ISO 27001 IT Management for Creatives

More agencies are being asked to prove how they handle client data. We help you put the right IT controls in place and keep them working.

Logo ISO 27001

A quick summary

ISO 27001 is an internationally recognised information security standard. Achieving certification tells clients, procurement teams and prospects that your organisation handles data responsibly across your systems, people and processes.

Think of it as a driving test for your IT. There are requirements to meet, an examiner to pass, and a certificate that proves you did it properly. Our role is the driving instructor: we get you ready for the test.

Cubit handles the IT controls side of ISO 27001. We help creative and communications agencies put those controls in place, keep them maintained, and make sure they hold up when it matters. Certification itself is carried out by an accredited certification body. We work alongside them.

If you are already a Cubit client, you are likely closer to certification-ready than you think. Good IT management is the foundation. ISO 27001 is the formal layer on top. It’s the documentation and evidence that demonstrates you have done this properly.

What does ISO 27001 actually cover?

ISO 27001 is risk-based. You identify what information you are trying to protect, where it lives, who can access it, and what could go wrong. You then put controls in place to reduce that risk to an acceptable level, and then document it so it can be independently verified. From an IT perspective, that typically includes:

User
Access Control

Device & Endpoint
Security

Backups & Recovery
Processes

Logging, Monitoring &
Incident Response

Supplier &
Third-Party Access

Documented Procedures
& Evidence

See how ISO27001 can help make your business more secure

Where organisations typically have gaps

Common issues we find

  • Shared user accounts and unclear ownership
  • Leavers not fully removed from systems
  • Inconsistent security across laptops and mobiles
  • Controls that exist in theory but not in practice
  • No reliable evidence trail for audits

Agency environments add complexity:

  • Freelancers joining and leaving regularly
  • Multiple collaboration tools in use simultaneously
  • Client data spread across platforms and services

How Cubit supports ISO 27001

Our role is the driving instructor. We prepare you for the test. Here is how the process works:

1. Documented management system

We help you build the formal documentation ISO 27001 requires: an information security policy, documented procedures, and a management framework that demonstrates your organisation takes security seriously.

2. Implementing the controls

We review your current IT setup against ISO 27001 requirements and implement or improve the technical controls, i.e. access management, device security, backups, logging, and everything else the standard expects to see in place.

3. Internal audits and management review

Before you face the examiner, we help you check your own work. Internal audits and management reviews confirm that controls are working as intended and that you have the evidence to prove it. If an internal audit flags something that would cause a failure at certification, we fix it before you go anywhere near the real audit. You only go forward once we are confident you will pass.

4. Certification

The formal certification audit is carried out by an accredited certification body, not by Cubit. But we do not disappear once the audit starts. We support you through the audit itself, on hand to answer technical questions and resolve anything that comes up on the day.

What we don’t do

  • We do not certify or audit
  • We do not issue ISO 27001 certificates
  • We work alongside accredited certification bodies. They conduct the formal test, we do the preparation, and we stay involved right through the audit itself

What do you get?

Clients typically end up with:

  • A clear, documented information security management system
  • Asset and device inventories that are accurate and maintained
  • Consistent security controls across all users and devices
  • Repeatable onboarding and offboarding processes
  • An evidence pack that holds up under audit

Next steps?

Already a Cubit client?

If we are already managing your IT, you are likely further along than you think. The technical controls ISO 27001 expects, device security, access management, backups and logging, are things we will already have in place. Getting certified is largely about documenting and evidencing what is already there. Talk to us about where you stand.

 

Starting from scratch?

We will assess your current IT setup against ISO 27001 requirements, work through what needs to change, and support you all the way to certification. A short call with Ralph is the best place to start.

Frequently Asked Questions

Do you provide ISO 27001 certification?

No. We provide IT support and implementation, putting the technical controls in place and keeping them working. Certification is carried out by accredited certification bodies. We work alongside them to make sure you are ready, and we will not put you forward for certification until our internal audits confirm you are ready to pass.

How long does ISO 27001 certification take?

Three to six months is a realistic timeframe for most agencies. Under three months is very difficult as the process involves building documentation, implementing controls, running internal audits, and then going through a two-stage certification audit. If your IT is already well-managed, you are starting from a stronger position and the timeline can be towards the shorter end.

Does ISO 27001 certification need to be renewed?

Yes. Certification is maintained through annual surveillance audits, with a full re-certification every three years. The annual cycle is part of what makes the certificate credible. Clients and procurement teams know that an independent assessor has reviewed your controls within the last twelve months, so they do not need to audit you themselves.

What is a UKAS-accredited certification body?

UKAS (United Kingdom Accreditation Service) accredits the organisations authorised to carry out ISO certification audits. When an ISO 27001 certificate carries the UKAS mark, it means the certification was conducted by a body that has itself been independently assessed. When choosing a certification body, always look for UKAS accreditation as not all organisations offering ISO certificates carry it.

What is the difference between ISO 27001 and Cyber Essentials?

They serve different purposes. Cyber Essentials is a government-backed scheme focused on a defined set of basic technical controls, primarily to guard against common cyber attacks. ISO 27001 is broader and risk-based: you identify the specific threats and vulnerabilities relevant to your organisation and put controls in place accordingly. Many agencies pursue both. If you already have Cyber Essentials, you have a solid foundation to build on.

Does ISO 27001 change over time?

Infrequently. The standard was last updated in 2022 and typically evolves on a five-to-ten year cycle. It is considerably more stable than frameworks like Cyber Essentials, which update more regularly in response to the changing threat landscape.

What if we do not have ISO 27001 yet - can we still win contracts that ask for it?

Sometimes, particularly if you can demonstrate that certification is in progress or that equivalent controls are in place. The honest answer is that the standard is becoming more common as a procurement requirement, particularly for agencies working with larger brands or public-sector adjacent clients. Starting the process now puts you ahead of the curve.