
ISO 27001 Readiness Programme

Get certified. Win the contracts that require it.

The problem

ISO 27001 certification is increasingly a prerequisite for doing business with international clients, enterprise procurement teams, development finance institutions, and BoT-licensed financial partners. Most Tanzanian SMEs that need certification don't know where to start: the standard's requirements span seven auditable clauses and 93 Annex A controls, the documentation and evidence burden is significant, and the path from 'we should get certified' to 'we are certified' is rarely clear. Without a structured readiness programme, businesses either stall before they begin or invest months of effort only to fail the certification audit.

Our methodology

  • ISO 27001:2022 gap assessment — map your current controls against all 93 Annex A controls and the management-system requirements of clauses 4 to 10 of the standard
  • ISMS scope definition — determine what systems, processes, and locations fall within certification scope
  • Risk assessment methodology design and execution — identify, rate, and treat information security risks in a format that satisfies ISO 27001 clauses 6.1.2 (risk assessment) and 6.1.3 (risk treatment)
  • Statement of Applicability (SoA) — document which controls are applicable, which are excluded, and why
  • ISMS documentation build — policies, procedures, and records required by the standard (Information Security Policy, Acceptable Use, Access Control, Incident Management, Business Continuity, and more)
  • Controls implementation support — hands-on assistance implementing the technical and organisational controls identified in the SoA
  • Internal audit — simulate the certification audit before it happens, identify gaps, and remediate
  • Certification audit support — liaise with your chosen accredited certification body (BSI, SGS, Bureau Veritas, or equivalent), prepare your team, respond to audit findings

What you will receive

  • ISO 27001:2022 gap assessment report with clause-by-clause findings
  • ISMS scope document
  • Risk register and risk treatment plan
  • Statement of Applicability
  • Full ISMS documentation set (policies and procedures)
  • Internal audit report with findings and remediation actions
  • Certification readiness report
  • Ongoing support through the certification audit

Estimated timeline

3–6 months for most SMEs, depending on starting point and internal capacity. Certification itself is granted by an accredited third-party body, not Hawrat Cyber.

Overview

ISO 27001 is the international standard for information security management. Certification demonstrates to clients, partners, and regulators that your organisation manages information security systematically — not reactively. For Tanzanian businesses pursuing international contracts, fintech licensing, or partnerships with enterprise clients, it is increasingly the price of entry.

The readiness programme takes you from your current state to certification-ready, with a structured methodology that avoids the two most common failure modes: over-documentation without implementation, and implementation without documentation.

Why ISO 27001 Now

The demand for ISO 27001 certification among Tanzanian and East African businesses is accelerating, driven by three forces:

International contracting — Development finance institutions, INGO procurement teams, and enterprise clients increasingly require ISO 27001 certification in their vendor due diligence. Without it, Tanzanian businesses are disqualified before the conversation begins.

Fintech and financial services licensing — The Bank of Tanzania's cybersecurity guidelines and the increasing alignment of Tanzanian financial regulation with international standards mean that structured information security management, the substance of ISO 27001, is expected of licensed institutions.

Supply chain security requirements — As large regional and international businesses tighten their third-party risk requirements, SME suppliers are being asked to demonstrate security credentials. ISO 27001 is the most widely recognised credential to provide.

The Readiness Pathway

Phase 1: Understand where you stand (Weeks 1–3)

Gap assessment against ISO 27001:2022. You receive a clear picture of which clauses and controls you already satisfy, which are partially met, and which require significant work. Scope is defined: we agree precisely what systems, processes, and organisational units will be in scope for certification.

Phase 2: Build the management system (Weeks 4–10)

Risk assessment and treatment. Statement of Applicability. The ISMS documentation set: every policy and procedure the standard requires, written for your organisation, not copied from a generic template.

Phase 3: Implement and evidence (Weeks 8–16)

Controls implementation with your internal team. We support the technical implementation (access control, vulnerability management, logging, backup, encryption where required) and the organisational measures (training, supplier agreements, review cycles). Evidence that the controls are operating is collected and structured for the audit.

Phase 4: Internal audit and certification (Weeks 14–20)

Internal audit simulates the certification audit. Findings are remediated. The certification body audit proceeds, and we support your team throughout. Certification is issued by the certification body on successful audit completion.

Certification body fees (not included in our fee)

Certification body fees are separate from our engagement fee and are paid directly to the certification body you choose. For an SME, expect certification body fees of approximately USD 2,000–5,000 for the initial certification audit (Stage 1 + Stage 2), depending on scope and certifier. A certificate is valid for a three-year cycle: annual surveillance audits, which are typically cheaper than the initial audit, follow in years one and two, and a recertification audit is due in year three. We can recommend accredited certification bodies operating in East Africa.

Frequently asked questions

Does Hawrat Cyber grant the ISO 27001 certificate?

No, and this distinction matters. ISO 27001 certification is granted by an accredited certification body (such as BSI, SGS, Bureau Veritas, or a UKAS/DAkkS-accredited local equivalent). Hawrat Cyber prepares your organisation to pass that audit: we build the documentation, support the implementation of the controls, and run an internal audit before the real thing. Think of us as the team that gets you ready for the exam; the certification body sets and marks it.

How long does certification take from scratch?

For a focused SME with 10–50 staff and a defined ISMS scope, the readiness programme typically runs 3–6 months. This includes the gap assessment, documentation build, controls implementation, and internal audit. The certification body's audit typically adds 4–8 weeks on top. Organisations with more complex environments, multiple locations, or significant control gaps may take longer. We will give you a realistic timeline after the initial gap assessment.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

ISO 27001:2022 is the current version of the standard. It introduced a restructured Annex A with 93 controls, grouped into organisational, people, physical, and technological themes (down from 114 controls in 2013, with 11 new controls covering cloud services, threat intelligence, data masking, and more). If you are starting your certification journey now, you should target the 2022 version. If you are already certified to 2013, you have a transition deadline, and your certification body will advise on it. We work exclusively with the 2022 standard.

Can a very small business (5–10 people) get ISO 27001 certified?

Yes. The standard is scalable. A 5-person fintech with a narrow ISMS scope (e.g., your SaaS platform and the systems that support it) can achieve certification. The documentation burden is proportionate to your scope. We have seen small organisations achieve certification in under 4 months with focused effort.

Does ISO 27001 certification help with Tanzania PDPA compliance?

Significantly. ISO 27001 addresses the technical and organisational security measures that underpin PDPA compliance. Completing an ISO 27001 readiness programme will also advance your PDPA posture considerably, particularly around access control, incident response, and third-party risk. It does not, however, cover the purely legal obligations of the PDPA, such as the lawful basis for processing and data subject rights, so certification alone is not evidence of PDPA compliance. We integrate PDPA alignment into the programme wherever the two overlap, so you are not doing the work twice.

Ready to get started?

All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.