Two live ISO 27001 engagements — one Stage 2 certification sprint, one internal audit. Real clients, real findings, real outcomes. Anonymised at client request.
British Assessment Bureau · Zürich, Switzerland · September 2025
A Legal AI company in Zürich had completed Stage 1 with the British Assessment Bureau and was scheduled for Stage 2 within weeks. The Head of People & Operations — a returning client from a prior ISO 27001 Stage 1 engagement — needed two things: a structured two-week sprint to address open findings, and an experienced advisor available on audit day itself.
Two priority gaps emerged from the Stage 1 report: the server room was unlocked (Clause 7 / Annex A.7.3), and several Annex A controls had been excluded from the Statement of Applicability without sufficient justification (5.5, 5.12, 5.31, 7.8, 7.11, 7.12).
A third issue surfaced mid-sprint: Management Review minutes from May 2025 did not reflect the required discussion items — the auditor had flagged potential escalation to a Minor or Major non-conformity. It was resolved before it became a finding.
Both non-conformities raised at Stage 2 were resolved via corrective action records prepared during the sprint. Certification was confirmed within ten days of audit close.
| Metric | Outcome |
| --- | --- |
| Stage 1 findings addressed | 100% prior to Stage 2 |
| Non-conformities raised at Stage 2 | 2 — both minor |
| Non-conformities resolved | Both accepted |
| Management review escalation | Prevented mid-sprint |
| Certification outcome | Confirmed ✓ |
| Certification body | British Assessment Bureau |
NC-1 — Clause 7 / Annex A.7.3 (Physical Security)
Network cabinet locked immediately. ISMS procedure updated with quarterly access control checks. Annual physical security re-evaluation added to risk cycle.
NC-2 — Clause 6.1.3 (Statement of Applicability)
Controls 7.11 and 7.12 reinstated. Evidence remapped in Vanta. SoA Governance Checklist and dual sign-off process introduced.
"Thank you Axel — everything worked out. We should receive the report within the next ten days. I'll let you know as soon as the certification is finally confirmed — but it looks good." — Head of People & Operations, Legal AI Technology Company, Switzerland · Personal reference available upon request
Healthcare Sector · Austria · July 2025
A medical diagnostics company specialising in protein analysis for the pharmaceutical industry was preparing for its ISO 27001:2022 external Stage 2 certification. The ISMS had been implemented the previous year. The CIO needed an independent internal audit to verify compliance, surface any remaining gaps, and produce an evidence-ready report the external auditor would review.
The CIO had one clear requirement: a structured, transparent process that produced a defensible audit record — not a formal exercise that added friction without adding value.
The engagement ran as a two-week Compliance Sprint. I was granted read-only access to the company's Vanta GRC environment as an authorised internal auditor — reviewing each control directly against the Statement of Applicability, rather than relying on self-reported status.
Fifteen specific evidence gaps were identified across business continuity testing, development procedures, container vulnerability management, and management review documentation. Every finding was mapped to a specific ISO 27001:2022 control. The audit report was delivered on day fourteen and uploaded directly to Vanta — visible to the external auditor with a timestamped audit trail.
The engagement led directly to a six-month Virtual CISO retainer covering ISO 27001 ongoing compliance, NIS2 readiness, and ISO 42001 preparation.
| Metric | Outcome |
| --- | --- |
| Controls assigned | 100% |
| Controls fully completed | 85% |
| Evidence gaps identified | 15 specific items |
| Corrective action deadline | August 1, 2025 |
| Audit report delivered | Day 14 ✓ |
| External auditor visibility | Immediate via Vanta |
| Follow-on engagement | 6-month vCISO retainer |
Role-based access rights correctly enforced. Network segregation well-executed. "Need to know" principle consistently applied. Admin rights restricted to a small, well-managed group. Document quality across the ISMS audit-ready.
"I would like to express my sincere appreciation and gratitude to Axel for the excellent work he did in our recent internal ISO 27001 audit. His structured approach was clearly noticeable from start to finish and contributed significantly to ensuring the entire process ran smoothly and efficiently. I was particularly impressed by Axel's pragmatic and honest manner — at a time when other internal audits often try to extract the maximum for themselves, Axel focused on creating maximum value for us." — CEO, Medical Diagnostics Provider, Austria
Fixed scope. Fixed timeline. Audit-ready deliverables from day one.
Schedule a 30-minute scoping call to confirm fit and start date.