Intellix IT Solutions
For ISO 27001 Lead Implementers, Auditors & Consultants

External Technical-Controls Validation for ISO 27001 Engagements.

ISO 27001 work is governance-led — the ISMS, the risk assessment, the Statement of Applicability, the evidence pack. But several Annex A controls are technical and externally observable: an auditor on a certification or surveillance visit can assess them from the public internet in minutes.

Where a client's external posture doesn't match the controls claimed in their SoA, that gap surfaces at exactly the wrong moment. We are the external technical-validation layer that sits alongside your governance engagement — and we do not compete for the certification work.

Non-intrusive · permission-based · scope letter signed before any traffic is sent · zero internal-system access.

At a glance

External-only, permission-based, non-intrusive — never touches the client's internal estate.

Evidence pack mapped to Annex A — control reference, SoA touch-point, confidence rating, remediation owner.

Referral-safe. We do not provide ISMS documentation, governance consultancy or certification services. We will not pitch your client.

Practitioner team — Asif Khan is a member of the British Computer Society (MBCS) and the Data Protection Officers Association of Ireland (DPOA).

Who this is for

Three referral patterns. One disclaimer.

Lead Implementer, internal auditor, or boutique cybersecurity consultancy — the engagement shape varies, the principle does not. We extend your governance engagement, we do not replace any part of it.

Lead Implementers

You're driving a client through their first ISO 27001 certification. The ISMS, the SoA and the risk treatment plan are yours. You'd rather not own the externally-observable technical-controls evidence pack yourself — that's where we sit.

Internal & External Auditors

You need an independent technical view of the public-facing controls before a stage 2 or surveillance audit. Our evidence pack maps each finding to the Annex A control it touches and the SoA claim it would support or contradict.

Boutique ISO 27001 Consultancies

Your billable time is governance and ISMS work. The external technical-controls validation is real work but not your highest-value hour. White-label or co-branded — whichever your client prefers.

Where the gap appears

When the SoA and the live posture drift apart.

The three patterns below are the ones that surface most often in a stage 2 or surveillance walk-through. None require internal access to detect. All are externally observable in minutes by a competent auditor.

Posture doesn't match the Statement of Applicability

The SoA declares A.8.24 in scope; the live TLS configuration negotiates a TLS 1.0 fallback on a subdomain nobody remembers. The auditor finds it in ninety seconds. We find it three months before the auditor does.

DMARC at p=none with the impersonation control claimed implemented

The ISMS claims email authentication is in place; DNS says the published policy is enforcement-off. A surveillance audit is the wrong moment to discover this. It surfaces in a five-minute external check.

Subdomain inventory and SoA scope drift apart

Six months after certification, marketing stands up a new subdomain for a campaign. It's outside the maintained scope, runs on an unmanaged platform, exposes a different cipher profile. The certification body asks about it. The consultant doesn't have an answer ready.

Annex A controls covered

Specific controls. Specific evidence.

We are explicit about which Annex A controls our external assessment evidences — and equally explicit about which we don't. Governance, training, supplier-management and physical-controls evidence remains the consultant's domain.

A.5.31

Legal, statutory, regulatory & contractual

Public posture vs. privacy notice, DPIA evidence trail, contractual undertakings to clients regarding TLS / data-in-transit.

A.8.9

Configuration management

TLS configuration, security headers, CDN posture, CMS hardening — externally fingerprintable today, evidenced today.

A.8.20

Networks security

DNS posture, public exposure of administrative paths, subdomain inventory, segregation of public vs. management surfaces.

A.8.23

Web filtering

Outbound CSP / referrer policy / frame-ancestors as evidenced on every page — not as documented, as actually served.

A.8.24

Use of cryptography

TLS version negotiation, cipher suite quality, HSTS configuration, certificate chain validation, CT log presence.

A.5.14 · A.8.21

Email authentication & information transfer

SPF lookup budget, DKIM selectors for every active sender, DMARC enforcement, MTA-STS / TLS-RPT posture, look-alike risk.

Annex A control references above use ISO/IEC 27001:2022. Older 2013/2017 mappings available on request — our evidence-pack template carries the matching reference for legacy SoAs still in surveillance.
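As an added example, not Intellix's own engine, of two of the external checks described above (the DMARC enforcement-off gap from "Where the gap appears" and the SPF lookup budget under A.5.14 / A.8.21), the Python below evaluates a constructed DNS zone offline. The domains, vendor names and records are made up; a live check would substitute real TXT answers for the dictionary.

```python
# Constructed sample zone standing in for live DNS TXT answers; not a real estate.
SAMPLE_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example a mx -all",
    "_spf.vendor-a.example": "v=spf1 include:spf1.vendor-a.example a mx ptr exists:%{i}.rbl.vendor-a.example ~all",
    "spf1.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 a:mta.vendor-a.example -all",
    "_spf.vendor-b.example": "v=spf1 redirect=_spf2.vendor-b.example",
    "_spf2.vendor-b.example": "v=spf1 mx a -all",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a lower-cased tag dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_findings(record):
    """Gaps between an 'impersonation control implemented' claim and the published policy."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record published"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: monitoring only, spoofed mail is not blocked")
    # sp defaults to p, so a p=none record also leaves every subdomain unprotected
    if tags.get("sp", tags.get("p", "none")) == "none":
        findings.append("sp=none: subdomain policy is enforcement-off")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to a sample of messages only")
    return findings

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookup_count(domain, zone, seen=None):
    """Count DNS-querying terms across include/redirect chains; RFC 7208 caps this at 10."""
    seen = set() if seen is None else seen
    if domain in seen:  # loop guard for mutually including records
        return 0
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if "=" in name:  # modifier form, e.g. redirect=target
            name, arg = name.split("=", 1)
        if name.lower() in LOOKUP_TERMS:
            count += 1
            if name.lower() in ("include", "redirect"):
                count += spf_lookup_count(arg, zone, seen)
    return count
```

For the sample zone the DMARC record yields two evidence rows and the SPF chain resolves to 13 lookups, which receivers treat as a permanent error, so the sending domain's authentication silently fails despite the record being published.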

Referral-safe by design

We do not compete for your certification work — and we will not.

Intellix does not provide ISMS documentation, ISO 27001 governance consultancy, internal audit services, or certification body services. We do not maintain a Statement of Applicability for clients, we do not run their risk treatment plan, and we do not write their policy library.

Our remit ends at the external technical-controls boundary. Every engagement is scoped so that the governance work, the audit walk-through and the certification relationship remain entirely with the lead consultant. This is in our engagement letters as a written non-compete, not just goodwill.

Process

Four steps. Permission first.

1. Scope letter & permission

We countersign a short scope letter that names the in-scope domains, the consultant of record, and the assessment window. Non-intrusive, permission-based, externally observable surfaces only. We never touch internal systems.

2. External technical-controls assessment

DNS, TLS, headers, email authentication, platform exposure, certificate lifecycle, subdomain inventory. Same engine that powers our free attack-surface scan, scoped to the SoA boundary you tell us about.

3. Evidence pack mapped to Annex A

Each finding carries: the control reference, the SoA claim it touches, a confidence rating (we don't pad), a remediation owner mapped against the client's existing stack, and the evidence artefact (TLS handshake, header dump, DNS query trace) for the audit file.

4. Closure verification

After the client remediates, we re-run the affected checks and re-issue the evidence rows. The audit walk-through becomes a re-confirmation, not a discovery exercise.

FAQ

The questions consultants ask before they refer.

Do you provide ISMS documentation, governance consultancy or certification services?

No — and we will not. The ISMS, the risk assessment, the Statement of Applicability, the policy library and the audit walk-through belong to the lead consultant. We are the external technical-controls validation layer that sits alongside your engagement.

Are you ISO 27001 certified yourselves?

Not currently, and we will tell your client that plainly. We design and deliver against ISO 27001:2022 controls in our own infrastructure, but we hold no certification today. We mention this in the first conversation so it isn't a surprise during procurement.

Will you talk to my client directly, or only through me?

Either model works. Most consultants prefer that we engage through them — scope letter signed by both, findings delivered to the consultant first, then walked through with the client together. White-label and co-branded both available. Direct engagement is fine if your client has signed off on it.

What deliverable do we receive?

An evidence pack of typically 12–24 findings (depending on estate size), each row carrying: Annex A control reference, SoA touch-point, observation, evidence artefact, confidence rating, remediation owner, recommended remediation. PDF and CSV. Optional re-test cycle after remediation, before the audit window.

What about clients outside Ireland and the UK?

The technical assessment is geographically neutral — it runs against any public domain. We deliver work remotely across the EU. For UK NIS-regulated entities we'll structure deliverables to suit a UK ICO / NCSC posture too.

How long does an engagement take?

A first-pass external technical-controls assessment of an SoA-aligned estate is typically two working weeks elapsed (one week of testing, one week of evidence-pack production and consultant walk-through). Re-test cycles after remediation are typically three working days. We can compress for a tight pre-audit window.

Start a conversation

Have a client in the pipeline? Let's talk shape.

Tell us about the engagement — sector, certification stage (pre-stage 1, between stages, pre-surveillance), and the SoA scope you've drafted. We come back within two working days with a draft scope letter, a fee envelope, and a referenced sample evidence row.

Delivered remotely across Ireland, the UK and the EU · Thurles office for face-to-face scoping