
ISO 27001 certified.

Talk Think Do holds ISO 27001 certification, the international standard for information security management. Our certification is independently audited and covers the full scope of how we manage security across client work, internal systems, and operational processes.


What ISO 27001 means.

ISO 27001 is the internationally recognised standard for information security management systems (ISMS). Published by the International Organization for Standardization, it defines the requirements for establishing, implementing, maintaining, and continually improving a systematic approach to managing information security risks.

Certification requires an independent audit by an accredited certification body. Auditors assess whether an organisation's policies, processes, and controls genuinely meet the standard's requirements, not just whether the documentation says they do. Certification must be renewed through surveillance audits and a full reassessment every three years.

The current version is ISO 27001:2022, which updated the standard to reflect the realities of cloud computing, remote working, and modern threat landscapes. We transitioned to the 2022 standard as part of our most recent recertification.

The standard covers

  • Risk management — Identifying, assessing, and treating information security risks systematically
  • Access control — Who can access what data and systems, and under what conditions
  • Cryptography — Encryption standards for data at rest and in transit
  • Physical and environmental security — Controls on access to physical premises and infrastructure
  • Supplier relationships — How third-party access and data sharing are governed
  • Incident management — How security incidents are identified, reported, and resolved
  • Business continuity — Ensuring operations can continue after a disruptive event
  • Compliance — Meeting legal, regulatory, and contractual security obligations

Why ISO 27001 matters when choosing a software partner.

Your data is handled to a verified standard

Our certification is not self-declared. An accredited third party has audited our controls and confirmed they meet ISO 27001 requirements. When you share client data, system credentials, or commercially sensitive information with us, you have independent assurance that it is being handled properly.

We can satisfy enterprise and public sector due diligence

Many organisations require their software suppliers to hold ISO 27001 certification before they can be approved as a vendor. Our certification removes that barrier. It is a common requirement in enterprise procurement, government frameworks, and regulated industries.

Security is built into our delivery process

ISO 27001 is not just about protecting our own systems. It shapes how we manage access to client environments, how we handle credentials, how we conduct code reviews, and how we respond when something goes wrong. Security is embedded in how we work, not added at the end.

Incidents are managed, not hidden

Our certified ISMS includes documented incident management procedures. If a security incident occurs that affects your data or systems, we have a clear, tested process for identifying, containing, and reporting it, including notification obligations under GDPR.

Supplier risk is managed on your behalf

The standard requires us to assess and manage the security of our own suppliers and subcontractors. Third parties with access to client data or systems are subject to the same level of scrutiny that we apply to ourselves.

Continuous improvement, not a point-in-time snapshot

Certification requires annual surveillance audits and a full reassessment every three years. Our ISMS is a live system that we review and improve continually, not a document written once and filed away.


Questions about our security posture?

We are happy to share our certification documentation, discuss our controls in detail, or complete a security questionnaire as part of your procurement process.
