As a cybersecurity consultancy, we regularly support clients with ISO 27001 readiness and internal audits. So when we split from WithSecure and launched as an independent company in 2025, certification for this foundational security framework became a top priority. In this article, Lead Implementer Torbjörn Johansson and internal auditor Ondrej Doubek share their accounts of how a newly formed cybersecurity company achieved ISO 27001 certification in just four months — and why a sub-year timeline is achievable for others.
The significance of ISO 27001
ISO 27001 provides a structured, systematic and mature approach to managing security across the organization, from executive leadership to operational procedures. Certification for the standard is granted through an audit by an independent third party.
Across Europe and in most regions outside the United States, it is the most widely adopted security standard. While demanding, it offers clear guidance and a well-defined structure that makes implementation manageable. Achieving ISO certification demonstrates that an organization has the right controls in place and treats security as a serious, ongoing responsibility.
Motivation
From the beginning, ISO certification was a clear requirement for Reversec. Prior to launching our company, we operated under WithSecure, where the standard was already in place. Once we became independent, clients expected us to maintain the same level of maturity, posture and evidence-based security practices.
Our decision was also shaped by ISO 27001’s strong position in Europe and its recognition as a credible way to demonstrate alignment with several EU regulations, including the increasingly relevant NIS2 Directive.
Timeline: Kickoff to certification
The preparations typically begin by defining the scope of what you want certified. Our project started in early February 2025, with the goal of achieving certification quickly to minimize the transition gap between WithSecure Consulting and Reversec. This helped reassure customers that continuity would be maintained.
Torbjörn Johansson led the implementation of our Information Security Management System (ISMS) while also serving as CISO, a role he continues to hold today. His background in information security and experience running ISO 27001 projects for clients gave us a solid foundation to build on.
To keep the process on track, management made it clear that ISO 27001 certification was a mandatory initiative. At the start of the project, Executive Vice President Scott Reininga, who was expected to become CEO, sent a message to the entire organization: “We’re doing this. Make yourself available and be prepared to contribute.” That message set the tone.
For internal follow-up, Torbjörn provided weekly updates to the project’s steering group. At the same time, members of the group were also managing Reversec’s broader transition, rolling out ERP, CRM, HR and finance systems. Despite the parallel efforts, Torbjörn consistently received the support he needed.

Stage 1 – Documentation review
Within two months, we were ready for Stage 1 of the initial audit, which took place on 12 April. This stage involves a review of required documentation by the external auditor to confirm that the minimum documentation exists and aligns with the company’s scope and ambitions. Our external auditor was DNV, a leading assurance and risk management firm.
In late April, we brought in Ondrej Doubek, a certified ISO 27001 Implementer and Auditor, to conduct the internal audit. His role was to assess the ISMS for any gaps or deficiencies. To maintain independence, Ondrej had not been involved in creating the ISMS.
Following Ondrej’s two-week assessment, the team began preparing for the next stage of the external audit. Identified issues were addressed over the course of about ten days, leading up to the next stage of the initial audit.
Stage 2 – Certification audit
The certification audit was focused on how well Reversec’s processes and procedures were functioning. External auditors examined our organization and evaluated how we had adopted the ISMS. This stage included extensive interviews across the company and took place over four days, from 16 to 19 June.
The auditors looked for major nonconformities that could delay certification. Reversec had no major nonconformities and one minor nonconformity, for which we successfully submitted a corrective plan. The auditors also highlighted three opportunities for improvement — suggestions, not misses — which we’ll incorporate into our continuous improvement cycle. This outcome allowed the auditors to proceed with issuing the certification.
Finally, DNV conducted a third-party review of the findings. With no further concerns, the certificate was approved and issued in July.
Scope and audit sizing
Reversec had around 250 employees and three offices in scope. The audit covered our Swedish headquarters, along with sites in Manchester and Singapore. The Singapore office was audited remotely through a video walkthrough.
The total effort for the project amounted to approximately 100 FTE days. This excludes work already underway as part of the broader transition, where additional instructions were provided by the project team to align with relevant requirements.
Typical durations
- Three to four months is exceptionally fast for the certification. It requires full commitment, coordination, cybersecurity expertise and a clear understanding of the process from everyone involved.
- Six months is a realistic minimum for organizations with a highly engaged team.
- Twelve months is a typical timeline for companies starting from scratch or without prior certification.
Roles and responsibilities
The implementation involved staff from Finland, Denmark, Stockholm, Singapore, Manchester and London. Everyone with a stake in security — from executive leadership to administrative staff in Finance — contributed to the project.
- Torbjörn Johansson served as the lead implementer of the ISMS.
- Ondrej Doubek conducted the internal audit.
- The project’s steering group included the operations and transition manager, Nordic consulting manager, and frequently the EVP.
- Our Senior Engagement Manager in the UK supported the project by allocating available capacity and bringing in team members who weren’t assigned to client work.
- The Singapore office manager facilitated the video for that location.
Inside the internal audit
During his two-week document review, Ondrej Doubek examined and compiled all relevant materials into a structured report, closely following the ISO standard — familiar territory from his work with clients. To maintain objectivity, Ondrej remained at a distance throughout the project until the review phase. “Whenever I thought I could help with writing something, I was told, ‘No, you stay away,’” Ondrej reflects on the process.
The purpose of the internal audit is never to nitpick. It should aim to exceed the thoroughness of the external audit, helping the company prepare for the external audit in a meaningful way. As a cybersecurity company that supports clients with ISO compliance and internal audits, our assessment had to reflect our high ambitions and go well beyond the standard’s minimum requirements.
The process was complicated by the fact that the ISMS was still evolving. Before Ondrej could submit his report, a policy might have changed twice, requiring him to revise his findings. He was effectively auditing a moving target.
Despite these added challenges, the auditor was highly satisfied with the outcome, describing the internal audit as exceptionally thorough and uncompromising.
Why four months was possible
In most organizations, policy creation involves multiple rounds of HR approval. Staff often need time to familiarize themselves with ISO 27001, which slows progress.
Reversec was already fully tuned to the standard. Our staff understood the importance of the certification, trusted the policies, and didn’t need convincing. We also had a large pool of experienced contributors.
Commitment from top management played a central role in our ISO compliance journey. Leadership prioritized certification and allocated the resources to make it happen. When projects lose momentum, it’s often because management isn’t fully engaged.
Given the nature of our business, we had in-house cybersecurity expertise and extensive experience with ISMS implementation. This allowed us to access and adapt a wide range of templates and documentation for internal use. Adjusting policies and procedures from WithSecure’s certified ISMS to suit our needs saved significant time.
We offer this advantage to our clients as well. While no two ISMSs are identical, we can noticeably accelerate the implementation process by drawing from our extensive library of curated structure templates and example documents.
What we’d do differently
Looking back, we began our certification journey earlier than ideal, while Reversec was still being established as an independent consultancy. At that point, we were still defining our business processes, building our IT environment and setting up core governance. Not a setup we’d recommend to other companies, but it was unavoidable given the circumstances.
For most organizations, a stronger starting point is when:
- The company structure, key processes and stable IT environments are in place.
- Leadership roles and responsibilities are well defined.
- There is a clear understanding of critical services, data flows, and applications that require protection.
- Internal expectations, customer commitments and legal or regulatory obligations are clearly understood.
- Security awareness and basic controls are already in place.
- Risk management practices are at least partially established.
This foundation allows the ISO 27001 project to focus on improving and formalizing what already exists, rather than designing everything from scratch.
“Implementing ISO 27001 while building the company was challenging, but it also had advantages,” Torbjörn Johansson recalls. “It meant we could embed security and compliance principles directly into the way we operate — not bolt them on later.”
Recommendations for ISO 27001 success
- Begin with a gap analysis. Compare your current state with certification requirements before committing.
- Secure management involvement. Leadership must provide clear direction and maintain momentum.
- Design the ISMS to support real security. Avoid measures that look good on paper but fail in practice.
- Ensure competence in information security. Expertise is essential for risk-based decisions and a posture that reflects current threats.
- Define a clear scope early. Outline what is included and what will be certified. This is key to planning resources and costs.
- Focus on risk, not just controls. ISO 27001 is risk-based. Assess and manage risks properly. Management should understand the risks and how they’re addressed.
- Leverage existing resources. Use available tooling, documentation and processes. Teams and SharePoint can support the effort.
- Keep documentation practical. Write policies for people to follow, not just for audits. Avoid overcomplication.
- Run awareness and training early. Staff should understand objectives, what’s being measured and why it matters.
- Manage the project efficiently. Don’t underestimate time and resources.
- Use available capacity flexibly. Reassign tasks when necessary to maintain progress.
- Maintain focus without burnout. Set clear milestones to facilitate hard work. Avoid pushing at an unsustainable pace.

After certification
The ISMS is called a management system for a reason: once implemented, it needs to be maintained. Regular activities are expected throughout the year between audits. The standard also calls for continual improvement, which means the organization must keep evolving to stay compliant.
Why certification matters
One of the biggest advantages of ISO 27001 certification is client trust. Being able to show that an independent auditor has verified your security posture carries weight.
Certification also helps avoid missed opportunities. Without it, you may not qualify to pitch for certain types of business. This is especially true in the public sector.
Another benefit is regulatory alignment. Across regions and industries, organizations face different regulations but share a growing need to demonstrate compliance. With ISO 27001 in place, you’re well positioned to align with other frameworks and future requirements. For example, the entire ICT risk component of DORA and NIS2 is covered by the ISO standard.
How we can help
We support organizations through every step of the ISO 27001 certification journey — from initial gap analysis to successful certification and ongoing compliance.
Our services include:
- Gap analysis & readiness review – Understand where you stand today and what’s needed to meet ISO 27001 requirements.
- Implementation support – Develop policies, procedures, and controls aligned with ISO 27001:2022.
- Internal audits – Independent audits to verify effectiveness and readiness before certification.
- ISMS management – Ongoing support to maintain compliance, either through a virtual CISO or as operational assistance to your in-house CISO.
Whether you’re starting from scratch or strengthening an existing ISMS, we can tailor our involvement to your needs.