Region: UK · EU
Sector: Regulated fintech & energy
Certifications delivered: ISO 27001 · PCI DSS v4 · DORA
Written for: CISO · Head of Audit · COO · Board director

ISO 27001 for a UK energy market operator

Client: a UK energy market operator · Sector: energy market operations · Year: 2018

Headline outcome

Delivered ISO 27001 certification end-to-end in 26 weeks; zero major non-conformities at Stage 2.

Context

A UK energy market operator was facing a regulatory expectation that the ISMS supporting its market-clearing platform would be ISO 27001 certified within the calendar year. The platform processed high-value settlement flows under a regulator-mandated operational uptime expectation; an unplanned outage during the certification window was not an acceptable trade-off.

The internal team had drafted policies; what was missing was the control evidence, the internal audit, and the operating model that would keep the certification renewable in subsequent years.

Risk

  • Schedule risk — the auditor was booked; slipping meant a 6-month delay and a public statement.
  • Operational risk — controls implemented sloppily would burden the platform team for years.
  • Audit risk — major non-conformities at Stage 2 would force a re-audit and a regulator conversation no one wanted to have.

Engagement

We took the ISMS lead role for 26 weeks:

  • Weeks 1-4: scoping — the boundary of the ISMS, the risk register, the Statement of Applicability. We deliberately scoped in the market-clearing platform and scoped out corporate IT (which already had its own programme in train).
  • Weeks 5-16: control design and implementation — every control built with the team that operates it, not for them. We set up the evidence collection so the auditors could see it themselves rather than ask for it.
  • Weeks 17-22: internal audit — full dry-run with structured findings and remediation plan. 23 minor findings, all closed before Stage 1.
  • Weeks 23-25: Stage 1 + Stage 2 — we attended every meeting with the auditor, held the relationships, wrote the management responses.
  • Week 26: certification — issued on time, zero major non-conformities, three minor observations.

Outcome

  • Certification delivered on date. No public-statement slippage.
  • Zero major non-conformities at Stage 2. Three minor observations closed in week 1 of the surveillance cycle.
  • Recertification cycle running cleanly two years on. The team is still using the same operating model.
  • Operating overhead for compliance reporting fell ~40% in the first year because evidence was generated by the platform itself, not by humans assembling it for audit.

The pillar article on DORA readiness for fintech draws on the operating-model patterns from this engagement.

Next step

Working on something similar?

We'll diagnose the shape of your problem in a 30-minute call. No proposals, no pitching.