Know exactly where your security controls stand — against the frameworks that matter to your customers, regulators, and board. Paragon audits with rigour, and reports with clarity.
Whether you're pursuing certification, satisfying a customer requirement, or simply want an honest picture of your security posture — we have the audit for it.
Gap analysis, internal audit, and certification readiness assessment against ISO/IEC 27001:2022. We support you through the full ISMS audit cycle — from initial scoping to surveillance and recertification.
Pre-assessment readiness review and technical verification for Cyber Essentials and Cyber Essentials Plus. We identify gaps before the assessor does — maximising your first-time pass rate.
Structured maturity assessment against the NIST Cybersecurity Framework — covering Identify, Protect, Detect, Respond, and Recover functions with a scored current-state vs target-state profile.
Readiness assessment against SOC 2 Trust Services Criteria — identifying control gaps across Security, Availability, Confidentiality, Processing Integrity, and Privacy before your formal audit.
Gap analysis and readiness assessment against PCI DSS v4.0 requirements — covering cardholder data environment scoping, control effectiveness, and SAQ/ROC preparation support.
On-site or remote audit of your suppliers, partners, and third parties — assessing whether their security controls meet your requirements and contractual obligations.
Every audit begins with an honest maturity assessment. We score your organisation across five levels — giving you a clear, benchmark-comparable picture of your current security posture before we recommend anything.
Security practices are informal, undocumented, and inconsistently applied. Reactive to incidents.
Some policies and procedures exist but are inconsistently applied across the organisation.
Controls are documented, consistently applied, and aligned to a recognised framework.
Controls are monitored, metrics are tracked, and security decisions are data-driven.
Security is proactively improved, threat-intelligence driven, and embedded in culture.
Our ISO 27001 audits cover all 93 controls across 4 themes and 11 clauses of ISO/IEC 27001:2022. Here's an overview of what's assessed.
| Domain | Clause / Annex | Key Controls Assessed | Coverage |
|---|---|---|---|
| Organisational Controls | Annex A.5 | Policies, roles, responsibilities, supplier relationships, incident management | Full |
| People Controls | Annex A.6 | Screening, terms of employment, awareness, disciplinary process, remote working | Full |
| Physical Controls | Annex A.7 | Physical perimeters, entry controls, desk/screen, equipment security, clear desk | Full |
| Technological Controls | Annex A.8 | Access control, malware, logging, vulnerability mgmt, network security, data masking | Full |
| Leadership & Context | Clauses 4–6 | Context of the organisation, interested parties, scope, leadership commitment, policy | Full |
| Risk Management | Clauses 6 & 8 | Risk assessment methodology, risk register, treatment plan, Statement of Applicability | Full |
| Performance & Improvement | Clauses 9–10 | Internal audit programme, management review, nonconformities, continual improvement | Full |
We don't just hand you a list of failures. Every audit concludes with a prioritised, actionable improvement plan and hands-on support to help you address findings — not leave you alone with a report.
We agree the audit scope, objectives, and methodology. For ISO 27001 this includes defining the ISMS boundary and identifying applicable controls.
1–2 Days
Assessment of your policies, procedures, risk registers, and evidence documentation against the target framework's requirements.
2–5 Days
Structured interviews with key personnel to verify that documented controls are understood and applied in practice — not just on paper.
1–3 Days
Where applicable, technical controls are verified — configuration reviews, log sampling, access control testing, and patch status checks.
1–2 Days
Full audit report with findings rated by severity, a prioritised remediation roadmap, and an executive summary suitable for board-level presentation.
Delivered within 5 days
Every engagement delivers a suite of documents designed to satisfy auditors, inform your leadership, and guide your remediation team.
Full findings document — conformities, non-conformities, and observations — mapped to the framework and rated by severity.
Board-ready one-pager covering overall maturity score, key risks, compliance status, and recommended investment priorities.
Domain-by-domain maturity scoring with current state vs target state, benchmarked against industry peers where available.
Prioritised improvement plan with effort estimates, ownership guidance, and quick wins identified for immediate action.
Live walkthrough of findings with your team — answering questions, clarifying priorities, and confirming next steps.
30-day access to your auditor for follow-up questions, evidence queries, and guidance as you begin addressing findings.
Scope is agreed upfront and the price is fixed. No day-rate uncertainty, no surprise extras.
Snapshot assessment against a single framework
Complete internal audit — certification-grade evidence
Annual internal audit cycle — retainer model
An internal audit (like the one Paragon conducts) assesses your own ISMS or security controls against the standard — it's a requirement of ISO 27001 and serves as your readiness check before engaging a certification body. The certification audit is conducted by an accredited third-party certification body (such as BSI, Alcumus, or LRQA) who issues the certificate. Paragon prepares you for the certification audit and can support you through it, but we are not the certification body.
For a typical SME with a defined ISMS scope, a full internal audit takes 5–8 days of auditor time — spread across document review, interviews, and technical checks. Larger or more complex environments may require more time. We agree the programme plan at scoping stage so there are no surprises.
Yes. We regularly support organisations through their annual surveillance audits and three-year recertification cycles. This includes reviewing any changes to your ISMS since the last audit, updating your risk register and SoA, conducting a pre-surveillance internal audit, and liaising with your certification body on your behalf.
Yes — our audit reports are written to a professional standard and are widely accepted by enterprise customers, procurement teams, and regulators as evidence of security assessment. For formal third-party assurance, ISO 27001 certification from an accredited body remains the gold standard, and our reports explicitly support the path to achieving that.
Yes — and we strongly recommend it where there is meaningful overlap. ISO 27001 and NIST CSF share significant common ground, as do ISO 27001 and SOC 2. A combined audit avoids duplicating interviews and evidence collection, reducing the time and cost burden on your team while delivering coverage against multiple frameworks simultaneously.
Book a free consultation and we'll outline exactly which controls need attention before your next audit or certification assessment.