
Demonstrable security — building trust.

Auditing, certifying, building trust — with structured preparation, professional depth and regulatory certainty.

In an increasingly regulated environment, auditable evidence of information security and compliance is no longer a plus — it is a prerequisite for market access, customer onboarding and operational security. We support you comprehensively in conducting internal audits, preparing for external certifications and operating audit programs sustainably.

  • ISO 27001
  • BSI IT-Grundschutz
  • TISAX®
  • BSI C5
  • ISO 42001
  • NIS2
  • DORA
  • EU AI Act
  • 5+ standards in one audit program
  • up to 90% overlapping controls between ISO 27001, TISAX and BSI IT-Grundschutz
  • 9–18 mo. realistic path to first certification
  • 3-year certificate cycle with annual surveillance audits and recertification
Our services at a glance

What we deliver in the audit.

From the first target/actual comparison to successful recertification — five building blocks that structure your audit program and keep it audit-ready.

Covered standards

One audit program — many standards.

ISO 27001, TISAX and BSI IT-Grundschutz share around 80–90% of their controls. In an integrated audit program you reuse the same evidence multiple times — instead of auditing each regulation in isolation.

Approach

The path to successful certification.

Six steps from scoping to recertification — modular, evidence-oriented and aligned to your maturity.

  1. Scoping & gap analysis

     Scope, protection need and target/actual comparison against the target standard. Output: a prioritized action plan.

  2. Implementation & controls

     Build-up of policies, processes and technical controls. We support the asset inventory, risk analysis and protection-need determination.

  3. Evidence structure

     Documents, evidence, KPIs and audit-day templates are bundled into an auditable package, on request in the IMS tool.

  4. Internal audit

     Dry run before the external assessment: findings, management review, effectiveness assessment and final corrections.

  5. External audit & certificate

     We accompany you on-site through the external assessment up to issuance of the certificate. For ISO 27001 this means the Stage-1 (documentation and readiness) and Stage-2 (effectiveness) audits of the accredited certification body; TISAX assessments are performed by an ENX-accredited audit provider and result in TISAX labels, and BSI C5 is an attestation report rather than a certificate.

  6. Surveillance & recertification

     Multi-year audit cycle with annual surveillance audits, continuous improvement and a prepared recertification audit before the certificate expires.

FAQ

Frequent questions on audits & certifications.

Which standards do you cover as audit support?

We accompany audits and certifications per ISO/IEC 27001, ISO/IEC 27017/27018, ISO 22301, ISO/IEC 42001, TISAX®, BSI IT-Grundschutz and BSI C5, as well as the regulatory evidence obligations arising from NIS2, DORA, the CRA, the EU AI Act and the BaFin supervisory requirements (KAIT/VAIT/BAIT). Feel free to reach out for industry-specific standards as well.

How does an internal audit differ from external certification?

The internal audit is a mandatory part of an effective management system: the organization audits itself against the standard, typically in preparation for the external assessment. External certification is performed by an accredited certification body whose audit team must be independent of the auditee and of anyone who helped build the management system. We can support you in both phases, but never simultaneously as consultant or internal auditor and as the external certification body for the same organization.

How long does the path to first certification take?

Realistically 9 to 18 months. Of these, typically 2–4 months for gap analysis and roadmap, 4–9 months for implementation, control effectiveness testing and documentation, plus 2–3 months for internal audit, Stage-1 and Stage-2 audits. With already established management systems the path shortens considerably.

Can you bundle multiple audits into one program?

Yes — and that is often economically sensible. ISO 27001, TISAX and BSI IT-Grundschutz share around 80–90% of the controls. In an integrated audit program, evidence, audit dates and reports can be synchronized so the same evidence is reusable multiple times. The VamiSec IMS Framework supports this multiple use systematically.

What happens with non-conformities in the audit?

Findings are classified as major nonconformities, minor nonconformities and observations. A major nonconformity (for example a missing control or a systematic failure of a process) must be corrected, and the correction verified, before the certificate is issued. A minor nonconformity requires an accepted corrective action plan with a deadline (typically 90 days); its implementation is verified by the certification body at the latest in the next surveillance audit. Observations carry no deadline but are revisited. We steer the remediation, document the effectiveness of the corrective actions and align the evidence with the certification body.

Protect Your Organization Now!

Contact us for an individual consultation and security solution tailored to your requirements.

Valeri Milke, CEO of VamiSec

"Only when all instruments are well-tuned does your organization become secure and compliant."