Our Values
affordable
Our transparent, no-BS retainer provides a home for infosec tasks within your business as an alternative to employing full-time information security expertise, for 10% of the cost.
pragmatic
Honest, practical, and pragmatic advice that prevents a material breach without tying your business up in red tape.
swift
Our 3-phase approach ensures we design, implement and operate an information security programme that fits your unique time and resource constraints, and gets you ready for ISO 27001 quickly.
ethical
We're on a mission to do the right thing. By choosing to work with us, you fund our pro bono security advisory services for charities who would otherwise be priced out.
Who we are
Our aim is simply to help businesses that need help, by delivering straightforward human support in a complex domain.
Our fractional consultancy solutions are designed specifically to address the unique information security & data protection challenges faced by small businesses, startups, and charities.
We can help design, implement, and operate pragmatic information security management systems that keep your business safe from cyber threats and compliant with regulations, without tying you up in red tape.
Get in touch
Let's have a chat about your information security challenges
Contact us today to learn more about how we can help you understand your material cyber risks, mitigate them, and prove your security to your customers.
Or just drop us an email at hello@steel.fyi
STEEL FYI
Straightforward information security support for small businesses that's affordable and pragmatic.
- Can you conduct the final audit?
Steel FYI is not a certification body and therefore cannot conduct the final audit or issue certifications. We can, however, help with the design, implementation, and operation of your ISO 27001 ISMS and get you ready for certification. We are partnered with an excellent certification body that specialises in startups with modern tech ecosystems and can assist in scheduling your final external audit.
- Can you provide our ISO 27001 internal audit?
The internal audit is an incredibly useful exercise: a review of the ISMS that addresses its efficiency and effectiveness and drives significant improvement in the organisation's operations. The internal audit is part of requirement 9.2 and requires that the assessor be qualified and objective. With over 10 years' experience in information and cyber security, and as holders of the ISO 27001 Lead Implementer, CISSP, and CISM certifications, we are qualified to conduct the internal audit. If we have assisted with the implementation of the ISMS, we would not be objective and therefore unable to provide the internal audit. However, we work with a number of partner auditors whom we can enlist and arrange to provide the internal audit.
- How long does it usually take to get certified?
That depends! For our typical customers (around 1-50 employees, without physical locations, working on a SaaS product), we usually allow around 3 months for implementation and an additional 3 months of running your information security management system, so that we build up enough of an evidence base to pass the external audit with ease. Of course there are a number of factors that will affect this, but 3-6 months is about the average.
- What does the end-to-end process look like for achieving ISO 27001 certification?
Broadly, the process would involve first understanding the organisation through a series of meetings with internal leadership, review of documentation, review of capabilities, and review of the technical estate. This would define the internal and external context, which would be used to produce the beginnings of an ISMS plan. This would then lead to defining and agreeing security objectives, agreeing what resources are required, reviewing the competence of employees, and documenting a communications plan. We would then conduct an organisation-wide risk assessment in a workshop with leadership, where we review and agree appropriate risk treatment plans to address these risks, aligned to the controls of Annex A. We would then work with the internal teams to ensure these controls are implemented and documented as defined by the risk treatment plans. This would include creation and dissemination of policies and delivery of training as necessary. Once the implementation is in place, a management review would be conducted to assess the effectiveness of the ISMS and identify opportunities for continual improvement. An internal audit would then need to be conducted. Once we remediate any nonconformance identified by the internal audit, we would engage the certification body for the stage 1 external audit, which is a documentation review to assess readiness. Assuming we get the green light to go forward after remediating any further nonconformance, we would proceed to stage 2, where we would work alongside the business as your security officer to ensure that the audit goes smoothly, the business is supported, and certification is achieved.