Technology Compliance Consultant for ISO 27001, SOC 2, ISO 22301 and ICT Risk

I'm an independent technology compliance consultant based in Frankfurt. I help fintechs, ICT vendors, and scaling tech companies stand up the compliance programs their customers and regulators expect: ISO 27001, ISO 22301, SOC 2, ICT third-party risk frameworks, NIS2, and the outsourcing and business continuity controls that sit underneath the headline EU regulations like DORA and MiCA.

My focus is governance, program design, and audit readiness. I write policies, build control frameworks, prepare evidence packs, and conduct pre-audit readiness work. For technical implementation (penetration testing, vulnerability management, security operations), I work alongside technical partners and your engineering team.

What this covers

  • Most clients arrive needing one or more of these:

    • ISO/IEC 27001:2022, the international standard for information security management systems. The de facto baseline for B2B tech sales in Europe and a common starting point for everything else.
    • ISO/IEC 22301, the international standard for business continuity management. Increasingly demanded in DORA-influenced procurement, even for vendors outside financial services.
    • SOC 2 Type 1 and Type 2, the AICPA reporting framework for service organizations. The dominant US standard, now routinely demanded of EU companies selling into US enterprises.
    • NIS2 (Directive (EU) 2022/2555), the EU's cybersecurity directive for essential and important entities. Transposed across most Member States by late 2024, with enforcement now active.
    • ICT third-party risk management, including frameworks aligned to DORA Articles 28 to 44 for financial-sector customers.
    • Outsourcing governance aligned to the EBA Guidelines on Outsourcing Arrangements and equivalent rules for insurance and crypto-asset firms.
    • Customer security questionnaires (SIG, SIG-Lite, CAIQ, vendor-specific). A coherent control library is often the difference between winning a deal and losing it to a competitor who responded faster.
  • Two situations bring in most clients:

    The first is reactive. A customer has stalled a renewal pending ISO 27001 certification; a security questionnaire has surfaced control gaps the team can't answer; an internal audit has found ICT issues; or a DORA flow-down questionnaire from a financial-sector customer has triggered a wider compliance review.

    The second is structural. A scaling tech company has hit the point where it can't win enterprise deals without ISO 27001, SOC 2, or both. They want to stand up the program properly the first time, rather than fail an audit and rebuild.

    I work with both.

What I deliver

  • ISO 27001:2022 readiness

    Full gap analysis against the 2022 version of the standard, including the updated Annex A with 93 controls grouped into four themes. Deliverables: Statement of Applicability, ISMS scope and objectives, policy framework, risk assessment methodology, internal audit program, and a pre-certification readiness review. I work with your chosen certification body on the audit, but I'm not the certifier.
  • ISO 22301 business continuity management

    Business Impact Analysis, recovery objectives, BCPs and DR plans, exercise and testing schedule, and the management system documentation required by ISO 22301. For financial-sector clients, the BCM programme is aligned to DORA's resilience-testing expectations from day one, so you build the controls once for both.
  • SOC 2 readiness

    Trust Services Criteria scoping (Security is mandatory, plus Availability, Confidentiality, Processing Integrity, and Privacy as relevant), control mapping, evidence framework, and Type 1 or Type 2 readiness. I work with your chosen CPA firm on the audit, but I'm not the auditor.
  • ICT third-party risk management

    A vendor risk framework that holds up to DORA flow-downs from financial-sector customers and stands on its own for tech-to-tech B2B. Vendor inventory, criticality assessment, due diligence templates, contract clauses, ongoing monitoring, exit plans, and the Register of Information where DORA applies downstream.
  • NIS2 compliance

    Scope assessment under national transposition, governance arrangements, risk management measures under Article 21, incident reporting workflow, supply chain security, and the cyber hygiene baseline competent authorities have started testing in inspections.
  • Customer security questionnaire programme

    A centralised response library mapped to your control framework. Covers SIG, SIG-Lite, CAIQ v4, and custom questionnaires from named enterprise customers. Designed so sales and legal stop chasing engineering for answers every time a deal hits procurement, which is where most lost deals actually die.
  • Outsourcing governance

    Frameworks aligned to the EBA Guidelines on Outsourcing Arrangements, BaFin MaRisk AT 9, and equivalent rules for insurance and crypto-asset firms. Critical and important function classification, due diligence templates, contract clauses, ongoing monitoring, exit plans, and the regulator-facing registers.
  • Cloud compliance

    ISO/IEC 27017, ISO/IEC 27018, CSA STAR, and the shared-responsibility framing required by AWS, Azure, and Google Cloud customers. Holding AWS Cloud Practitioner, I can engage credibly with your cloud team without claiming to do the technical implementation work that belongs to your engineers or a specialist partner.

Frequently asked questions

  • ISO 27001 or SOC 2: which do I need?

    ISO 27001 if your customers are in the EU, UK, or rest of the world outside North America. SOC 2 if your customers are US enterprises, especially in financial services, healthcare, or SaaS. Most growing B2B companies eventually need both. Many controls overlap, so a unified control library cuts the second implementation by 40 to 60%.
  • How long does ISO 27001 certification take?

    From a standing start, 6 to 12 months: gap analysis (2 to 4 weeks), implementation (3 to 6 months), Stage 1 audit, Stage 2 audit. Aggressive timelines tied to customer deadlines are possible at 4 to 5 months if senior leadership commits and security maturity is already reasonable.
  • What's the difference between SOC 2 Type 1 and Type 2?

    Type 1 reports on controls at a point in time and is the fastest route to a first report, typically 3 to 6 months from readiness. Type 2 reports on operating effectiveness over a period of 6 or 12 months. Most enterprise customers eventually require Type 2.
  • What is a SIG questionnaire?

    The Standardized Information Gathering questionnaire from Shared Assessments. It's the dominant third-party risk questionnaire in financial services and a growing standard elsewhere. SIG-Lite runs around 240 questions; the full SIG is over 1,000. CAIQ v4 from the Cloud Security Alliance is the cloud-focused equivalent at around 260 questions.
  • Does NIS2 apply to my company?

    If you operate in one of the 18 sectors listed in Annex I (essential entities) or Annex II (important entities) and you exceed the SME thresholds (typically 50+ employees or €10M+ turnover), generally yes. Sectors include digital infrastructure, ICT service management, banking, financial market infrastructure, postal services, manufacturing, food, and research. Some entities are in scope regardless of size, including DNS service providers, TLD name registries, and certain digital service providers.
  • Can you actually run my ISO 27001 certification audit?

    No, and you wouldn't want me to. The certifier and the consultant must be different parties for ISO 27001 certification to be valid. I work alongside your chosen certification body (BSI, TÜV, DNV, DEKRA, Bureau Veritas, etc.) to get you through their audit. The same separation applies for SOC 2: I prepare you, your CPA firm issues the report.
  • What's the difference between BCM and disaster recovery?

    DR (disaster recovery) is the IT-side discipline of restoring systems and data after a disruption. BCM (business continuity management) is the broader programme covering people, processes, premises, suppliers, and recovery objectives across the whole organisation. ISO 22301 covers BCM, and DR plans sit inside it.
  • When to reach out

    If you've lost an enterprise deal over a failed security questionnaire, your ISO 27001 surveillance audit is approaching and the evidence isn't ready, your customers are sending DORA flow-down questionnaires you can't answer, or you need to stand up a compliance program that scales with the next funding round, get in touch. The first-call diagnostic is free.