Skip to content

Services

The AI Auditor helps companies worldwide with ISO/IEC 42001 (AI management systems), ISO/IEC 27001 (information security) and EU AI Act readiness: gap analysis, build and internal audit. Independent supplier and second-party audits are available on top, in Germany and worldwide. Official certification itself is always issued by an accredited certification body.

I make your AI auditable and your information security solid, from the first baseline to certification readiness.

Who I work with

My focus is the manufacturing mid-market, precision machining, metal and mechanical engineering, industry and industry-adjacent services, plus international companies that source from or operate in Europe. In other words, organisations that use AI in real operation and must prove to customers, supply chains or the EU AI Act that they have it under control. I speak the language of the shop floor because I run one myself, and I carry exactly that practice into ISO 42001, ISO 27001 and the AI Act.

ISO/IEC 42001, AI management system

The world's first standard for responsible AI. As a Senior Lead Auditor and Senior Lead Implementer (PECB) I build your AI management system and examine it, from gap analysis to certification readiness.

  • Gap analysis against ISO/IEC 42001
  • Build of the AIMS (risks, roles, controls)
  • Internal audit & management review
  • Preparation for certification
More on ISO/IEC 42001

ISO/IEC 27001, information security

The foundation of any serious AI governance: a solid ISMS. I support the build, internal audits and preparation for certification to ISO/IEC 27001.

  • ISMS gap analysis & Statement of Applicability
  • Risk treatment to Annex A (2022)
  • Internal audit to ISO 19011
  • Interface to ISO 42001 & the EU AI Act
More on ISO/IEC 27001

EU AI Act, readiness & classification

Prohibited practices, high-risk systems, transparency obligations: I classify your AI applications and show what needs doing by when, with the extraterritorial reach that catches many non-EU firms.

  • Risk classification of your AI systems
  • Obligations mapping (Art. 50, Annex III)
  • Bridge to ISO 42001 as evidence
  • Roadmap with deadlines
More on EU AI Act

AI decision advisory for leaders

You have to decide on AI without being an AI expert yourself? I advise management and leaders independently: where AI pays off, where it becomes a risk, and what ISO/IEC 42001 and the EU AI Act ask of you as leadership. Plain talk instead of hype, from an owner-manager's perspective.

  • AI strategy & use-case prioritisation
  • Governance & accountability (who checks, who is liable)
  • ISO/IEC 42001 & the EU AI Act framed for the leadership level
  • Sparring before investment & vendor decisions
Book a no-obligation intro call

Also available on its own

External supplier & second-party audits

You need to audit a supplier or site but have no capacity of your own, or you need an independent auditor with manufacturing experience? I take on supplier and second-party audits as a standalone service, in Germany and worldwide, on-site or remote.

  • Supplier & second-party audits (2nd party)
  • Against ISO 42001 / 27001 or your own requirements
  • On-site or remote, you decide
  • Clear audit report with findings & actions
  • International too, audit experience in several countries
  • An auditor who knows the shop floor from the inside

For clarity: official certification may only be issued by an accredited certification body. A supplier or second-party audit is something else, an audit on your behalf that lets you have your suppliers or your own processes checked independently.

Why me?

ISO/IEC 42001 is an international standard, my PECB qualification is globally recognised, and I have not only been abroad in theory: I have audited in several countries and helped build up a manufacturing operation abroad from the ground up. Because I sat on the audited side myself as a managing director, I know how a management system has to work in real operation, not just on paper. That is the difference between a report and a result.

Audited on-site in

the Netherlandsthe UK (Scotland)CroatiaSerbiaTürkiye

…plus Germany as the base.

Efficiently delivered

Less effort, lower cost

Two standards, one project

ISO 42001 and ISO 27001 share a core structure, risk logic and a large part of the evidence. Tackling both together, or building on an existing ISMS, means you do not build the core structure and evidence twice; that often cuts the additional effort noticeably. A reliable estimate follows the gap analysis. I plan for exactly this from the outset.

Tool-neutral, no lock-in

I don't sell you software that ties you down. Your management system runs on the tools you already have, from a spreadsheet to a GRC platform. You keep control of your data, your processes and your running costs.

Often eligible for funding

For German-based SMEs, advisory and implementation work around digitalisation and AI is frequently eligible for funding, for example via the nationwide BAFA advisory programme or state programmes. What is possible in your region we clarify in the free intro call. More on cost & funding

Your advantage

What you get here, and rarely elsewhere

Senior Lead Auditor in person

No junior team learning on your project: you work directly with me. PECB awards the Senior level only from 1,000+ documented audit hours and at least seven years of professional practice.

Dual competence: build and audit

I build management systems AND examine them as an auditor, you buy both in one person. That produces a system built to pass the external audit from day one.

Owner-manager's perspective

I have sat on the audited side myself and run a manufacturing company. I know the pressure of day-to-day operations and build systems that relieve the business rather than paralyse it.

Neutral, free choice of body

No ties to any certification body: you choose the body freely, and my recommendations answer only to your interests.

Seven years of AI practice

Seven years of AI practice, from building my own AI and ERP systems to AI governance. I don't just talk about AI, I have built and run it myself.

Lean & AI-supported

Fewer consulting days for the same result: I work AI-supported and without overhead. That lowers your investment, and for German-based clients advisory work is often eligible for funding.

Packages & process

Three steps, one clear path

Each package builds on the previous one, and you can start with the baseline alone. The investment is project-specific; you get a firm fixed price after the free intro call, no inflated figures. For rough orders of magnitude, see the cost insight.

01

Baseline

Where do you really stand?

approx. 2-4 weeks

A stocktake against ISO 42001 / ISO 27001 and a classification of your AI applications under the EU AI Act.

You receive

  • Gap analysis report
  • Risk classification of your AI applications
  • Prioritised action plan

Fixed price after the free intro call

02

Build & readiness

From finding to a working system

approx. 1-3 months

Build of the management system that holds up in operation, policies, roles, risk assessment and controls.

You receive

  • AIMS / ISMS framework
  • Policies & procedures
  • Risk assessment & controls
  • Training for the people who own it

Fixed price after the free intro call

03

Certification readiness

Into the external audit without surprises

up to the certification audit

An internal audit run like the certification body, corrective actions and preparation for the external audit.

You receive

  • Internal audit report
  • CAPA / action tracking
  • Management review template
  • Support for stage 1 / stage 2

Fixed price after the free intro call

What you concretely get

What my results look like

No PowerPoint clouds, but auditable artefacts. In a project they are produced tailored to your company.Note: samples for illustration, not client material.

AI system inventory

Every AI application with purpose, data types, EU AI Act risk class and owners.

AI policy

Principles, roles, risk and impact assessment, transparency, AI literacy.

AI impact assessment

A structured impact assessment of an AI system, including a GDPR note.

Audit preparation checklist

12 points that must be in place before any ISO 42001 / 27001 audit.

Gap analysis report

Where you stand today against ISO 42001 / 27001, with a prioritised action plan.

Internal audit report & CAPA

An audit report like the certification body's, plus corrective-action tracking.

Industry focus

From the workshop to aerospace

My background runs from precision manufacturing, metal and mechanical engineering through industry into aerospace. I carry that practice, industry by industry, into ISO 42001, ISO 27001 and the EU AI Act, with real shop-floor experience rather than textbook theory. A few reads:

Frequently asked questions

What is ISO/IEC 42001 and do I really need it?+

ISO/IEC 42001 is the first international standard for AI management systems (AIMS). It helps you run AI responsibly, transparently and defensibly, and is the practical proof that you have your AI under control. With the EU AI Act, exactly that proof becomes a competitive advantage.

How do ISO 42001, ISO 27001 and the EU AI Act connect?+

ISO 27001 secures your information (the foundation). ISO 42001 builds on it and governs the responsible use of AI. The EU AI Act is the law, and a system built to ISO 42001 is a proven, structured way to meet its obligations demonstrably.

Can you also certify?+

Certification itself is always issued by an accredited certification body, for reasons of independence. As an ISO/IEC 42001 Senior Lead Auditor I get you there: gap analysis, build, internal audit. That way you enter the external certification audit without surprises.

Do you also offer supplier or second-party audits?+

Yes. Supplier and second-party audits can be booked as a standalone service, in Germany and worldwide, on-site or remote. I audit against ISO 42001 / 27001 or your own requirements and deliver a clear audit report with findings and recommended actions. This is especially useful when your own team has no capacity or you need an independent auditor with real manufacturing experience. Accredited certification audits are unaffected; those are issued by an accredited certification body.

How does a supplier or second-party audit work with you?+

In three steps: first we agree the objective, scope and criteria (which standard or which of your own requirements, which sites, which processes) and I draw up an audit plan. Second I run the audit, on-site or remote, with document review, interviews and on-the-floor observation. Third you receive a traceable audit report with findings, risk rating and concrete recommended actions. On request I also follow up on the corrective actions.

What is the difference between a second-party audit and a certification audit?+

A second-party audit is an audit 'by an interested party', typically you as the buyer having a supplier audited on your behalf. A certification audit (third party) is carried out by an accredited certification body and results in an official certificate. Both have their place: the second-party audit gives you fast, independent assurance about a supplier or site, without that party needing to be certified.

Which companies is this worthwhile for?+

For any organisation that uses AI seriously, in production, administration, sales. If AI influences decisions, processes customer data, or you must provide evidence to clients, a clean management system is worthwhile. There is no minimum size.

ISO 27001 first or ISO 42001 first?+

Either works. A solid information security management system (ISO 27001) is a good foundation, but not a mandatory precursor to ISO 42001. It is often worth looking at both together and saving duplicate work. In the intro call we settle the order that makes sense for you.

How big does my company need to be?+

There is no minimum size. What matters is that you use or introduce AI and want to take responsibility for it. The approach is tailored to be pragmatic and without corporate overhead.

What does ISO 42001 cost, and is there funding?+

That can only be answered seriously after a short assessment, which is why it starts with a free intro call and, where useful, a baseline. You then get a clear price, no inflated figures. Thanks to a lean, AI-supported way of working the effort stays low; and for German-based clients advisory work is often eligible for funding (e.g. the BAFA advisory programme, state programmes).

How do you keep confidentiality and conflicts of interest clean?+

With clear rules. A non-disclosure agreement (NDA) is standard on request, just say the word. Any potential conflicts of interest, such as proximity to a competitor of my own manufacturing company, I disclose before accepting the engagement, so you can decide. Audit reports and results go exclusively to you as the client. And advice and accredited certification stay strictly separate: the official certificate is always issued by an independent, accredited certification body.