How we helped a fast-growing telecoms company achieve ISO 27001:2022 certification in six months
The Challenge
When we first met our client, a fast-growing telecoms provider, their message was clear: “We know our customers expect strong security, but we need structure, clarity and a plan we can actually deliver while still running the business.”
Like many organisations in a competitive and highly regulated sector, they were juggling rapid growth, increasing customer security questionnaires, and pressure from enterprise prospects who were beginning to demand formal certifications such as ISO 27001. They had good technical capability, but processes were inconsistent, responsibilities were unclear, and security activity often depended on individuals rather than a defined system.
Our Approach
Over the next six months, the OmniCyber GRC team worked closely with them as a partner, not just a consultant. Together we moved from uncertainty to a confident, operational ISMS that aligned with their ambitions and supported commercial growth.
Phase 1: Gap Assessment and Readiness Review – Understanding the Starting Point
We began with a thorough assessment against ISO 27001:2022 and the Annex A controls. More importantly, we spent time with their teams to understand how they worked, what slowed them down and where risks genuinely lived.
During this stage we identified several challenges that are common across the telecoms industry:
- Risk management was inconsistent. Some teams assessed risks, others did not, and there was no single method for prioritising issues.
- Supplier security varied, especially across network partners, cloud platforms and outsourced development.
- Access control processes were present but undocumented and difficult to evidence.
- Incident management focused on resolving issues quickly but lacked a structured lifecycle.
We created a readiness report and a clear, achievable roadmap that showed what needed to happen before engaging a certification body. This gave the client visibility and confidence in the journey ahead.
Phase 2: ISMS Framework Development – Turning Direction into Structure
With agreement on the priorities, we began building the ISMS in a way that fitted the culture and pace of the organisation rather than forcing a generic framework onto them.
This included creating all core ISMS documents covering every ISO 27001 domain, written in plain language so teams could actually use them. We designed a governance model built around an Information Security Forum chaired by the CTO and supported by quarterly management reviews. We helped the client define a risk management methodology that linked naturally to their enterprise risk processes, and implemented a GRC platform to centralise risk, control evidence, documentation and reporting.
This stage gave the organisation a structure that leaders could govern and teams could follow without unnecessary overhead.
Phase 3: Implementation Support – Bringing the ISMS to Life
Documentation alone never delivers value. We worked alongside IT, engineering, development and operations to put controls in place and ensure they worked in practice.
Examples of the support we provided include:
- Running access reviews and helping teams automate elements for future cycles.
- Supporting backup and recovery testing to ensure results were reliable and repeatable.
- Strengthening patch management processes and making evidence collection easier.
- Performing supplier assessments and helping the client define minimum security requirements for suppliers.
- Setting up a structured incident logging and escalation process.
We also delivered business-wide awareness sessions and role-based training for technical teams so everyone understood both the requirements and their responsibilities.
To help the client measure more than just ISO conformity, we mapped their controls to the NIST Cybersecurity Framework and the CIS Top 10. This gave leadership a broader maturity view that they continue to use today.
Phase 4: Internal Audit and Certification Preparation – Ensuring Confidence Before the Audit
Before engaging the certification body, we carried out a full internal audit that followed the ISO 19011 approach. This provided an objective view of their readiness and highlighted a small number of minor issues which we helped close.
We then supported the team through both Stage 1 and Stage 2 audits. This included preparing evidence packs, rehearsing key conversations, and liaising directly with the auditor so the client always understood what was happening and why.
The Results
- Achieved ISO 27001:2022 certification on the first attempt with no major non-conformities
- Implemented a formal governance and risk management process that now meets both customer expectations and regulatory requirements
- Increased technical and operational security maturity across the organisation
- Improved customer confidence, with several enterprise clients onboarding more quickly due to the certification
- Established a strong foundation for future initiatives such as ISO 27701 and SOC 2
More importantly, security is now embedded in how they work, not just something they do for compliance.