intervals to confirm that the ISMS conforms to the organisation's own requirements and to the standard, and that it is effectively implemented and maintained. The programme must consider the importance of the processes concerned and the results of previous audits. Auditors must be selected to ensure objectivity and impartiality, which in practice means they do not audit their own work. Findings must be reported to relevant management, with corrective actions tracked to closure and records retained as evidence of the programme and its results.

Continual Improvement

Clause 10 requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS, driven by nonconformity and corrective action management (Clause 10.2), management review outputs, internal audit results, and the monitoring and measurement data collected under Clause 9.1. The ISMS is a living management system that must evolve with the organisation and its threat environment; a control set frozen at the time of certification is itself a finding waiting to happen.

Certification Process

Phase 1: Gap Analysis

A thorough comparison of current practices against ISO 27001 requirements, identifying existing compliance, gaps requiring remediation, and effort needed for certification readiness. Informs the implementation plan, resources, and timeline. Organisations starting from low maturity typically find 60-80% of controls requiring implementation or formalisation.

Phase 2: Implementation

Design and deployment of the ISMS: security policy and objectives, risk assessment, Annex A control selection and implementation, Statement of Applicability, mandatory documented information, personnel training, and embedding the ISMS into operations. Typically 4-12 months depending on size, complexity, and starting maturity.

Phase 3: Internal Audit

At least one complete internal audit and management review before the certification body engagement. Nonconformities must be addressed through corrective actions. Intarmour provides qualified internal auditors for clients lacking internal audit capacity.

Phase 4: Certification Audit (Stage 1 & Stage 2)

Conducted by an accredited certification body. Stage 1 is primarily a review of documented information, assessing whether the ISMS design is ready for Stage 2 and identifying areas of concern. Stage 2 is a comprehensive audit evaluating effective implementation through interviews, records examination, and process observation, typically on-site. Upon success, the certificate is issued with a validity of three years, subject to surveillance.

Phase 5: Surveillance Audits

Annual surveillance audits verify continued conformity, covering a subset of the ISMS each year. A recertification audit at the end of the three-year cycle renews the certificate. Intarmour provides ongoing ISMS support to maintain certification readiness between visits.

Benefits for PE Firms and Family Offices

Due Diligence Advantage

ISO 27001 certification provides immediate, verifiable evidence of security governance maturity. For sell-side, it strengthens positioning and justifies premium valuations. For buy-side, certification reduces the depth and cost of technical due diligence required.

Client Confidence

Certification signals independently verified security governance to enterprise clients, institutional investors, and business partners. In competitive procurement, certification is increasingly a qualification requirement rather than a differentiator.

Regulatory Alignment

ISO 27001 controls map significantly to NIS2, DORA, and GDPR requirements. Certified organisations typically achieve 60-75% coverage of NIS2 Article 21 and substantial DORA alignment, making certification an efficient foundation for multi-framework compliance.

Operational Discipline

The ISMS framework imposes structured governance extending beyond security into broader operational management: risk assessment, incident management, supplier governance, and business continuity. Particularly valuable in PE portfolio companies undergoing growth, transformation, or post-acquisition integration.

Advisory Approach

Intarmour provides end-to-end ISO 27001 advisory from gap analysis through certification and ongoing ISMS management, calibrated to the governance structures and strategic objectives of PE-backed companies and Family Office holdings.

For portfolio-level engagements, we design ISMS frameworks accommodating shared service models and centralised governance. Where multiple portfolio companies require certification, we develop standardised ISMS templates creating economies of scale while allowing entity-specific customisation — typically reducing per-entity cost by 30-40% compared to independent implementation.

We design controls that deliver genuine risk reduction, not documentation exercises. Every control is calibrated to the organisation's actual risk profile, ensuring a living management system that creates measurable value. We also integrate ISO 27001 with NIS2, DORA, and GDPR compliance where applicable, maximising return on security investment across all regulatory obligations.

Ready for institutional-grade cybersecurity?

Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.