ADL Consulting Passes Its ISO 27001 Recertification
June 29th, 2026
Most ISO 27001 consultants have never been audited against the standard they sell. We think that's a problem. So once again, we volunteered for it.
There's an awkward question we like to ask people who advise on ISO 27001 for a living: are you certified yourselves?
It lands awkwardly because, for most consultancies, the honest answer is no. They'll help you build an Information Security Management System, walk you to the audit door, wish you luck, and then go home to a business that has never been held to the same standard. It's a bit like a personal trainer who has never set foot in a gym.
We have just been through our ISO 27001 recertification audit. We passed, our certificate stands, and we remain part of the surprisingly small group of ISO 27001 consultancies that have actually done the thing we help everyone else do.
Here's why that matters more than it might first appear.
ISO 27001 isn't a badge you earn once and frame on the wall. The certificate runs on a three-year cycle. You get your initial certification, then surveillance audits in the years between, then a full recertification audit at the end of the cycle to prove the whole system is still alive, still working, and still improving.
Our audit was carried out by ISOQAR, a UKAS-accredited certification body (our certificate number is 22955, if you ever feel like checking). UKAS accreditation is the part that gives the certificate its weight. It means the people auditing us are themselves held to a recognised national standard, so the result isn't a participation trophy we handed ourselves. It's an independent verdict.
The assessor's job was to answer, on your behalf, the three questions that sit at the heart of the standard:
What are your information security risks?
What are you actually doing about them?
And how do you know it's working?
Plenty of organisations can answer the first two with a confident slide deck. The third is where systems either hold up or fall over, because it demands evidence, not intention. We're pleased to say ours held up.
We could give the cynical answer, which is that holding the certification is good for business. It is. But that's not really why we do it.
We spend most of the year sitting next to clients as they prepare for this exact audit. We know precisely how it feels: the slightly-too-warm meeting room, the assessor working through your evidence, the small voice in your head wondering whether that one policy you reworked back in March is going to hold. Going through it ourselves, year after year, keeps us in that chair. It keeps us honest.
It also means every recommendation we make has been road-tested in our own business first. When we tell a client that a control can be lightweight, or that a policy doesn't need to be twelve pages long to be effective, we're not theorising. We're describing something we've already run, audited, and defended.
If we asked you to meet a standard we weren't willing to meet ourselves, why on earth would you trust us?
ISO 27001 has a reputation for being heavy. Paperwork marathons, management overhead, a system so cumbersome that maintaining it becomes a job in itself. We've audited plenty of those systems, and we understand exactly where the bad reputation comes from.
But that overhead is almost always a symptom of a system built badly, not of the standard itself. A well-built ISMS should make your business easier to run, not harder. It should hand you useful management information, surface the risks that matter, and quietly get out of your way the rest of the time.
That philosophy is the thing our clients tend to remark on. As Richard Abbots, CEO of Inventory Hive, put it:
Working with ADL was fantastic, I just wish we'd found them before we ever started ISO 27001! Whilst we've had ISO 27001 for coming up on 3 years, I feel like we finally now understand what we're supposed to be doing and why.
That word "why" comes up again and again. Leanne Mennie, Operations & HR Director at Preact, described it like this:
Andy guided and mentored us through the entire engagement, going over and above to ensure that we not only understood what we were doing at every step of the way but most importantly WHY we were doing it... who knew ISO 27001 could be so enjoyable!
We'll take "enjoyable ISO 27001" as one of the higher compliments in our line of work.
A recertification audit is exactly the moment you find out whether your consultant built you something durable or something that merely passed once. The clients we're proudest of are the ones who sail through their surveillance and recertification audits long after the initial certificate, because the system was built to last.
Damon Witherick, Director of Infrastructure and Operations at Redgate Software, summed up the relationship side of it:
ADL have been our ISO 27001 consultants supporting our implementation for the past 18 months. Their expertise and guidance were invaluable to our success, and we even consider them token Redgaters! I cannot recommend ADL highly enough.
And for smaller businesses, where there's no dedicated compliance team to lean on, that support can be the difference between getting there and giving up. Emma Spencer, a Commercial Manager who came to us needing to migrate her ISMS, transition to the 2022 standard, and introduce ISO 9001 on a tight timeline, told us:
It seemed like an impossible task in such a short space of time, but ADL made it happen seamlessly... As a small business, we could not have got to where we have without them.
One last thing worth saying. We work with businesses across the UK and well beyond it, from small software firms to enterprises, with a particular soft spot for technology companies. But we're a Leicestershire business at heart, founded here and still based here, and we're proud of the depth of technology and security talent in this region.
You don't have to be down the road from us to work with us. But if you are, do say hello.
Recertification is the real test. Anyone can pass once. Holding ISO 27001 across a full three-year cycle, through surveillance and recertification audits, is what proves a system actually works.
Ask your consultant if they're certified. Most aren't. The ones who are have skin in the game and have tested their own advice before giving it to you.
UKAS accreditation matters. An audit from a UKAS-accredited body like ISOQAR is an independent verdict, not a self-awarded badge.
A good ISMS is light, not heavy. Management overhead is a symptom of a poorly built system, not an inevitable feature of the standard.
The "why" is everything. Understanding why a control exists is what turns compliance from a chore into a genuine business improvement.
Whether you're starting from scratch, dreading a recertification of your own, or quietly suspecting your current system is heavier than it needs to be, we'd love to talk. We build information security management systems that are light-touch, practical, and simple enough to run yourself, and we try to make the whole thing rather more enjoyable than its reputation suggests.
Head to https://www.adlconsulting.co.uk/contact and let's start the conversation.