ISO 27001 Certification & ISMS Consulting in Belgium
Get certification-ready without the overhead. We build a right-sized ISO/IEC 27001:2022 ISMS — risk-based, audit-ready, and integrated with your NIS2, GDPR and DORA obligations — guided by an ISO 27001 Lead Auditor.
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS) and the certification most often demanded in tenders and supplier due-diligence. The 2022 revision restructured Annex A into 93 controls across four themes — organizational, people, physical and technological — and introduced new controls such as threat intelligence, secure coding and cloud security. ICTLAB helps Belgian organizations design, implement and operate a right-sized ISMS, from scoping and risk assessment to the Statement of Applicability and internal audit, then supports you through the Stage 1 and Stage 2 audits performed by an accredited certification body. Because ISO 27001 overlaps with NIS2, GDPR and DORA, we build one coherent management system that satisfies several obligations at once — guided by an ISO 27001 Lead Auditor.
What We Deliver
ISMS Scoping & Gap Analysis
Definition of the ISMS scope and a control-by-control gap analysis against ISO/IEC 27001:2022 with a prioritized remediation backlog.
Risk Assessment & Treatment Plan
A documented information-security risk assessment and risk treatment plan that drives control selection and residual-risk acceptance.
Statement of Applicability & Annex A Controls
A complete Statement of Applicability justifying each of the 93 Annex A controls, with implementation guidance for the selected ones.
ISMS Documentation Set
The mandatory policies, procedures and records ISO 27001 requires — information security policy, access control, supplier security, incident management and more.
Internal Audit & Management Review
An independent internal audit and a structured management review to confirm the ISMS is effective and ready for certification.
Certification Audit Support (Stage 1 & 2)
Hands-on support before and during the Stage 1 and Stage 2 audits performed by your accredited certification body, including nonconformity remediation.
How We Work
Scoping & Gap Analysis
Agree the ISMS scope and assess current controls against ISO/IEC 27001:2022 to identify gaps and quick wins.
Risk Assessment & Treatment
Run the information-security risk assessment, decide treatments, and select Annex A controls accordingly.
ISMS Implementation
Develop policies and procedures, deploy the selected controls, and embed the ISMS into day-to-day operations.
Internal Audit & Management Review
Perform the internal audit, run the management review, and close nonconformities before the certification audit.
Certification Audit Support
Support the Stage 1 and Stage 2 audits with the accredited body and help resolve any findings.
Continual Improvement
Maintain the ISMS through surveillance audits, corrective actions and ongoing improvement of controls.
Frequently Asked Questions
How long does ISO 27001 certification take?
For most SMEs, a first certification takes roughly 4 to 9 months depending on scope, existing maturity and resource availability. We can accelerate it with a focused scope and a pragmatic, risk-based ISMS.
How much does ISO 27001 certification cost?
Our consulting for gap analysis and ISMS implementation typically ranges from €15,000 to €60,000+ depending on scope and maturity. The certification-body audit fees are separate and billed directly by the accredited body.
ISO 27001:2022 vs 2013 — what changed?
The 2022 version reorganized Annex A from 114 controls into 93 across four themes (organizational, people, physical, technological) and added 11 new controls, including threat intelligence, information security for cloud services, and secure coding. Organizations already certified against the 2013 edition were given a transition period to migrate.
Does ISO 27001 help with NIS2, GDPR and DORA?
Yes. ISO 27001 controls map closely to NIS2 risk-management measures, support GDPR's security obligations, and provide a strong base for DORA's ICT risk framework. A single ISMS can evidence large parts of all three.
Do you issue the ISO 27001 certificate?
No — the certificate is issued by an independent accredited certification body, which keeps the process credible. We prepare your ISMS, run the internal audit, and support you through the body's Stage 1 and Stage 2 audits.