// ISO 27001 · ISMS · Information security
norm-werk builds information security management systems that fit the organisation — not the other way around. Pragmatic, plain-spoken, no paper mountain and no tool lock-in.
// Services
norm-werk focuses on what works day-to-day. No off-the-shelf packages, just a small set of sharply scoped services that complement each other.
From first scoping through certification readiness: we build your information security management system step by step — aligned with ISO/IEC 27001 and shaped around what your business actually needs.
You need accountability, not a full-time hire. I step in as your external Information Security Officer — operationally responsible, with a clear reporting line into management.
Security belongs in the project, not after go-live. For cloud migrations, vendor changes or new platforms, I bring the security perspective in early — before it gets expensive.
Security is behaviour, not paperwork. Tailored formats for leadership, IT teams and staff — clear, useful, and without the wagging finger.
Note: I deliberately do not perform external certification audits myself — independence matters. Instead I work closely with experienced certification bodies and support you all the way up to the audit.
// How we work
A clear approach is half the work. norm-werk follows a model that has proven itself in practice — lean enough for SMEs, thorough enough for certification.
Free, no strings attached. We clarify what you need, possible paths and whether we fit. Around 30 minutes.
Where are you today? We review existing structures, documents and processes — and name gaps, risks and quick wins honestly.
You receive a prioritised plan with realistic effort and timing. No castles in the sky — a list you can actually work through.
We deliver together — with your team, not around it. Responsibilities stay transparent, documents stay readable.
An ISMS is a living thing. On request I stay involved afterwards — as external ISO, in management reviews, or simply as a reliable point of contact.
// Who it fits
The collaboration is a particularly good fit for:
Mid-sized companies with 50–500 employees that need structure without corporate overhead.
Organisations facing compliance demands from customers, regulators or a parent company.
IT departments without a dedicated security role looking for an experienced external lead.
Leadership teams that want to approach ISO 27001 without getting lost in tools and paperwork.
// Myths
The same assumptions come up in nearly every first conversation. Here are the most common ones — and how I see them.
"ISO 27001 is only for large corporations."
The standard is deliberately written to scale. A well-tailored ISMS for an 80-person company looks different from a DAX-listed group — but it works.
"We first need an expensive GRC tool."
Tools help once the structure is in place. Without a concept they just produce expensive documents. For starting out, spreadsheets, templates and a clear head are usually enough.
"This will be a year of paperwork."
Documents are a means, not an end. norm-werk keeps policies short enough that people actually read — and live by — them.
"One audit is enough — then we're secure."
An audit is a snapshot. Security is a process. An ISMS lives on continuous care, not one-off heroics.
"Information security is IT's problem."
Responsibility sits with leadership. IT implements — but decisions, budgets and risk appetite belong at the top.
// portrait // About
[Placeholder] For more than [X] years I have worked at the intersection of IT, project work and information security. norm-werk bundles that experience into one clear offer: consulting that lands — technically deep, plainly spoken.
[Placeholder] My standard: security has to fit the organisation, not the other way around. A good ISMS is not the one with the most documents — it is the one still in use long after the auditor has gone home.
// FAQ
// Contact
Tell me briefly where you stand and what is coming up. I usually get back within one business day.