End-to-end implementation of an ISO/IEC 27001:2022 Information Security Management System — from scope definition to Stage 2 certification audit, in a 6-9 month sprint.
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). It is the most widely recognised assurance certification globally — increasingly demanded by enterprise customers, government tenders, financial institutions and Malaysian NCII operators as a precondition to business. A clean ISO 27001 certificate is also the highest-leverage investment a Malaysian organisation can make in cyber maturity, because the standard forces an actual management system rather than a one-time control implementation.
nCrypt's ISO 27001 consultancy delivers the full implementation programme — from scoping the ISMS to handing your Lead Auditor a clean Stage 2 audit. We do not also audit you (that would be a conflict). We work with the major Malaysian-recognised certification bodies including SIRIM, BSI, DNV, BV, TÜV SÜD and SGS to align our deliverables to their expectations.
Scope is the single most consequential decision in the entire programme. A well-scoped ISMS targets the business processes, people and technology in scope of the certification — and explicitly excludes everything else. A badly scoped ISMS either over-covers (driving wasted cost) or under-covers (failing audit on interfaces).
We run a structured 1-2 week scoping workshop with your executive sponsor, IT leadership, business unit heads and (where relevant) compliance and legal. Outputs are a written scope statement, a context-of-the-organisation document, an interested-parties register, and an initial information asset inventory. All four are mandatory ISO 27001 documents and a frequent source of audit findings when missing or incomplete.
Against the scope, we run a structured gap analysis covering all clauses (4-10) and all 93 Annex A 2022 controls. Each control is assessed for design adequacy, operating effectiveness and evidence availability. The output is a heat-mapped gap register with effort estimates, dependency graph and remediation owner per gap.
For organisations starting from a low baseline this is typically a 3-4 week exercise. For organisations already running a mature security programme (with NIST CSF or CIS Controls deployed) it can compress to 2 weeks. See our standalone cybersecurity gap assessment service for a detailed methodology.
Annex A:2022 reorganised the control set into four themes. We work through each theme in parallel streams, sequenced against the dependency graph from Phase 2.
Organisational controls: Information security policies, roles & responsibilities, segregation of duties, contact with authorities, threat intelligence, supplier relationships, ICT readiness for business continuity. The governance backbone of the ISMS.
People controls: Screening, terms of employment, awareness training, disciplinary process, joiners-movers-leavers, remote working, NDA management. Where the ISMS meets HR.
Physical controls: Physical security perimeters, secure areas, equipment siting, secure disposal, supporting utilities, cabling. Site walks, datacentre tours and waste-disposal evidence collection.
Technological controls: Endpoint protection, access management, secure development, change management, encryption, data masking, data leakage prevention, network controls, web filtering, secure coding. The largest workstream by effort.
ISO 27001 clause 9.2 requires an internal audit programme covering the full ISMS at planned intervals before Stage 1. We design the internal audit programme, train your nominated internal auditors (or perform the audit ourselves under an independence model), and deliver findings against a structured non-conformity register with corrective action ownership.
For organisations without an internal audit function we can also perform the internal audit as an independent service — frequently the right model for SMEs where building auditor competency in-house is not justified.
Clause 9.3 requires top management to review the ISMS at planned intervals. We facilitate the first management review meeting, prepare the input pack (audit results, security KPIs, risk-treatment progress, supplier performance, customer feedback, opportunities for improvement) and document the management review minutes against the standard's required outputs.
We also build the recurring management review cadence into your governance calendar — typically quarterly executive review, annual full management review.
Stage 1 (the documentation review) is conducted by your selected certification body and confirms the ISMS documentation is complete and ready for the on-site Stage 2 assessment. We attend Stage 1 alongside your team, prepare the document index, and respond to any Stage 1 observations before Stage 2.
Stage 2 (the on-site implementation audit) is the certification decision. We conduct a full mock Stage 2 audit two weeks ahead, walk through likely auditor lines of inquiry with each control owner, and provide on-site support during the actual audit (subject to your CB's engagement rules).
For surveillance audits (annual, lighter-touch reassessment) we provide a 5-day refresh and on-site support package.
We engage on a fixed-fee, milestone-based contract sized at the kickoff workshop. The standard sprint runs:
For surveillance audit support and post-certification ISMS operation, we offer a separate ongoing retainer.
For a mid-sized Malaysian organisation engaging us in a structured sprint, the typical timeline from kickoff to Stage 2 certification audit is 6-9 months. Smaller organisations with focused scope can compress to 4-5 months; complex multi-entity scopes with significant remediation can extend to 12-15 months. We publish a milestone schedule at the kickoff workshop.
No. ISO 27001 certifies a defined ISMS scope, not the whole legal entity. Many clients certify a specific business line (managed services, payments platform, customer-facing SaaS) while explicitly excluding non-relevant functions. The scope statement is one of the first deliverables — get it right and you avoid a great deal of unnecessary cost.
No, and this is an important separation of duties. We implement and prepare your ISMS. The Stage 1 and Stage 2 audits must be conducted by an accredited certification body (CB) — common options for Malaysian organisations include SIRIM, BSI, DNV, BV, TÜV SÜD and SGS. We help you select a CB but we cannot also audit you.
ISO 27001:2022 restructured Annex A from 114 controls in 14 domains down to 93 controls in 4 themes (Organisational, People, Physical, Technological) and introduced 11 new controls — including threat intelligence, ICT readiness for business continuity, and cloud security. Existing 2013-certified organisations have a transition window; new implementations should target the 2022 edition directly.
No. We are an implementation and consultancy partner. nCrypt's own ISO 27001 certification audit is in progress. We hold PECB partner status for ISO 27001 training, and we routinely prepare clients for certification with accredited bodies including SIRIM, BSI, DNV and BV.
Scoping calls take 30 minutes. Most clients are Stage 2 audit-ready within 6-9 months from kickoff.