Q: Do I need to have Factorial HR to get certified?

No. Factorial IT works independently and integrates with more than 40 HRIS on the market. The relevant detail is in offboarding: With integration (Factorial HR or another HRIS). When a departure is registered in HR, access is revoked automatically, the device is locked remotely and the closure is documented with a timestamp. Why it matters. It's one of the controls the auditor reviews most closely, and where issues are most frequently found. It works the same way with an external HRIS, as long as the integration stays active.

Question 1

How does the ISO 27001 certification process with Factorial IT work?

Accepted Answer

The process is structured in five stages. In several of them, the most labor-intensive tasks (such as the asset inventory or evidence collection) are carried out automatically from your organization's real data.

Diagnosis and ISMS definition. We assess your regulatory and technical maturity and define the scope of your Information Security Management System, the security policy and the responsible roles. This way you know your starting point from day one.

Asset inventory and risk analysis. Factorial IT automatically generates a real-time inventory of devices and access. We build your risk map on that data, with no need for manual inventories.

Risk treatment and control selection. We select the applicable Annex A controls and document the Statement of Applicability (SoA), which only needs your approval.

Implementation and documentation. Encryption, lock and access management policies are applied through MDM, and each control generates its exportable evidence automatically. This way, implementing and evidencing become a single step.

Audit and certification. We support you through the internal audit and with the certification body. Once you obtain the seal, evidence keeps being generated automatically for every surveillance audit.

Question 2

How is Factorial IT different from a consultancy or a compliance automation platform?

Accepted Answer

We don't leave you with a certificate and a PDF, nor do we simply read data from other tools. The foundation of our approach is that your compliance is demonstrated, not just declared, and that it rests on your own infrastructure. The key differences:

We are the infrastructure, not a layer on top. Compliance automation platforms run on top of your existing tools and collect evidence through integrations; your MDM, inventory, SaaS access or antivirus stay in separate systems. With Factorial IT, the same platform that manages devices, access, inventory, EDR and offboardings is the one that generates the evidence: a single source of truth, with no information to reconcile between systems.

Real evidence. Every Annex A control is backed by exportable evidence generated by the platform itself, not by paper-based declarations.

Automated technical foundation. Devices, access, MDM and EDR are managed from a single place, so the operational base of your ISMS doesn't have to be built by hand.

Dedicated Lead Auditors. Unlike a tool that only aggregates data, a specialized team guides you from start to finish.

Ongoing support. A consultancy usually disappears once you get the seal; we keep your compliance alive so you reach every annual surveillance audit without surprises.

Question 3

How are responsibilities shared between Factorial IT and my organization?

Accepted Answer

We take care of most of the process, split across two fronts:

What we automate. Device inventory, access control, policy enforcement via MDM, incident detection with EDR and evidence collection — without a single spreadsheet.

What we write. Our team of Lead Auditors prepares the policies, the risk analysis and the Statement of Applicability from your real data.

Your role is limited to reviewing, approving and signing. No need to run a parallel project lasting several months or to tie up your team with manual tasks that take time away from what matters.

Question 4

If I already have security measures in place, why would I need Factorial IT?

Accepted Answer

Because most companies don't fail ISO 27001 for lack of security, but because they can't demonstrate it. You probably already have your devices managed, access controlled and policies written; the problem usually shows up on audit day, when the failure isn't technical but documentary. The most common critical points are:

1) Outdated inventory. The asset list lives in a spreadsheet that doesn't reflect the real situation at the time of the audit.

2) Access not revoked. Active accounts or permissions remain for people who are no longer part of the organization.

3) Lack of evidence. There's no record proving that controls are applied effectively and continuously.

Factorial IT fills precisely that gap: it turns your daily operations into evidence automatically and continuously, so that what you already do can be demonstrated to the auditor.

Question 5

Do I need to have Factorial HR to get certified?

Accepted Answer

No. Factorial IT works independently and integrates with more than 40 HRIS on the market. The relevant detail is in offboarding:

With integration (Factorial HR or another HRIS). When a departure is registered in HR, access is revoked automatically, the device is locked remotely and the closure is documented with a timestamp.Why it matters. It's one of the controls the auditor reviews most closely, and where issues are most frequently found.

It works the same way with an external HRIS, as long as the integration stays active.

Question 6

Where is the data hosted, and is Factorial IT a secure solution?

Accepted Answer

Yes. Factorial is a European company headquartered in Barcelona, subject to the GDPR, with its infrastructure hosted on AWS servers in Germany. The company also applies to its own operations the same standards it helps its clients certify against:

Certifications. ISO/IEC 27001:2023, SOC 2 Type I and II, and ENS High Level.Regulatory compliance. GDPR, UK-GDPR and equivalent regulations in other regions.

Question 7

Is Factorial IT an affordable solution for smaller organizations?

Accepted Answer

Yes. Regardless of your organization's size, we design a personalized plan that fits your reality, not the other way around. We don't apply a single price or fixed packages: we adapt the scope to your specific situation, whether you're a small company or a multi-entity environment. In practice, the proposal is sized based on:

- The size and complexity of your organization. A small company doesn't take on the same scope as a large corporation, and its plan doesn't reflect one either.

- The frameworks you need to cover. We only size what your case requires (ISO 27001, ENS, NIS2…), without paying for what doesn't apply.

- Your starting point. If you already have part of the work done, we build on it instead of starting from scratch.

It's also worth weighing the cost as a whole: much of the work is automated and compliance maintains itself year after year, avoiding the hundreds of internal hours and the recurring effort that the manual route or a traditional consultancy involves. The best way to find out what the investment looks like in your case is to request a personalized proposal, with no commitment: we build it from your real situation and with full transparency.

Get ISO 27001 certified in weeks, not months

Everything you need for ISO 27001

Build controls that manage risk, not just tick compliance boxes

What other teams who've already made the switch are saying

How far are you from ISO 27001?

Frequently Asked Questions