How we support you
Depending on your starting point, we support organisations in four clearly defined roles: from initial design to independent assurance and future-oriented development.
We help organisations strengthen information security through clear governance, risk-based prioritisation and practical control integration. This includes designing and improving ISMS structures, embedding security into operational processes, clarifying ownership and evidence, and creating an approach that supports assurance, audit readiness and effective decision-making.
01 Design
Establishing clear security governance and control structures
Information security governance and policy framework design
Definition of roles, responsibilities and decision rights
Risk assessment methodology and risk treatment approach
Security architecture and control design
Integration into existing management systems (e.g. QMS, privacy, AI governance)
Design of documentation and evidence structures
02 Operate
Making information security work in daily practice
Information security risk assessments and regular updates
Implementation of security controls and procedures
Supplier and third-party security requirements and onboarding
Incident and vulnerability handling processes
Security awareness and role enablement
Operational support for ISMS processes
03 Assure
Providing confidence and audit readiness
Independent reviews of information security governance
Control effectiveness and implementation checks
Internal audits (ISO/IEC 27001 or integrated systems)
Supplier and third-party security reviews
Audit readiness assessments and preparation support
04 Evolve
Keeping security effective as risks and environments change
Continuous risk monitoring and reassessment
Maturity assessments and improvement roadmaps
Integration of new regulatory or contractual requirements
Scenario analysis for emerging threats
Executive sparring on strategic security decisions
Typical situations and challenges
Organisations typically contact us when one or more of the following situations arise.
Information security responsibilities and decision rights are unclear
Management lacks transparency over security risks and priorities
Security controls exist, but are not consistently implemented or monitored
Audit findings or customer questionnaires highlight gaps in security governance
Increasing reliance on cloud services, suppliers or third parties
Preparation for certification or re-certification (e.g. ISO/IEC 27001)
Incidents or near misses reveal weaknesses in processes or controls
Typical starting points for engagement
Engagements often start with a focused assessment or review, such as the following.
Information security risk assessment
ISMS design or review (ISO/IEC 27001)
ISO/IEC 27001 certification readiness assessment
Supplier and third-party security review
Security policy and documentation review
Why Halderstone
Our approach
We focus on information security that works in practice, not theoretical control catalogues
Strong experience with management system implementation and audits
Clear separation between design, operation and assurance
Independent, technology-agnostic perspective
Suitable for both smaller organisations and complex, regulated environments
What we deliberately do not do
Sell or implement security tools or products
Provide generic, checklist-driven security programmes
