Healthcare Sector · Austria · July 2025
Healthcare Sector · Austria · July 2025
A medical diagnostics company specialising in protein analysis for the pharmaceutical industry was preparing for its ISO 27001:2022 external Stage 2 certification. The ISMS had been implemented the previous year. The CIO needed an independent internal audit to verify compliance, surface any remaining gaps, and produce an evidence-ready report the external auditor would review.
The CIO had one clear requirement: a structured, transparent process that produced a defensible audit record — not a formal exercise that added friction without adding value.
The engagement ran as a two-week Compliance Sprint. I was granted read-only access to the company's Vanta GRC environment as an authorised internal auditor — reviewing each control directly against the Statement of Applicability, rather than relying on self-reported status.
Fifteen specific evidence gaps were identified across business continuity testing, development procedures, container vulnerability management, and management review documentation. Every finding was mapped to a specific ISO 27001:2022 control. The audit report was delivered on day fourteen and uploaded directly to Vanta — visible to the external auditor with a timestamped audit trail.
The engagement led directly to a six-month Virtual CISO retainer covering ISO 27001 ongoing compliance, NIS2 readiness, and ISO 42001 preparation.
| Controls assigned | 100% |
| Controls fully completed | 85% |
| Evidence gaps identified | 15 specific items |
| Corrective action deadline | August 1, 2025 |
| Audit report delivered | Day 14 ✓ |
| External auditor visibility | Immediate via Vanta |
| Follow-on engagement | 6-month vCISO retainer |
Role-based access rights correctly enforced. Network segregation well-executed. "Need to know" principle consistently applied. Admin rights restricted to a small, well-managed group. Document quality across the ISMS audit-ready.
"I would like to express my sincere appreciation and gratitude to Axel for the excellent work he did in our recent internal ISO 27001 audit. His structured approach was clearly noticeable from start to finish and contributed significantly to ensuring the entire process ran smoothly and efficiently. I was particularly impressed by Axel's pragmatic and honest manner — at a time when other internal audits often try to extract the maximum for themselves, Axel focused on creating maximum value for us."— CEO, Medical Diagnostics Provider, Austria
Fixed scope. Fixed timeline. Audit-ready deliverables from day one.
Schedule a 30-minute scoping call to confirm fit and start date.
