What we do
We design, implement, and operate information security management systems for South African businesses. The ISMS is the spine of the rest of the security practice — without it, individual security controls are disconnected activities. With it, your organisation can demonstrate, defensibly, that information is being managed as a discipline.
We work to three frameworks: ISO 27001:2022 as the primary international standard, TISAX AL2 for clients with European automotive supply chain obligations, and CIS Controls as the baseline for organisations not yet ready for full certification. POPIA applies across all three.
When organisations need this
Most clients come to us about an ISMS for one of four reasons:
A regulator, insurer, or major client has asked them to demonstrate information security management — formally, with evidence. They have to produce something defensible within a timeframe.
They have decided, internally, that information security needs to be a discipline rather than a series of one-off projects. Usually this follows an incident, a near-miss, or a board-level conversation.
They are pursuing ISO 27001 certification — either for the certificate itself or for the operational discipline it requires.
They are entering a supply chain that requires TISAX AL2, typically as a supplier to European automotive OEMs.
If none of these describe your situation, an ISMS may not be the right starting point. Our advisory work (separate practice area) is often a better entry point — we can help you work out whether you need an ISMS at all, and if so, what scope is appropriate.
How we approach the work
The work falls into roughly four stages. The actual sequence varies — small organisations sometimes compress this into months, larger ones run it across a year or more, depending on scope and existing maturity.
Stage 1 — Understand the organisation. We work with you to define the scope of the ISMS — what it covers, what it does not, and why. We document the context: regulatory obligations, customer requirements, internal commitments, key information assets, the people who matter. This is the foundation. Done badly, the rest of the ISMS will not survive contact with reality. Done properly, it sets the constraints that make every later decision easier.
Stage 2 — Identify and treat risks. We run a structured information security risk assessment, surfacing the actual threats your organisation faces. Each risk is assessed, owned, and either treated, transferred, accepted, or avoided. We document treatment plans against the controls in ISO 27001 Annex A, CIS Controls, or whichever framework is being used. This stage produces the risk register that the ISMS will operate against.
Stage 3 — Implement and document. Policies, processes, procedures, and operating notes are written and embedded. We use a four-tier documentation hierarchy that we apply to our own organisation as well — policy at the top (direction), process below it (how we deliver), procedure below that (specific steps), and operating notes at the bottom (the live, changeable details). The point of this structure is that the ISMS lives in documents that are actually useful, not in a binder that gets opened once a year.
Stage 4 — Operate the system. An ISMS is not a project; it is a system that has to be operated. We run the disciplines that keep it alive — internal audit, management review, risk reassessment, incident learning, control monitoring, training and awareness. For clients without internal capacity, we operate the ISMS as a managed service. For clients with internal capacity, we hand over and provide ongoing advisory support.
If certification is the goal, certification audit support runs alongside stages 3 and 4 — gap assessment, evidence preparation, audit attendance, and corrective action work after findings.
What you get
A working ISMS. That sounds glib, but it is the actual deliverable. Specifically:
A documented scope, context, and statement of applicability.
A populated information security risk register with treatment plans.
Policies, processes, procedures, and operating notes covering the controls in scope.
A working set of operational disciplines — audits, reviews, awareness, incident response — with evidence trails.
Where applicable, certification readiness or maintained certification.
For clients moving toward ISO 27001 or TISAX certification, the deliverable also includes pre-audit gap assessment, audit support during the certification engagement, and post-audit corrective action work.
For clients on a managed ISMS arrangement, the deliverable is the ongoing operation of the system — month after month, year after year. The ISMS is not a thing you finish.
A note on independence and offensive testing
ISO 27001 Annex A includes controls that are best evidenced through independent testing — particularly A.8.8 (technical vulnerability management) and the broader expectation of ongoing assurance. Where the ISMS implementation calls for penetration testing, vulnerability assessments at audit grade, or other offensive security work, we arrange this through trusted independent partners.
We do not perform offensive testing ourselves. This is deliberate. A practice that designs and operates the controls cannot also independently test them — the assurance value is undermined by the conflict. Our blue-team-only posture is what makes the test results defensible to your auditor, your insurer, or the customer commissioning the assurance.
Who this is for
Owner-led and owner-managed organisations in regulated or supply-chain-sensitive sectors. We have implemented this work most often in manufacturing, insurance, finance, legal, and retail.
Specifically, this practice is for organisations where information has compliance and operational consequence — where a breach, a regulator visit, or a customer audit is a realistic possibility. It is for organisations that have decided, internally, that information security needs to be a managed discipline rather than an ad-hoc activity.
It is not for organisations looking for the cheapest route to a logo on a wall. ISO 27001 done as a certification exercise without operational substance is worse than not doing it — when audited rigorously, it produces evidence that nothing is governed. We will not help with that work.
How we work with you
This is engagement work, not service-catalogue work. The shape of each engagement depends on where you start and what you are trying to reach. A typical pattern is a defined-scope project for stages 1 to 3 (the design and implementation work), followed by a retainer for stage 4 (the ongoing operation).
We work alongside internal teams where they exist. Many clients have an internal IT manager, compliance officer, or risk function — we bring the framework depth and discipline; they bring the organisational knowledge. The ISMS that results is owned by the client, not us. We do the work; you can see how it is done; we leave you better able to defend it.
If you do not have internal capacity to operate the system after implementation, we operate it for you under a managed ISMS arrangement. Most clients fall somewhere between the two — internal ownership with our ongoing support.
What it looks like in practice
We apply the same disciplines to ourselves that we recommend to clients. WR360 operates its own ISMS, aligned to ISO 27001:2022 and TISAX AL2. Our internal four-tier documentation hierarchy is the same one we deploy with clients. Our internal audit, management review, and incident response procedures are the same ones we will help you implement.
This is not a boast. It is a constraint. We do not recommend disciplines we have not lived inside ourselves. The advice we give is shaped by the work we do every day to keep our own practice secure, governed, and operational.
A few honest things to know
ISMS work is not fast. The stage 1 and 2 work alone usually takes weeks to months — sometimes longer for larger organisations. Stage 3 implementation is several months at minimum. Certification, where pursued, adds time. Anyone promising you a certified ISMS in a few weeks is selling you a binder, not a system.
The work also requires real participation from your side. We can write the documents. We can design the controls. We cannot decide what your organisation values, what risks it will accept, or who internally owns information security — those are your decisions, and the ISMS only works if you make them.
We will tell you when the work cannot succeed in the form you have asked for, and what we recommend instead. This sometimes leads to conversations clients did not expect to have. That is the practice working as intended.
What this connects to
An ISMS does not exist in isolation. It frames the rest of the security practice:
Advisory and Architecture brings security thinking into decisions before they become commitments — the work that happens before scope is defined.
Technology Operations is where the day-to-day technology environment runs. The ISMS sets the controls; operations applies them.
Continuity and Recovery is one of the operational outcomes the ISMS protects — backup, archiving, and disaster recovery as governed disciplines, not just tools.
Monitoring and Response is the visibility layer that tells the ISMS whether it is working — alerting, incident response, and the evidence trail that supports the management review.
Procurement is how technology, licensing, and supplier arrangements come into the practice in a way the ISMS can actually govern.
We can deliver an ISMS without delivering the rest. Most engagements do start with the ISMS alone. But the value compounds when the practice is operated as a whole.
Want to talk?
The fastest way to start is a conversation. Tell us a bit about your organisation, why you are looking at this now, and what you are trying to reach. We will read it carefully and reply.