
ISO 27001 for MSPs: How to Build an Information Security Management Service Line

How MSPs can build an ISO 27001 certification service line — covering ISMS scope, Annex A controls, audit prep, and recurring compliance revenue.

Oussama Louhaidia
Updated June 11, 2026 · 12 min read

Key Takeaways

ISO 27001 is the most widely recognised international standard for information security management, and demand from mid-market companies is accelerating. Clients in SaaS, financial services, legal, and healthcare are being asked for ISO 27001 certification by enterprise buyers, insurers, and regulators. Most of those clients have an MSP managing their infrastructure. MSPs who can guide clients through scoping an ISMS, implementing Annex A controls, and achieving certification are positioned to win a high-value, sticky service line in a market where the trigger is a customer contract, not a regulatory deadline. This guide covers how to build it.

ISO 27001 has been around for twenty years. What is new is who is asking for it.

Enterprise procurement teams have tightened supplier qualification requirements. Cyber insurers are adding ISO 27001 (or equivalent controls evidence) to application forms. Public sector contracting authorities in the UK and EU reference it in tender requirements. The result is that mid-market companies — companies with between 25 and 500 employees that have never thought about a management system standard before — are getting the certification question from customers they cannot afford to lose.

Most of those companies have an MSP. Almost none of them have a security team. That is the opportunity.

What ISO 27001 Actually Is

ISO 27001 is an international standard for Information Security Management Systems — ISMS. It specifies the requirements for establishing, implementing, maintaining, and continually improving a systematic approach to managing information security risk.

The standard has two parts. Clauses 4 through 10 define the management system requirements: the governance, policy, risk management, and continual improvement processes that have to be in place. Annex A is a reference list of 93 controls across four themes (Organisational, People, Physical, Technological). The organisation selects controls from its own risk treatment, compares that selection against Annex A to confirm nothing necessary has been omitted, and records in the Statement of Applicability which controls apply and which are excluded, with a justification for each. The 93-control, four-theme structure is from the current edition, ISO/IEC 27001:2022; the 2013 edition had 114 controls in 14 domains, and certificates issued against it had to transition to the 2022 edition by 31 October 2025, so any client with an older certificate is already on the new structure or has lost it.

Certification is awarded by an accredited Certification Body — BSI, DNV, Bureau Veritas, and others. Accreditation comes from a national accreditation body (UKAS in the UK, for example), and it is the accreditation, not the Certification Body's brand, that makes the certificate portable. The Certification Body sends qualified auditors who assess whether the ISMS meets the standard's requirements and whether the controls are actually implemented as documented. A certificate issued by an accredited Certification Body is recognised internationally and is accepted by enterprise buyers across sectors and geographies; a certificate from an unaccredited body is routinely rejected by procurement teams, so check this before a client signs with a cheaper provider.

This is the meaningful distinction from a self-assessment framework. ISO 27001 certification carries an audit trail and a third-party assertion. That is what enterprise procurement departments are looking for when they ask the question.

Who Is Buying It and Why

The demand is coming from several directions simultaneously.

Enterprise supply chains. Large companies with their own ISO 27001 certification are extending the requirement to their supply chains. Any supplier handling data on behalf of the enterprise — SaaS tools, IT service providers, professional services firms, outsourced processing — is increasingly being asked to certify. If your client processes data for a large bank, insurance company, or retailer, this question is coming.

Cyber insurance applications. Insurers have moved from asking general security questions to asking for evidence of specific controls. ISO 27001 certification is the easiest way to answer those questions definitively. Companies without certification are facing higher premiums or sublimits on claims. Companies with certification are accessing better coverage at lower cost.

Public sector contracting. UK government and NHS procurement increasingly references Cyber Essentials Plus and ISO 27001 in tender requirements. Companies bidding for public sector contracts above certain value thresholds often need to demonstrate ISO 27001 certification or equivalent controls evidence.

GDPR and UK GDPR enforcement. While ISO 27001 is not required by data protection law, the ICO and EU supervisory authorities recognise it as evidence of appropriate technical and organisational measures. Companies that have had a data breach and face regulatory scrutiny are often advised by their legal counsel to pursue ISO 27001 to demonstrate corrective action.

The common thread is commercial pressure. Your client does not choose to pursue ISO 27001 because they are especially security-conscious. They pursue it because a customer or insurer requires it. That urgency is what makes the service line work — the client has a deadline and a contract at stake.

The ISMS Structure: What Has to Be Built

Understanding the standard at this level is table stakes for MSPs positioning this service.

The management system (Clauses 4-10) defines the governance structure around security. This includes: establishing the ISMS scope (what systems, data, and processes are in scope), the information security policy, roles and responsibilities, risk assessment and treatment methodology, objectives, competence and awareness, documented information requirements, operational planning, performance evaluation, internal audit, management review, and continual improvement processes. For a small or mid-market company, most of this does not exist in a formal, auditable form. Building it is a significant documentation and governance exercise.

The Statement of Applicability is the central compliance artifact. It lists all 93 Annex A controls, states whether each is included or excluded, gives the justification for that decision in both directions, and records implementation status for every included control. The auditor cross-checks it against the risk treatment plan: an included control with no risk driving it, or a treated risk with no control in the SoA, is a gap. The SoA is what the Certification Body auditor reviews first to understand the scope of the ISMS and to guide their evidence requests.

Annex A controls span four themes:

Organisational controls (37) — policies, roles, threat intelligence, information security in project management, supplier relationships, incident management, business continuity.

People controls (8) — screening, terms and conditions, security awareness, remote working, disciplinary processes.

Physical controls (14) — physical security perimeters, clear desk and screen, secure disposal of equipment and media.

Technological controls (34) — access management, authentication, encryption, backup, malware protection, vulnerability management, network security, data masking, monitoring, web filtering, secure coding.

For a typical 50-person company, the most commonly absent controls at assessment time are: vulnerability management processes (most have ad hoc patching but nothing documented), logging and monitoring (endpoint logs exist, centralised monitoring does not), supplier security (contracts with cloud vendors have no security requirements), and documented information classification (everyone knows what is sensitive informally, but no written classification scheme exists).

Building the Service Line: Phase Structure

Phase 1: Scoping and Gap Assessment (4-6 weeks)

The ISMS scope decision is the first lever. A narrow scope — a specific product line, a specific data type, a specific business unit — is easier to certify than a whole-of-company scope. Enterprise buyers generally accept narrower scopes provided the scope statement is clear about what it covers, but the scope statement is printed on the certificate and a procurement team will check that the service they actually buy sits inside it. A scope that excludes the product or the processing the customer cares about does not answer the procurement question, however cleanly it certifies. An honest conversation about scope options at the start of the engagement, anchored on which customer contract triggered the request, can reduce the certification effort significantly without producing a certificate the customer will reject.

Once scope is defined, run a gap assessment against Clauses 4-10 and the relevant Annex A controls. Document current state, identify gaps, and produce a remediation roadmap with prioritised workstreams. This becomes the project plan.

Phase 2: ISMS Design and Control Implementation (3-6 months)

This is the bulk of the engagement. Work streams typically run in parallel:

Governance and documentation — information security policy, ISMS scope statement, risk assessment methodology, roles and responsibilities, Statement of Applicability. These are policy and procedure documents. For most clients, this means authoring them from scratch, not updating existing documents.

Risk assessment and treatment — identify information assets, identify threats and vulnerabilities, assess risk against a documented methodology, select controls to treat risk, and document the risk treatment plan. This process needs to produce a defensible, documented output, not just a spreadsheet.

Technical control implementation — working through the Technological controls that are absent: centralised log management, vulnerability scanning with a documented remediation process, backup testing and verification, access reviews, MFA enforcement, data encryption for sensitive assets. This is where the MSP’s existing technical capability translates directly into compliance work.

Supplier management — for many companies, this is the most underestimated workstream. ISO 27001 requires that information security requirements are addressed in supplier agreements. This means reviewing existing cloud vendor contracts and, where necessary, ensuring data processing agreements are in place and that the vendor’s security posture has been assessed.

Awareness and training — all staff handling in-scope information need security awareness training, documented evidence of completion, and role-specific training where relevant.

Phase 3: Internal Audit and Management Review

Before the certification audit, the standard requires an internal audit (Clause 9.2) — a formal review of ISMS conformity and effectiveness — and a management review (Clause 9.3) where leadership formally reviews ISMS performance, risk posture, and objectives. Both need to be documented with specific outputs. The internal audit needs to be conducted by someone with auditor competence who is independent of the work being audited: the standard requires objectivity and impartiality, so an MSP that authored the policies and implemented the controls should not have the same people audit them. For most clients, this means either training a staff member to run it or using the MSP to conduct it as a service through a separate audit team, with that separation documented.

The management review meeting and its outputs become evidence for the Certification Body that the management system is functioning as intended, not just documented on paper.

Phase 4: Certification Audit

ISO 27001 certification is a two-stage process. Stage 1 is a documentation review — the Certification Body auditor reviews the ISMS documentation, the SoA, and the risk treatment plan to confirm the management system is designed correctly and is ready for assessment. Stage 1 is typically conducted remotely and takes 1-2 days.

Stage 2 is the on-site certification audit — auditors assess whether controls are implemented as documented, interview staff, review evidence, and test the ISMS. Stage 2 typically takes 2-4 days depending on company size. Findings can be major nonconformities (a requirement not met or a control not operating, which blocks certification until corrected and verified), minor nonconformities (requiring a corrective action plan the Certification Body accepts before the certificate is issued), or observations (advisory). A Stage 2 with no major nonconformities and accepted corrective actions for any minors results in a recommendation for certification.

MSPs should brief client staff on what to expect before the audit: how to answer auditor questions, what evidence to have ready, and what to say (and not say) when the auditor asks about specific controls.

Phase 5: Surveillance Audit Retainer (annual, per certification cycle)

ISO 27001 certificates are valid for three years. Surveillance audits are conducted annually in years one and two, and a recertification audit replaces the surveillance in year three. Each surveillance audit reviews a subset of the ISMS — the Certification Body will rotate through different clauses and controls each year.

The retainer delivers: continuous monitoring and log review against documented procedures, quarterly policy and SoA reviews to catch drift, annual internal audit support (the standard requires internal audits at planned intervals, and the Certification Body will ask for the current one at every surveillance visit), surveillance audit preparation, corrective action tracking, and ISMS maintenance when organisational changes occur. Clients who let the retainer lapse and try to prepare for surveillance audits themselves typically discover they have drifted — documentation is out of date, staff have changed, controls have been modified without updating the SoA.

Pricing the Service

Scoping and gap assessment: £2,500–£5,000 for a 25-100 person company.

ISMS design and control implementation: £10,000–£25,000 depending on gap count, scope complexity, and how much technical control work is required.

Internal audit and management review support: £2,000–£4,000.

Certification audit preparation and liaison: £2,000–£3,500.

Surveillance retainer: £1,200–£3,000/month.

Certification Body fees are a separate client cost — budget £3,000–£8,000 depending on company size and CB choice. This is paid directly by the client.

Total first-year engagement value: roughly £16,500–£37,500 in project fees (the sum of the four project phases above) plus the retainer. For an MSP with 10 clients in the service line, the recurring retainer alone generates £144,000–£360,000 in annual revenue (£1,200–£3,000 per month, twelve months, ten clients).

What Most MSPs Get Wrong

Treating it as a documentation exercise. ISO 27001 auditors are experienced at identifying documented controls that are not actually implemented. If the vulnerability management process says scans run weekly but the tool logs show the last scan was four months ago, that is a finding. The controls need to work, not just exist on paper.

Skipping the risk assessment. The risk assessment is the foundation of the ISMS — it drives the SoA applicability decisions and the control selection. MSPs who copy a generic risk assessment template without going through the process with the client produce a document that does not hold up to auditor scrutiny. The risk assessment needs to reflect the client’s actual assets, threats, and risk appetite.

Underestimating the supplier management workstream. Cloud services, SaaS tools, and outsourced processing relationships all need to be captured in the supplier register and assessed for security requirements. For companies that have grown by adopting SaaS tools without procurement controls, this workstream consistently takes longer than expected.

Not preparing staff for the audit. The Certification Body auditor will interview staff — reception, HR, finance, not just IT. If an employee tells an auditor “I don’t really know what the security policy says” or “we don’t really follow that process,” that is evidence of a control gap regardless of what the documentation says. Audit preparation needs to include non-technical staff.

Letting the ISMS drift between audits. Staff turnover, new cloud tools, office moves, and software changes all need to trigger ISMS updates. MSPs who deliver certification and then go quiet are setting clients up for nonconformities at the next surveillance audit.

Why ISO 27001 Is the Right Service Line for 2026

The commercial triggers for ISO 27001 certification are not going away. Enterprise supply chain requirements are tightening. Cyber insurance underwriting is hardening. The UK and EU regulatory environment is reinforcing security management standards as the baseline for supplier qualification.

Your clients in SaaS, professional services, financial services, and healthcare are going to be asked for ISO 27001 certification by the enterprise customers they need to keep. When that question comes, they will call their IT provider first. If you can answer it, you win the engagement and deepen the relationship. If you cannot, they will find a specialist who can — and that specialist may replace you on more than just the compliance work.

ISO 27001 is not the easiest service line to build. It requires auditor-grade documentation discipline and genuine security expertise. But it is one of the stickiest — a three-year certification cycle with annual surveillance creates a long-term retainer relationship that outlasts any single project.

GetCybr maps ISO 27001 Annex A controls to specific implementation requirements, evidence types, and policy templates for each client. MSPs can manage multiple ISMS clients from a single dashboard, tracking control implementation, risk treatment status, and audit readiness across the full standard. When the Certification Body audit arrives, the SoA and evidence packages are current and organised.

See how GetCybr supports ISO 27001 delivery for MSPs.
