The Challenge
While a number of information security controls and processes were already in place, these had developed over time and presented an opportunity for greater standardisation and alignment with recognised best practice. In particular, there was a need to enhance consistency in documentation, governance, and the application of controls across the organisation.
Sulzer Schmid (SSL) also identified opportunities to further structure its approach to areas such as incident management, business continuity and information security risk management. Establishing more formalised processes in these areas would support a more consistent and proactive approach to managing risk, as well as strengthening the organisation’s ability to respond to and recover from security incidents.
The implementation of ISO 27001 provided a framework to bring these elements together, enabling Sulzer Schmid to build on its existing capabilities and adopt a more structured, scalable and internationally recognised approach to information security. SSL wanted to achieve ISO 27001 certification as soon as possible, ideally in Q1 2026. Achieving certification would enable the organisation to demonstrate a clear and externally validated commitment to information security to its customers and stakeholders.
Implementing a formal information security management system (ISMS) would also give SSL a clear structure for managing information security risk and help foster a more proactive security culture across the organisation.
The Solution
As part of a structured market assessment and procurement process, Sulzer Schmid reviewed a range of cyber security partners and their services. This allowed the organisation to compare approaches, capabilities and expertise before selecting the partner that best aligned with its objectives for ISO 27001 certification and the implementation of a formal ISMS.
Bridewell has credible energy-industry experience and demonstrated a flexible, outcome-driven approach that matched how SSL wanted to deliver the project and gain ISO 27001 certification.
SSL’s ISMS was designed and implemented in accordance with Bridewell’s five-phase methodology, described below.
Scope & Context
The first phase of the project focused on establishing context, building relationships, agreeing ways of working, and defining a roadmap to achieve ISO 27001 certification. Initial deliverables included an ISO 27001 gap analysis and the ISMS Scope, Context & Requirements document. The outputs of the gap analysis gave Bridewell a more in-depth understanding of how well SSL’s existing security controls aligned with ISO 27001 and which gaps required remediation during the course of the project.
Risk Assessment
The objective of the next phase was to establish an information security risk management framework within SSL. After developing a risk assessment and treatment methodology tailored to SSL’s requirements, each risk identified during the ISO 27001 gap analysis was added to a new ISMS risk register, then analysed and evaluated.
Risk treatment plans were developed for every risk whose impact and/or likelihood needed to be reduced, and each risk was assigned a risk owner. A series of workshops was run with key stakeholders across SSL to confirm that each identified risk was relevant and had been assessed correctly.
Control Implementation
Phase three of the project required the most time and effort. It consisted of implementing all of the mandatory requirements in clauses 4 to 10 of ISO 27001, together with the risk treatment plans designed in phase two. Designing and implementing these controls was a highly collaborative effort involving stakeholders from every department across SSL, including IT, Software Development, Operations, and People and Culture.
Many hours were spent drafting and reviewing security policies, procedures and standards to ensure they made sense for SSL and its organisational needs. Technical controls were reviewed and improved, and Bridewell ran weekly meetings to ensure that SSL staff understood the controls being put in place, their rationale and their benefits. Various registers, logs and trackers were operationalised in this phase to track and improve ISMS performance, including the effectiveness of newly implemented or improved security controls and processes.
Internal Audit
Once the control implementation phase was complete, the next major milestone was to plan and execute the first internal audit of the ISMS. This audit was run by a Bridewell consultant who was completely independent of the implementation project, to ensure impartiality. An internal audit methodology was developed before the audit, and Bridewell worked closely with SSL on all audit preparation activities.
The Bridewell delivery team also attended each of the audit interviews alongside SSL, providing support in answering questions raised by the auditor and helping to demonstrate and present any relevant evidence. Upon completion of the internal audit, Bridewell and SSL reviewed any findings raised and worked collaboratively to ensure that all findings were addressed in a timely manner and ahead of the certification audit.
External Audit
The final phase of the project was the ISO 27001 certification audit. As with the internal audit, Bridewell supported SSL with all preparation activities for both Stage 1 (the certification body’s review of the ISMS documentation) and Stage 2 (the assessment of whether the controls are implemented and operating effectively). This included stakeholder preparation, evidence collection and the arrangement of each audit interview. The Bridewell delivery team also attended each interview to ensure that SSL had the support it needed to answer the auditor’s questions and requests. Thanks to the hard work completed across the project, SSL achieved ISO 27001 certification with no nonconformities raised by the external auditor.
The Results
The project finished with Bridewell conducting a detailed handover, giving SSL and its ISMS team a clear roadmap of the activities to perform before the first surveillance audit, not only to maintain the ISMS but also to improve it, since continual improvement is one of the key requirements of ISO 27001.
Bridewell established strong working relationships with key stakeholders across SSL, in particular the appointed ISMS lead, working closely with them to plan, design and implement the security controls required to align with ISO 27001 and manage information security risk.
Weekly project review meetings and daily discussions and workshops ensured that everyone involved in the ISMS implementation was fully aware of their duties and of the tasks to be completed over the short, medium and long term. These regular touch points meant that project issues, risks and blockers were identified and resolved quickly, keeping the project on schedule, and the open communication channels allowed Bridewell to respond promptly to SSL’s queries, minimising the likelihood of delays.
Since working with Bridewell, SSL has strengthened and formalised its information security practices across the organisation. The company now has clearly defined information security roles and responsibilities, supported by a suite of tailored policies, procedures, and standards. A structured information security risk management framework ensures that risks are identified, analysed, and treated proactively, while incident response and business continuity plans are in place and tested regularly.
Governance has been enhanced through the establishment of an Information Security Board (ISB), which reports ISMS performance to top management on a consistent basis. Supplier management processes have been implemented to address supply chain risks, particularly for critical or high-risk suppliers. In addition, a comprehensive security awareness and training programme has been introduced, and a new Security & Trust Centre has been designed and implemented, providing SSL with improved visibility, accountability, and a more proactive security culture throughout the organisation.