Client situation

  • Team needed an ISO 27001-aligned ISMS foundation.
  • Needed real documentation, assessments, and training for audit readiness.
  • Existing security measures lacked formal structure and documentation.

Many teams reach a turning point: informal security practices that worked at a smaller scale start to become a liability. Regulatory requirements tighten. Clients demand proof of compliance. The team wants to win contracts that require ISO 27001 certification. In this case, individual security controls were in place, but no one had documented them, assessed them, or formally aligned them to a risk-based framework. The gap analysis revealed that the foundation was largely sound. What was missing was the structure, evidence, and documentation an auditor needs.

What was delivered

  • Security framework aligned to ISO 27001 requirements.
  • Documented security processes and controls.
  • Internal assessments (readiness review / gap analysis).
  • Training enablement for employees (cybersecurity best practices).

The ISMS documentation package covered the full mandatory set: an ISMS manual defining scope and context; a risk assessment methodology and risk register; a Statement of Applicability recording the selected Annex A controls and the justification for each exclusion; security policies for information security, access control, and acceptable use; and operational procedures for incident response, change control, and backup. We also developed and delivered training materials so that employees learned their responsibilities within the ISMS.

Governance approach

  • Compliance aligned to ISO 27001 (ISMS) requirements.
  • Audit-readiness oriented documentation.
  • Risk-based approach to control selection.
  • Continuous improvement framework.

Outcome

  • Positioned the team to apply for ISO 27001 certification.
  • Structured, audit-ready approach documented.
  • In-house capability built for ongoing ISMS maintenance.
  • Employee awareness raised through the training program.

Scope & Limitations

This engagement covered ISMS preparation: framework design, documentation, gap analysis, and training. We took the team up to readiness for a Stage 1 and Stage 2 certification audit. The certification audit itself is conducted by an accredited certification body and was outside the scope of this engagement. Technical implementation of specific controls was also out of scope where they were not already in place; this includes systems hardening, SIEM deployment, and identity and access management setup. The gap analysis flagged those items as client-owned action items. After the initial preparation, the team owns ongoing ISMS maintenance, internal auditing, and control review cycles. The documentation and in-house capability built during the engagement support that work.

What ISO 27001 Preparation Involves

Security Framework Design

Establishing the ISMS scope, context, leadership commitment, and organizational roles. Defining the risk assessment methodology and control objectives.

Process Documentation

Documenting security policies, procedures, and work instructions. Creating asset inventories, risk registers, and the Statement of Applicability (SoA).

Internal Assessments

Conducting a gap analysis against the ISO 27001 Annex A controls. Performing risk assessments and defining treatment plans for the gaps found.

Training & Awareness

Developing and delivering security awareness training. Ensuring all employees understand their role in information security.

ISMS Documentation Package

  • ISMS Manual — scope, context, policy framework.
  • Risk Assessment — methodology, risk register, treatment plans.
  • Statement of Applicability (SoA) — control selection and justification.
  • Security Policies — information security, access control, acceptable use.
  • Procedures — incident response, change control, backup, access control.
  • Asset Inventory — information assets, owners, classification.
  • Training Materials — awareness program, phishing simulation, role-based training.
  • Audit Evidence — logs, records, review documentation.

Frequently Asked Questions

How long does ISO 27001 preparation take?
Depending on team size and current maturity, preparation typically takes 6-12 months. This includes the gap analysis, documentation, implementation of controls, training, and an internal audit before the certification audit.
What's the difference between preparation and certification?
Preparation builds the ISMS foundation and documentation. Certification is performed by an accredited certification body through Stage 1 (documentation review) and Stage 2 (implementation audit) assessments.
Do we need to implement all 93 Annex A controls?
No. Controls are selected based on the risk assessment. The Statement of Applicability documents which controls apply and provides justification for any exclusions.
Can existing security measures be incorporated?
Yes. The gap analysis identifies what already exists and what needs to be added or formalized. Existing controls are documented and aligned with ISO 27001 requirements.

Book an ISMS Readiness Workshop

Start with a gap analysis and roadmap to understand your path to ISO 27001 certification.