Documentation Review
Thorough review of your ISMS documentation — policies, procedures, risk register, treatment plan, and evidence records against standard requirements.
ISO 27001, 42001 & 27701 Lead Audits conducted with genuine technical depth. I assess whether your controls actually work — not just whether you've ticked the boxes.
Most auditors come from a compliance or governance background. They know the standards but may struggle to assess whether your technical controls are genuinely effective — or just configured to look the part.
I spent 26 years in IT infrastructure, cloud platforms, networking, and security before becoming a certified Lead Auditor. That means when I review your patch management, your access controls, or your network segmentation — I understand exactly what I'm looking at.
"Ticking boxes isn't compliance. Working controls are."
A rigorous, evidence-based audit process. Not a box-ticking exercise.
Verification that your technical controls work as claimed — access management, patch management, logging, network controls, encryption, and more. Assessed with genuine IT understanding.
Structured interviews with key personnel to verify that controls are understood, operated as documented, and genuinely embedded in day-to-day operations.
Assessment of your information security risk register and treatment plan — verifying that identified risks have appropriate, proportionate, and implemented controls.
Clear, actionable audit findings — conformities, nonconformities, and observations. Written to be understandable to both technical teams and executive leadership.
Post-audit guidance on addressing findings — practical recommendations for closing nonconformities, prioritised by risk and achievability for your organisation.
A structured, ISO 19011:2018-compliant audit process, conducted with professionalism and transparency.
Define scope, agree objectives and criteria, review prior findings or documentation, and establish the audit programme. You'll know exactly what to expect before we begin.
On-site or remote evidence gathering — documentation review, technical control verification, and management interviews. Conducted professionally and with minimal disruption to your operations.
Closing meeting to walk through findings, followed by a written audit report. Nonconformities clearly categorised (major/minor), with actionable guidance on remediation.
Lead Audits for the world's leading information security management standard. Exemplar Global certified. Covering both the management system requirements (Clauses 4–10) and the Annex A controls.
Certification audits for AI governance and responsible AI management. Specialist certification in this emerging and increasingly critical standard.
Privacy Information Management System audits — the privacy extension to ISO 27001. Specialist certification in the 2025 edition.
ASD's Essential Eight Maturity Model assessments. TAFEcyber certified assessor — practical, evidence-based maturity rating across all eight mitigation strategies.
An auditor who has never configured a firewall, deployed an endpoint management system, or managed cloud infrastructure is at a disadvantage when assessing your controls. They see the documentation; they may miss the gaps.
I spent 26 years in the engine room. When I test your patch management control, I know what a well-configured system looks like — and what a poorly-configured system looks like when someone's tried to make it look compliant.
Your audit findings will be technically accurate, practically worded, and actually achievable to remediate.
Auditor Independence: I can only conduct your certification audit if I have not previously provided consulting services to your organisation. This independence requirement exists to protect the integrity of your certification. If you've been working with an external consultant, that's fine — I just can't be both your consultant and your auditor for the same engagement. See FAQ for more.
If your ISMS is implemented and you're ready for a Lead Audit with genuine technical credibility — let's talk scope, timeline, and what to expect.