The failure
I was CTO at a U.S. health‑services scale‑up. Enterprise deals required ISO 27001 and SOC 2. We hired a global consultancy.
Four months and a six‑figure invoice later, TÜV’s auditors left one verdict: fail.
- Mis‑mapped requirements. Documents referenced the wrong clauses.
- Partial implementation. Controls incomplete; evidence missing.
- No plan. No usable path to remediate.
Our pipeline stalled that week.
The pivot
That Friday, we ended the engagement and reset.
“We become security experts now — or we hand the market to someone else.”
- Rewrote the control set from first principles.
- Hardened infrastructure; centralized logs and access reviews.
- Tracked evidence line‑by‑line in a living register.
The system we used — and you’ll reuse
- Map: Align SoA to reality; document scope and ownership.
- Implement: Close the gaps; instrument logs, access, backups.
- Evidence: Schedule proofs; attach artefacts as you go.
- Rehearse: Short, precise answers to expected audit questions.
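As an added example (not part of the original page or the author's pack), the following Python register performs the Map and Evidence steps mechanically: it flags policy documents that cite control IDs absent from the SoA (the mis-mapped clause problem from the failed audit) and applicable controls with no owner, no evidence, or evidence older than its review cadence. Control IDs follow ISO 27001:2022 Annex A numbering as I recall it; the policies, owners, dates and artefact names are constructed for the example.

```python
"""Minimal evidence register: flags mis-mapped references, missing owners,
missing evidence and stale evidence before an auditor does.
Added example; control IDs follow ISO 27001:2022 Annex A numbering,
every other value below is constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Control:
    control_id: str
    name: str
    owner: str                   # "" means nobody owns it yet
    applicable: bool             # the SoA decision
    cadence_days: int            # max acceptable age of the newest artefact
    evidence: list = field(default_factory=list)   # (date, artefact) pairs


@dataclass
class Policy:
    name: str
    references: list             # control IDs the document claims to satisfy


def check_mapping(policies, controls):
    """Map step: every control a policy cites must exist in the SoA."""
    known = {c.control_id for c in controls}
    return [(p.name, ref) for p in policies
            for ref in p.references if ref not in known]


def find_gaps(controls, today):
    """Evidence step: per applicable control, list what an auditor will ask for."""
    gaps = []
    for c in controls:
        if not c.applicable:
            continue                         # excluded in the SoA, nothing to prove
        if not c.owner:
            gaps.append((c.control_id, "no owner"))
        if not c.evidence:
            gaps.append((c.control_id, "no evidence"))
            continue
        newest = max(d for d, _ in c.evidence)
        age = (today - newest).days
        if age > c.cadence_days:
            gaps.append((c.control_id,
                         f"stale evidence: {age} days old, cadence {c.cadence_days}"))
    return gaps


# Constructed sample register (owners, dates and artefact names are made up)
CONTROLS = [
    Control("A.5.15", "Access control", "it-lead", True, 90,
            [(date(2024, 3, 1), "q1-access-review.csv")]),
    Control("A.8.13", "Information backup", "platform", True, 30,
            [(date(2024, 2, 10), "restore-test-feb.md")]),
    Control("A.8.15", "Logging", "", True, 30, []),
    Control("A.8.30", "Outsourced development", "", False, 365, []),
]

POLICIES = [
    Policy("Backup Policy", ["A.8.13"]),
    # A.12.4.1 is the 2013 edition's numbering for event logging: a mis-mapped clause
    Policy("Logging Standard", ["A.8.15", "A.12.4.1"]),
]


def audit(today=date(2024, 3, 15)):
    """Run both checks; the result is what the evidence tracker would show."""
    return {"mismapped": check_mapping(POLICIES, CONTROLS),
            "gaps": find_gaps(CONTROLS, today)}


if __name__ == "__main__":
    for key, findings in audit().items():
        print(key)
        for item in findings:
            print("  ", item)
```

Run it and the register reports the logging standard's reference to a clause that does not exist in the 2022 SoA, a backup restore test that is 34 days old against a 30-day cadence, and a logging control with neither owner nor evidence; the not-applicable control is skipped because the SoA excludes it.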
End‑to‑End Implementation Guide (Waves 0–5)
A practical, ~30‑day plan that gets you to audit‑ready without consultants. Governance first, then people/assets/vendors, identity & endpoints, build & change, detect/respond/recover, and finally privacy + assurance.
| Week | Waves and deliverables |
|---|---|
| Week 1 | Wave 0 — Scope, Top Policy, Risk method, SoA v1, document control, thin audit loop. |
| Week 2 | Waves 1–2 — HR/JML, Asset Register & AUP, Data Classes, Suppliers, MFA & IdP, Devices (MDM), Physical. |
| Week 3 | Waves 3–4 (part) — Secure baselines (OS/DB/Cloud), SSDLC gates, Change & Release, start Vuln/Patch, Crypto/Keys. |
| Week 4 | Waves 4–5 — Logging/SIEM, Backups + Restore test, Incident Response tabletop, BCP run, Privacy artifacts, metrics & IA finalize. |
The result
| Timeline | Milestone |
|---|---|
| Day 90 | ISO 27001:2022 passed with TÜV — no major findings |
| Day 120 | SOC 2 Type I cleared by a Big 4 audit team |
| Scope | GDPR, CCPA, HIPAA controls aligned and documented during the work |
Enterprise contracts reopened. Cash returned. No consultants — just a system that worked.
What you can download today
- 120+ ISO 27001 & SOC 2 policies, cross‑referenced and field‑tested
- Ready‑to‑ship Statement of Applicability and Risk Register
- End‑to‑End Implementation Guide (Waves 0–5) with detailed walkthroughs
- Audit‑interview notes used with TÜV and Big 4 reviewers
- Evidence tracker that flags gaps before an auditor does
Time to audit‑ready: often under 30 days.
Consultant cost avoided: typically €30k–€70k.
Guarantee: fatal gap ➜ we patch within five business days or refund 100% + €1 000.
Is this for you?
Best fit
- Founder‑led teams on a sales or audit deadline
- Modern SaaS stacks (cloud‑first, minimal on‑prem)
- Need to show competence to enterprise buyers quickly
Not ideal
- On‑prem heavy environments seeking bespoke consulting
- Teams expecting “done‑for‑you” with no involvement
- Companies without an internal owner for security operations
Frequently asked
- Will auditors accept documentation that started from templates?
  - Yes. Auditors check suitability and operation. You adapt the policies to your environment and provide evidence that controls run as described.
- How much editing is typical?
  - Most teams map the SoA, set owners, and tailor a handful of policies to stack specifics (access, backups, logging). The pack includes examples and prompts.
- Type I vs Type II?
  - Type I attests to design at a point in time; Type II covers operating effectiveness over a period. The system and evidence tracker help you prepare for both.
- How does the guarantee work?
  - If your auditor issues a written finding that a fatal gap stems from our documentation, we patch within five business days or refund 100% and pay €1 000.
Questions? Email the author — the CTO who wrote every line: [email protected]