Case Study 01 · ISO 27001:2022 Stage 2

Legal AI Technology Company — Certification Sprint

British Assessment Bureau · Zürich, Switzerland · September 2025

Sector: Legal Technology / AI Software
Size: Scale-up, ~50–100 employees
Engagement: Stage 2 Readiness Bootcamp + Live Audit Support
Duration: Two weeks + audit day
The Situation

A legal AI company in Zürich had completed Stage 1 with the British Assessment Bureau and was scheduled for Stage 2 within weeks. The Head of People & Operations, a returning client from a prior ISO 27001 Stage 1 engagement, needed two things: a structured two-week sprint to close the open Stage 1 findings, and an experienced advisor available on audit day itself.

Two priority gaps emerged from the Stage 1 report: the server room was unlocked (Annex A 7.3, Securing offices, rooms and facilities), and several Annex A controls had been excluded from the Statement of Applicability without the justification Clause 6.1.3 requires (5.5, 5.12, 5.31, 7.8, 7.11, 7.12).

A third issue surfaced mid-sprint: the Management Review minutes from May 2025 did not record the inputs and decisions Clause 9.3 requires, and the auditor had flagged potential escalation to a Minor or Major non-conformity. The minutes were corrected before the audit, so it never became a finding.

The two minor non-conformities raised at Stage 2 were closed with corrective action records prepared during the sprint. Certification was confirmed within ten days of audit close.

Results
Stage 1 findings addressed: 100% prior to Stage 2
Non-conformities raised at Stage 2: 2, both minor
Non-conformities resolved: both corrective actions accepted
Management review escalation: prevented mid-sprint
Certification outcome: confirmed ✓
Certification body: British Assessment Bureau
Corrective Actions

NC-1 — Annex A 7.3 (Physical Security: securing offices, rooms and facilities)
Network cabinet locked immediately. ISMS procedure updated with quarterly physical access control checks. Annual physical security re-evaluation added to the risk assessment cycle.

NC-2 — Clause 6.1.3 (Statement of Applicability)
Controls 7.11 (Supporting utilities) and 7.12 (Cabling security) reinstated in the SoA. Evidence remapped to the controls in Vanta. SoA Governance Checklist and dual sign-off process introduced so that every future exclusion carries a documented justification.

"Thank you Axel — everything worked out. We should receive the report within the next ten days. I'll let you know as soon as the certification is finally confirmed — but it looks good."
— Head of People & Operations, Legal AI Technology Company, Switzerland · Personal reference available upon request
Relevant for your organisation if
  • You are preparing for ISO 27001 Stage 2 with open Stage 1 findings
  • Your Vanta ISMS has SoA exclusions that may not withstand auditor scrutiny
  • Your certification body is already scheduled and the timeline is fixed
  • You need an advisor present on audit day, not just in the weeks before
  • You need a fixed-scope sprint, not an open-ended retainer
Ready to Start
Your Certification Sprint Starts Here

Fixed scope. Fixed timeline. Audit-ready deliverables from day one.
Schedule a 30-minute scoping call to confirm fit and start date.

Schedule a Scoping Call: meet@axelhoehnke.com