Information security management and certification readiness

From current state to certification-ready. Practical gap analysis, risk assessment, control selection, documentation, and structured audit preparation.

Built for organisations that need to meet real certification body expectations, not just pass a checklist. Every engagement is scoped to your operations, your risk profile, and your timeline.

ISO 27001, SOC 2, TISAX. Audit-ready.

ISMS readiness tracker (illustrative example, not live client data; last updated April 2026)

Scope and context defined
Risk assessment complete
Statement of Applicability
Controls implemented
Internal audit: in progress
Stage 1 preparation

93 controls, 8 gaps, 4 NCNs closed.

ISO 27001 implementation and certification support

AuditVantage® takes you from current state to certification-ready. That means a practical gap analysis, risk assessment tailored to your business, control selection that fits your operations, documentation auditors can follow, and structured Stage 1 and Stage 2 preparation.

ISO 27001 internal audit

Independent, objective evaluation of your ISMS to certification-body standard. Findings categorised per ISO 19011, structured for direct inclusion in your clause 9.3 management review. Delivered as a standalone service, including for organisations whose ISMS was implemented by another consultancy, built in-house, or inherited through acquisition or merger.

SOC 2 implementation (Type I and Type II)

AuditVantage® maps your controls to AICPA Trust Services Criteria, identifies gaps, builds the evidence base, and confirms examination readiness. Type I for point-in-time assurance, Type II for operating effectiveness over time.

TISAX assessment readiness

Scope definition, Assessment Level selection (AL 1 through 3), gap analysis against VDA ISA controls, remediation support, and full preparation for accredited assessment.

Built for automotive suppliers and technology providers working with OEM partners.

Ready to start?

A focused conversation about your priorities, the frameworks most relevant to your context, and where to begin.

Get in Touch

AuditVantage® provides advisory and implementation services only. AuditVantage® is not a law firm; matters requiring legal advice or formal legal opinion are referred to qualified counsel. ISO/IEC 27001 certification decisions rest with accredited certification bodies.

Related services

ISO 42001 - AI Governance
NIS 2 and EU AI Act
vCISO Advisory

ISO 27001 FAQ

Common questions about ISO 27001.

Straight answers to what buyers most often ask. The rest is for the discovery call.

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. It sets the requirements for establishing, operating, and continually improving an ISMS, and is the most widely recognised certification for information security across enterprise procurement, regulated industries, and public sector contracts.

Annex A was restructured from 114 controls into 93, organised under four themes: organisational, people, physical, and technological. Eleven new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, and web filtering. Organisations holding a 2013 certificate transition to 2022 within the window set by their certification body.

The Statement of Applicability lists every Annex A control, states whether it applies, and justifies each decision against the risk register. It is the single document a certification auditor reads first to understand how your ISMS is structured. An SoA that is vague, defensive, or inconsistent with the risk register is the most common cause of a Stage 1 nonconformity.

An internal audit is conducted by or for the organisation itself to verify its own ISMS conforms to ISO/IEC 27001:2022 and is operating effectively. It is a requirement of clause 9.2 and feeds into management review. An external audit is conducted by an accredited certification body to decide whether to grant, maintain, or withdraw certification. The two serve different purposes, are governed by different independence requirements, and are not interchangeable.

Timelines depend on the organisation's specific set-up and requirements, including starting maturity, scope size, integration complexity, and internal stakeholder availability. A realistic timeline is confirmed on the discovery call.

Total cost splits into three categories: consulting and implementation support, internal tooling and remediation, and certification body audit fees. Consulting is scoped and fixed-fee after the discovery call. Certification body fees are set directly by the body you engage.

Almost always, yes. Organisations with SOC 2, ISO 9001, TISAX, or mature internal programmes already satisfy a significant portion of Annex A. Phase 1 gap analysis identifies what carries over, what needs hardening, and what is missing. Existing controls are strengthened, not rebuilt unnecessarily.

Any organisation genuinely committed to improving its security posture and protecting the confidentiality, integrity, and availability of data. In practice, the organisations most frequently pursuing ISO 27001 are SaaS companies, fintechs, consulting firms, and service providers whose enterprise customers require it as a procurement condition.

Yes. AuditVantage® works with organisations of all sizes, from small teams through to mid-size and large enterprises. Small companies have specific requirements: leaner scope, fewer stakeholders, proportionate controls, and a pragmatic implementation approach that fits limited internal capacity. The ISMS is scoped and scaled to match the size and risk profile of your organisation, not designed to a template.

Clause 9.2 requires internal audits at planned intervals, conducted by personnel independent of the activity being audited. AuditVantage® delivers independent internal audit as a dedicated service, including for organisations whose ISMS was implemented by another consultancy, built in-house, or inherited through acquisition or merger. Audits are conducted to ISO 19011, with findings written in the form certification auditors expect, and feed directly into management review and Stage 2 readiness.

Yes. Independent internal audit is a standalone service and is often preferred by clients where a clean separation from the implementer is required. The audit applies ISO/IEC 27001:2022 requirements, ISO 19011 audit principles, and nonconformity and opportunity-for-improvement language consistent with external certification audit practice.

Yes, with diligent separation of duties. The Lead Auditor assigned to the internal audit is not the consultant who led the implementation. This preserves independence from the activity being audited under clause 9.2 and ISO 19011 principles, and is documented as part of the engagement. The AuditVantage® contract covers the entire scope, so you do not need to engage multiple suppliers.

No. AuditVantage® is not a certification body. Certification decisions are made independently by accredited certification bodies. AuditVantage® prepares you for audit and supports selection of a certification body appropriate to your market and sector.
Contact

Based in Düsseldorf. Working across Germany and the EU.

Address

Breite Str. 27
40213 Düsseldorf
Germany

Registered office, Düsseldorf