Petronella Technology Group runs the certification project end-to-end. We scope your Information Security Management System, build the documentation your auditor expects, implement the Annex A controls your business actually needs, and stand beside you through Stage 1, Stage 2, and every annual surveillance audit. Fixed-fee engagements, defined deliverables, no shelf-ware.
This page describes the engagement. If you are still researching what ISO 27001 is, what Annex A actually contains, how the certification body landscape works, or what the standard costs, our ISO 27001 framework explainer covers that ground in depth. The page you are reading now is about what Petronella Technology Group does for you once you have decided to pursue certification: the people who show up, the documents we hand you, the controls we implement, and the audit room we stand in with you.
We are a hands-on consultancy, not a template vendor. Our engineers have spent the last two decades implementing security controls inside regulated environments, which means we build ISMS programs that the certification body recognizes as operational, not aspirational. The difference matters at Stage 2, where auditors stop reading documents and start interviewing the people who do the work.
ISO 27001 has two pages on this site because they answer two different questions. Make sure you are on the right one before you keep scrolling.
Our framework page covers what ISO 27001 is, the 2013-to-2022 transition, the four Annex A themes, the Statement of Applicability, what a Stage 1 audit looks like versus Stage 2, surveillance and recertification rhythm, and the cost components a certification body charges.
Read the ISO 27001 framework explainer →This page describes the Petronella Technology Group consulting engagement: who runs the project, what we deliver in months one through twelve, how we work with your chosen certification body, how we map ISO 27001 against the other frameworks you already report on, and what the team looks like in the audit room.
Start the scoping conversation →A typical Petronella Technology Group ISO 27001 engagement runs six phases over six to twelve months. Each phase has a fixed scope, a named deliverable, and a clear exit criterion. You always know what month you are in and what has to be true before the next phase starts.
We sit down with leadership, IT, security, HR, and legal to map your information assets, identify interested parties (clients, regulators, investors), and define the legal entities, locations, services, and data classes that will live inside the ISMS boundary.
We evaluate your current posture against every clause of the standard (4 through 10) and every applicable Annex A control. The gap report names each finding, its severity, the work required to close it, and a realistic estimate of internal hours plus external spend.
We build the management system: the security policy, the risk assessment methodology, the Statement of Applicability, the risk treatment plan, the supplier security framework, the access governance model, and the operating procedures your team will actually follow.
We work shoulder-to-shoulder with your engineers to deploy the technical and operational controls selected in your Statement of Applicability. Where you need additional capability, our delivery teams stand up detection and response, penetration testing, and data loss prevention directly.
An independent Petronella Technology Group auditor (separate from your delivery consultant) walks the ISMS the same way your certification body will. We surface nonconformities, draft corrective actions, and run the management review meeting so leadership signs off with full visibility.
We attend the documentation audit (Stage 1) and the implementation audit (Stage 2) alongside your team, run the audit-room interview prep, manage the findings response, and remain on retainer for the year-one and year-two surveillance audits plus the year-three recertification.
Fixed-fee, not time-and-materials. After Phase 02 (gap analysis) we deliver a written proposal with a single, all-in fee for Phases 03 through 06. You decide whether to proceed. No surprise invoices, no hourly meters running during your weekly check-ins, no scope expansion without your written approval.
ISO 27001 is industry-neutral by design, but the way the audit body interprets controls, the scoping conversations you face, and the integration with the rest of your compliance burden differ sharply by sector. These are the verticals where we do the most work.
Investor diligence, regulator scrutiny, and PCI overlap make ISO 27001 a near-mandatory credential. We integrate the ISMS with your SOC 2 reporting cycle and FFIEC examination expectations so two compliance programs run on one set of evidence. See financial services cybersecurity.
BAAs increasingly require ISO 27001 alongside HIPAA. We map Annex A controls against the HIPAA Security Rule and run the program so a single set of safeguards satisfies both frameworks. See HIPAA compliance and HIPAA risk assessment.
Approximately 70 percent of Annex A overlaps with CMMC Level 2 practices. We deliver both programs from one project plan so you achieve CMMC Level 2 and ISO 27001 on the same evidence base. See defense contractor cybersecurity.
Your customers are pushing certification into your master service agreements. We run the ISMS so your sales team can answer the security questionnaire in one page and your auditor can produce evidence on demand. See MSP partner program.
Enterprise procurement teams treat ISO 27001 as table stakes. We align the ISMS with your cloud architecture, your DevOps cadence, and your cloud security posture management program so the certificate reflects how the platform actually runs.
Client-data sensitivity is the differentiator and certification is the proof point. We scope the ISMS around your matter-management and document-handling workflows, keeping the program lean and audit-ready without disrupting billable work. See cybersecurity for law firms.
Most of our ISO 27001 clients are already running, or about to run, at least one other compliance program. We design the ISMS so a single set of policies, procedures, and evidence satisfies multiple audits. The table below shows the overlap we exploit most often.
| Framework | Approximate Annex A Overlap | How Petronella Integrates It |
|---|---|---|
| CMMC Level 2 | ~70 percent | NIST SP 800-171 practices map directly into ISO 27001 Annex A. We run a single control library and produce the SSP and POA&M alongside the Statement of Applicability. See CMMC compliance. |
| HIPAA Security Rule | ~65 percent | Administrative, physical, and technical safeguards align cleanly to Annex A Organizational, Physical, and Technological themes. One set of safeguards, two compliance regimes. See HIPAA compliance. |
| SOC 2 Type II | ~70 percent | The AICPA Trust Services Criteria sit on top of the ISMS. Your SOC 2 auditor reads the same evidence your ISO 27001 auditor does. We coordinate both audit calendars. |
| NIST CSF 2.0 | ~80 percent | NIST CSF is our internal maturity model during gap analysis. The Identify-Protect-Detect-Respond-Recover language gives leadership a shared vocabulary for the ISMS. See NIST compliance services. |
| FedRAMP Moderate | ~55 percent | For cloud vendors pursuing FedRAMP, the ISMS becomes the foundation for the System Security Plan. We run the ISO 27001 engagement first to create the documentation spine the 3PAO will read. |
| PCI DSS 4.0 | ~50 percent | PCI is narrower (cardholder data environment only) but every PCI requirement has an Annex A analogue. We scope the ISMS to envelope the CDE so the QSA reads ISMS evidence directly. |
| GDPR Article 32 | ~75 percent | The "appropriate technical and organisational measures" language in GDPR Article 32 is satisfied by a functioning ISMS. We add data-protection-impact-assessment artifacts on top of the standard Annex A documentation. |
Overlap percentages above are working estimates from our own crosswalk work, not vendor marketing claims. We will show you the actual control-by-control mapping during the Phase 02 gap analysis so you see exactly where one set of evidence does double duty and where it does not.
Certification auditors interview the people who built the program. The biographies below are the team Petronella Technology Group puts on your engagement, the credentials that travel with them, and what they have actually shipped.
ISO/IEC 27001 certificates are issued by accredited certification bodies (sometimes called registrars). Examples include BSI, Schellman, A-LIGN, and TUV. By design, the consulting firm that builds the ISMS cannot also issue the certificate. Petronella Technology Group prepares your organization, supports you through the audit, and remains a long-term partner; the certification body is selected separately. We help you evaluate auditors based on your industry, scope, and budget, and we attend the audit alongside your team to answer questions and manage findings. Our framework explainer walks through how certification bodies operate, the role of accreditation bodies like ANAB and UKAS, and what to look for when you choose yours.
Petronella Technology Group operates from Raleigh, North Carolina. We deliver ISO 27001 consulting nationally with a hybrid model: on-site for the work that has to happen in person, remote for the work that does not, and one project lead who knows your business start to finish.
For clients outside the Carolinas we typically schedule two on-site visits during the engagement: one during Phase 01 discovery and one during Phase 05 internal audit. Everything in between (workshops, document drafts, technical implementation, evidence review) happens via secure video conferencing, screen-share working sessions, and our shared evidence-collection workspace.
For clients in the Raleigh-Durham-Chapel Hill triangle, Charlotte, Greensboro, and the broader North Carolina business community we default to on-site delivery and integrate with your existing IT staff.
For defense, healthcare, and financial-services clients with classification-sensitive workloads, we operate from your facility under your cybersecurity controls and never store sensitive evidence outside your environment.
An ISO 27001 program rarely lives alone. These are the adjacent Petronella Technology Group practices that most commonly attach to a certification engagement.
No reputable consulting firm can guarantee a certification outcome, because the certificate is issued by an independent third-party body that we do not control. What we do guarantee is the work product: every Phase 03 deliverable, every Phase 04 implementation milestone, and the readiness sign-off at the end of Phase 05. Across our ISO 27001 engagements, organizations that follow the program through Phase 05 enter Stage 1 without major nonconformities. If a finding does surface during Stage 1 or Stage 2, we remain on the engagement at no additional fee until it is closed.
Fees vary with scope, organizational size, starting maturity, and the number of in-scope locations or product lines. After Phase 02 (gap analysis) you receive a written fixed-fee proposal covering Phases 03 through 06 with defined deliverables, dates, and an itemized scope. Certification body audit fees are billed by your chosen registrar directly and are not part of our fee. Contact us to start the scoping conversation; Penny will book a 15-minute introductory call with Craig.
Our ISO 27001 framework page describes the standard itself: what ISO 27001 is, the Annex A control catalogue, the Statement of Applicability, the difference between Stage 1 and Stage 2 audits, surveillance and recertification rhythm, and what certification bodies typically charge. This page describes the Petronella Technology Group consulting engagement that takes you from "we should pursue this" to "we are certified and surveillance-ready." If you are still researching the standard, start with the framework page. If you have decided to pursue certification, this is the right page.
Yes. A senior consultant from Petronella Technology Group attends Stage 1 and Stage 2 in person (or by video, depending on auditor preference and your location). We sit with your audit team, manage the document-pull requests, prep interviewees beforehand, and own the findings response. ISO 27001 Clause 9.2 requires that the consultant who built the ISMS is not the consultant who runs your internal audit; we honor that separation organizationally and we will introduce both team members in Phase 01.
A certified ISMS has to be kept alive. Year 1 and Year 2 surveillance audits sample the system; Year 3 recertifies the whole standard. We stay on retainer through the three-year cycle: we run an annual internal audit, refresh the risk register and Statement of Applicability, retest a sample of controls, draft management-review materials, and attend the surveillance and recertification audits. Many clients pair the surveillance retainer with a virtual CISO engagement so the ISMS leadership function is permanently staffed.
Yes, and we recommend it for any organization in the defense supply chain. Approximately 70 percent of Annex A controls map directly to NIST SP 800-171 practices. We run a single control library, a single evidence repository, and a single internal audit cycle that produces both the Statement of Applicability (ISO 27001) and the System Security Plan plus Plan of Action and Milestones (CMMC). The combined engagement typically saves 30 to 40 percent versus running the two programs independently. See CMMC compliance services.
SOC 2 and ISO 27001 serve different markets. SOC 2 is an AICPA attestation primarily recognized in North America. ISO 27001 is an internationally recognized certification. If your customer base is shifting toward international procurement teams, regulated industries, or government agencies, ISO 27001 adds significant commercial value. The good news: approximately 70 percent of your existing SOC 2 control work maps directly to Annex A. We frequently take SOC 2-mature clients to ISO 27001 certification in 4 to 6 months rather than the typical 6 to 12.
We have certified organizations as small as 12 employees and as large as several thousand. The deciding factor is not headcount, it is the commercial pressure to certify. If enterprise procurement teams, government agencies, or international partners are requiring ISO 27001 in your contracts, the certification will pay for itself regardless of organizational size. Smaller organizations actually have an advantage: scope is naturally tighter, communication is faster, and Phase 03 documentation completes in weeks rather than months.
A 30-minute call with Craig produces a real timeline, a real scope, and a written fixed-fee proposal after Phase 02. Petronella Technology Group has been delivering security and compliance programs from 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 since 2002.
