Four live engagements — ISO 27001 certification sprints and OSINT investigations across Germany, Switzerland, and Austria. Real clients, real findings, real outcomes. Anonymised at client request.
British Assessment Bureau · Zürich, Switzerland · September 2025
A Legal AI company in Zürich had completed Stage 1 with the British Assessment Bureau and was scheduled for Stage 2 within weeks. The Head of People & Operations — a returning client from a prior ISO 27001 Stage 1 engagement — needed two things: a structured two-week sprint to address open findings, and an experienced advisor available on audit day itself.
Two priority gaps emerged from the Stage 1 report: the server room was unlocked (Clause 7 / Annex A.7.3), and several Annex A controls had been excluded from the Statement of Applicability without sufficient justification (5.5, 5.12, 5.31, 7.8, 7.11, 7.12).
A third issue surfaced mid-sprint: Management Review minutes from May 2025 did not reflect the required discussion items — the auditor had flagged potential escalation to a Minor or Major non-conformity. It was resolved before it became a finding.
Both non-conformities raised at Stage 2 were resolved via corrective action records prepared during the sprint. Certification was confirmed within ten days of audit close.
| Stage 1 findings addressed | 100% prior to Stage 2 |
| Non-conformities raised at Stage 2 | 2 — both minor |
| Non-conformities resolved | Both accepted |
| Management review escalation | Prevented mid-sprint |
| Certification outcome | Confirmed ✓ |
| Certification body | British Assessment Bureau |
NC-1 — Clause 7 / Annex A.7.3 (Physical Security)
Network cabinet locked immediately. ISMS procedure updated with quarterly access control checks. Annual physical security re-evaluation added to risk cycle.
NC-2 — Clause 6.1.3 (Statement of Applicability)
Controls 7.11 and 7.12 reinstated. Evidence remapped in Vanta. SoA Governance Checklist and dual sign-off process introduced.
"Thank you Axel — everything worked out. We should receive the report within the next ten days. I'll let you know as soon as the certification is finally confirmed — but it looks good."— Head of People & Operations, Legal AI Technology Company, Switzerland · Personal reference available upon request
Healthcare Sector · Austria · July 2025
A medical diagnostics company specialising in protein analysis for the pharmaceutical industry was preparing for its ISO 27001:2022 external Stage 2 certification. The ISMS had been implemented the previous year. The CIO needed an independent internal audit to verify compliance, surface any remaining gaps, and produce an evidence-ready report the external auditor would review.
The CIO had one clear requirement: a structured, transparent process that produced a defensible audit record — not a formal exercise that added friction without adding value.
The engagement ran as a two-week Compliance Sprint. I was granted read-only access to the company's Vanta GRC environment as an authorised internal auditor — reviewing each control directly against the Statement of Applicability, rather than relying on self-reported status.
Fifteen specific evidence gaps were identified across business continuity testing, development procedures, container vulnerability management, and management review documentation. Every finding was mapped to a specific ISO 27001:2022 control. The audit report was delivered on day fourteen and uploaded directly to Vanta — visible to the external auditor with a timestamped audit trail.
The engagement led directly to a six-month Virtual CISO retainer covering ISO 27001 ongoing compliance, NIS2 readiness, and ISO 42001 preparation.
| Controls assigned | 100% |
| Controls fully completed | 85% |
| Evidence gaps identified | 15 specific items |
| Corrective action deadline | August 1, 2025 |
| Audit report delivered | Day 14 ✓ |
| External auditor visibility | Immediate via Vanta |
| Follow-on engagement | 6-month vCISO retainer |
Role-based access rights correctly enforced. Network segregation well-executed. "Need to know" principle consistently applied. Admin rights restricted to a small, well-managed group. Document quality across the ISMS audit-ready.
"I would like to express my sincere appreciation and gratitude to Axel for the excellent work he did in our recent internal ISO 27001 audit. His structured approach was clearly noticeable from start to finish and contributed significantly to ensuring the entire process ran smoothly and efficiently. I was particularly impressed by Axel's pragmatic and honest manner — at a time when other internal audits often try to extract the maximum for themselves, Axel focused on creating maximum value for us."— CEO, Medical Diagnostics Provider, Austria
Broadcast Journalism · Germany · Broadcast December 2025
An investigative journalist at a German TV production company was developing a documentary on mystery boxes — the consumer trend of buying packages of unknown, returned e-commerce goods. The story needed to show the infrastructure: who controls the supply chains, where goods originate, how distribution networks are structured, and whether systematic consumer fraud could be documented.
Investigative intuition is not evidence. The documentary required verifiable, source-documented intelligence that could withstand editorial and legal scrutiny before broadcast. I was brought in to build that evidence base.
The investigation ran in two structured phases. Phase 1 used Shodan and Censys to identify server networks associated with mystery box operators. DNS analysis via crt.sh and DNSlytics traced relationships between domains sharing infrastructure, registrar patterns, or SSL certificate chains. Phase 2 used Sherlock, WhatsMyName, and OpenCorporates to correlate usernames and trace corporate relationships between operators, and TgStat and MaveKite to map the Telegram and TikTok influencer networks amplifying the ecosystem.
The investigation also incorporated physical intelligence: AirTag tracking to document actual product flows, and forensic address recovery — chemical treatment and specialised lighting to restore redacted shipping labels and reconstruct supply chain origin points operators had deliberately obscured. A whistleblower provided corroborating evidence of systematic fraud.
| Mystery box articles in circulation annually | 15+ million |
| CO₂ impact from returns logistics | 240,000+ tonnes/year |
| Primary supply chain routing | Polish warehouse network → German distribution |
| Operator structure | Coordinated networks presenting as independent sellers |
| Consumer harm documented | Systematic fraud: fake labels, adulterated contents |
| Physical verification | AirTag tracking + forensic address recovery |
| Broadcast outcome | Prime-time, major German public broadcaster ✓ |
PDF summary report with source verification · Technical annex with domain lists and infrastructure diagrams · Structured source archive (Excel/CSV) for editorial and legal review · Full OSINT dossier: actor networks, supply chain documentation, platform analysis · Methodology documentation to broadcast compliance standard · Visual assets and story frameworks for multiple publication formats.
"Super thanks — forwarding it. Results coming Friday."— Lead Investigative Producer, German Television · Personal reference available upon request
Luxury Kitchen Appliances · Germany / Switzerland · Delivered October 2025
A luxury kitchen brand with more than 110 years of engineering heritage was planning a B2B market activation in Germany — a series of exclusive networking events in Munich designed to deepen relationships with kitchen studios, interior architects, premium carpenters, and design media. The goal was 90 qualified participants across three events.
The challenge was not the event itself. It was the data behind it. The Brand team needed to identify and qualify 270 brand-aligned contacts in the Munich metropolitan region. No existing database met this requirement. The segmentation logic did not yet exist. And the outreach infrastructure needed to be DSGVO-compliant from the ground up.
I developed a five-segment target model (80 km radius): exclusive kitchen studios, interior architects without competing product lines, premium custom carpenters, appliance consultants, and design media. Each segment had defined qualification criteria. Using AI-supported OSINT — search engine queries, social network analysis, digital footprint assessment, and reference project review — I identified and qualified 270 candidates. I also ran a cross-reference analysis between the Swiss partner network and the German market to anchor Phase 1 outreach with warm introductions.
The contact database was designed to be a reusable strategic asset: full specification covering database structure, segmentation logic, brand conformity matrix, DSGVO-compliant processing documentation, competitor exclusion mechanisms, and an access management framework.
| Qualified contacts identified | 270 |
| Target segments covered | 5 (studios, architects, carpenters, consultants, media) |
| Geographic scope | Munich + 80 km radius |
| Participant target per event | 30 (× 3 events = 90 total) |
| Competitor exclusion | Systematic — competing brands and trade partners excluded |
| DSGVO compliance | Full — processing documentation, opt-in logic, deletion protocols |
| Data architecture delivered | Database spec, segmentation logic, brand conformity matrix ✓ |
40% kitchen studios and brand trade partners · 33% architects and interior designers · 20% premium carpenters · 7% design media and multipliers.
Events planned: three identical premium formats — brand showroom Munich, November 2025, with live cooking by a Michelin-starred chef and Swiss heritage catering.
Fixed scope. Fixed timeline. Audit-ready deliverables from day one.
Schedule a 30-minute scoping call to confirm fit and start date.