If a supplier holds your data, you’re entitled to ask how they look after it, and to expect a better answer than “we’re careful.” That’s the standard we’ve decided to hold ourselves to, not just the clients we work with.
We’re pleased to share that Reformed IT has passed Stage 1 of our ISO 27001 certification audit, following an assessment on 30 June 2026 by Peers Quality Assurance Limited (PQAL), a UKAS-accredited certification body.
What ISO 27001 actually is
Strip away the acronym and ISO 27001 is a fairly simple idea: a business writes down, in detail, how it protects information, who can access what, how it spots problems, how it responds when something goes wrong, how it manages risk from suppliers and staff, and so on. That written system is called an Information Security Management System, or ISMS. Then, instead of taking the business’s word for it, an independent, accredited auditor checks the ISMS is real, sensible, and actually being followed.
It’s the same principle as a set of accounts being audited rather than just trusted. Anyone can say they’re careful with money, or with data. ISO 27001 is what it looks like when a business is willing to have that claim independently tested.
What Stage 1 checks
Certification happens in two stages, and it’s worth understanding the difference because it’s easy to assume “passed Stage 1” means “fully certified.” It doesn’t, and being upfront about that is part of the point of this post.
Stage 1 is a documentation review. The auditor doesn’t yet watch us work day to day, they check that the groundwork is properly built: the scope of what our ISMS covers, our risk assessments (what could go wrong, and how likely and serious each risk is), our policies (access control, incident response, supplier management, and the rest), and the records that show those policies exist in practice, not just in theory. Think of it as an auditor checking the blueprints before anyone inspects the finished building.
Passing Stage 1 means that groundwork is in place, is properly structured, and holds up to independent scrutiny. It doesn’t yet prove we live up to it every day, that’s what Stage 2 is for.
What happens next
Stage 2 is the hands-on audit, and the harder test. Where Stage 1 asks “do you have the right policies on paper?”, Stage 2 asks “are you actually doing what they say?” The auditor will look at real evidence over time, things like access logs, staff training records, and how we’ve actually handled any incidents or changes, rather than just the policy documents describing how we’re supposed to handle them.
That audit is scheduled for September 2026 with PQAL. Certification is only awarded once both stages are passed, so we’re treating Stage 1 as real progress, not a finish line, and we’ll share the outcome here once Stage 2 is complete.
Why we’re doing this
We spend our working day advising clients on Cyber Essentials, Cyber Essentials Plus and general security posture, telling other businesses what good practice looks like. It felt right to hold our own Information Security Management System to the same independent standard we recommend to everyone else, rather than just describing good practice and hoping it holds up if anyone ever asked to see it.
What this means for our clients
Nothing changes about how we work with you day to day. What it does mean is that the way we handle access, data and risk internally is being checked against a recognised international standard, by an independent auditor, not just described in a policy document.
That matters most if you’re in a regulated or high-trust sector, solicitors, accountants, manufacturers handling client IP, or commercial real estate businesses managing sensitive tenant and financial data are all examples, where your own clients, insurers or regulators increasingly expect you to know how your suppliers handle information security, not just take it on trust. If you’re ever asked to demonstrate supplier due diligence, this is the kind of evidence that answer is built on.




