Skip to content

Information security · ISO/IEC 27001:2022

ISO 27001 information security

I build your information security management system (ISMS) to ISO/IEC 27001:2022 and make it audit-ready, from the gap analysis through the Statement of Applicability and risk treatment to Annex A (2022), to the internal audit under ISO 19011. A solid ISMS is the foundation of any serious AI governance and the answer to NIS2, supply-chain and customer audits. The accredited certification is issued by the certification body, I get you there without surprises.

ISO/IEC 27001 is the internationally recognised information-security standard, requested in global supply chains and procurement, wherever you operate.

When it makes sense

NIS2, supply-chain requirements, customer audits and tenders make information security a business condition. An ISMS to ISO/IEC 27001 makes sense if you:

  • are affected by NIS2 or must prove yourself as a supplier along the chain
  • need to show a solid ISMS in customer audits or tenders
  • aim for ISO 27001 certification and want to enter the audit without surprises
  • are building ISO 42001 / AI governance and need the security foundation for it

What I build

  • ISMS gap analysis against ISO/IEC 27001:2022
  • Statement of Applicability (SoA)
  • Risk treatment to Annex A (2022)
  • Policies, roles & procedures that hold up in operation
  • Internal audit to ISO 19011
  • Interface to ISO 42001 & the EU AI Act

For clarity: official certification is issued only by an accredited certification body. I take on the preparation and readiness, so your ISMS holds up and the external audit becomes a confirmation, not a surprise.

Why me?

As an ISO/IEC 27001 Lead Auditor & Lead Implementer and ISO/IEC 42001 Senior Lead Auditor (PECB) who runs a manufacturing company himself, I build an ISMS that works in real operation, not a binder for the certification body. PECB awards the Senior level only from 1,000+ documented audit hours and at least seven years of professional practice. I know both sides of the audit table and translate the standard into the language of your business.

Dual qualification

ISO/IEC 27001 Lead AuditorISO/IEC 27001 Lead ImplementerISO/IEC 42001 Senior Lead AuditorPECB

How it works

Three steps to ISMS readiness

01

Gap analysis

A stocktake against ISO/IEC 27001:2022, where you stand and what is missing. The result is a prioritised finding, not an off-the-shelf spec sheet.

02

Risk treatment & SoA

Assess risks, select controls from Annex A (2022) and record them with justification in the Statement of Applicability. The ISMS gains substance.

03

Internal audit

Examination of the ISMS to ISO 19011 with classified findings, the dress rehearsal before the accredited body's certification audit.

More on the topic

I have covered the central questions around ISO/IEC 27001 in depth, from NIS2 for SMEs through the Statement of Applicability to the distinction from ISO 42001:

Preparation vs. certification

I prepare your ISMS to certification readiness: gap analysis, risk treatment, Statement of Applicability and internal audit. The official ISO/IEC 27001 certificate is issued exclusively by an accredited certification body, following its own certification audit. I work neutrally throughout, without ties to a particular certification body, and represent only your interests in the audit.

Frequently asked questions

What is an ISMS to ISO/IEC 27001?+

An ISMS (information security management system) is the systematic framework you use to manage information security: identifying risks, defining suitable controls and demonstrating their effectiveness. ISO/IEC 27001:2022 is the internationally recognised standard for it, the foundation on which any serious AI governance also builds.

What is the Statement of Applicability (SoA)?+

The Statement of Applicability is the central steering document of the ISMS. In it you document, for each control from Annex A (2022), whether it applies, whether it has been implemented and on what justification. I build the SoA so that it is derivable from your risk treatment and traceable in the certification audit.

Why do I need this? NIS2, customer audits, tenders?+

Because more and more clients make information security a condition. NIS2 tightens the obligations for many companies and their supply chains, and customer audits and tenders increasingly demand evidence. A solid ISMS, ideally to ISO/IEC 27001, is the answer that lets you meet these requirements and stay competitive. Even companies outside the EU are affected when they supply into EU value chains.

How do ISO 27001, ISO 42001 and the EU AI Act connect?+

Closely. An AI management system (AIMS) to ISO/IEC 42001 builds on a working ISMS, many controls (access, suppliers, incidents, logging) are shared by both standards. If you have already implemented ISO 27001, you reach ISO 42001 readiness faster and can evidence the AI Act more cleanly. I build both systems so they interlock rather than run side by side.

What is ISO 19011 and why do you audit to it?+

ISO 19011 is the guideline for auditing management systems. I run the internal audit of your ISMS to this methodology, with an audit plan, evidence, classified findings and a report. That way you go into the external audit without being surprised by the certification body.

Who selects and coordinates the certification body?+

I support you in choosing an accredited certification body and coordinate the process, stage 1 and stage 2 audits, dates and documents. The body invoices its fee separately; as a rough guide, for a small operation this is roughly EUR 3,000 to 4,500 for the initial certification plus about EUR 1,400 to 2,000 per annual surveillance audit (real offers for comparable accredited audits, 2026). Because I am not tied to any certification body, the choice stays neutral and in your interest.

Do you issue the ISO 27001 certificate?+

No. Official certification is issued exclusively by an accredited certification body. I prepare you for it, gap analysis, ISMS build, risk treatment, internal audit, and accompany you into the certification audit. I work neutrally, without ties to a particular certification body.

Imprint and privacy policy are available in German (the German version is legally binding): Imprint, Privacy (English summary).