norm·anker

// ISO 27001 · ISMS · Information security

Information security, properly built.

norm-anker builds information security management systems that fit the organisation — not the other way around. Pragmatic, plain-spoken, no paper mountain and no tool lock-in.

// ISO 27001 / ISMS / Risiko­management / Awareness / Externer ISB

// Three anchors

What the work is anchored on.

  1. 01 / Anker

    Clear

    Policies anyone in the company can read. Reports that fit on a coffee break.

  2. 02 / Anker

    Right-sized

    As much structure as needed, as little as possible. An ISMS for 80 people looks different to one for a corporation.

  3. 03 / Anker

    Reliable

    What gets agreed here also holds up under audit pressure — and in the day-to-day after.

// Services

Four tools. One shared goal: information security that actually holds up.

norm-anker focuses on what works day-to-day. No off-the-shelf packages, just a small set of sharply scoped services that complement each other.

01
norm·anker

ISMS consulting & implementation

From first scoping through certification readiness: we build your information security management system step by step — aligned with ISO/IEC 27001 and shaped around what your business actually needs.

  • Scope, context and stakeholder clarity
  • Risk assessment and prioritised treatment
  • Lean policies and procedures
  • Support up to the external certification audit
02
norm·anker

External ISO / ISMS officer

You need accountability, not a full-time hire. I step in as your external Information Security Officer — operationally responsible, with a clear reporting line into management.

  • Management reviews and reporting
  • Single point of contact for auditors and authorities
  • Action and risk tracking
  • Continuous improvement of your ISMS
03
norm·anker

Security in IT projects

Security belongs in the project, not after go-live. For cloud migrations, vendor changes or new platforms, I bring the security perspective in early — before it gets expensive.

  • Requirements and architecture reviews
  • Vendor and cloud assessments
  • Hands-on support inside running IT projects
  • Sparring partner for CIO/CTO
04
norm·anker

Training & awareness

Security is behaviour, not paperwork. Tailored formats for leadership, IT teams and staff — clear, useful, and without the wagging finger.

  • Management briefings (60–90 min)
  • Team awareness workshops
  • Onboarding modules for new hires
  • Phishing and incident exercises on request

Note: I deliberately do not perform external certification audits myself — independence matters. Instead I work closely with experienced certification bodies and support you all the way up to the audit.

// How we work

Five steps from idea to structures that hold.

A clear approach is half the work. norm-anker follows a model that has proven itself in practice — lean enough for SMEs, thorough enough for certification.

  1. 01

    Intro call

    Free, no strings attached. We clarify what you need, possible paths and whether we fit. Around 30 minutes.

  2. 02

    Baseline assessment

    Where are you today? We review existing structures, documents and processes — and name gaps, risks and quick wins honestly.

  3. 03

    Roadmap

    You receive a prioritised plan with realistic effort and timing. No castles in the sky — a list you can actually work through.

  4. 04

    Implementation

    We deliver together — with your team, not around it. Responsibilities stay transparent, documents stay readable.

  5. 05

    Holding the anchor

    An ISMS is a living thing. On request I stay involved afterwards — as external ISO, in management reviews, or simply as a reliable point of contact.

// Who it fits

For organisations that take security seriously — and effort realistically.

The collaboration is a particularly good fit for:

  • 01

    Mid-sized companies with 50–500 employees that need structure without corporate overhead.

  • 02

    Organisations facing compliance demands from customers, regulators or a parent company.

  • 03

    IT departments without a dedicated security role looking for an experienced external lead.

  • 04

    Leadership teams that want to approach ISO 27001 without getting lost in tools and paperwork.

// Lessons

Three lessons from 30 years in regulated industries.

What I have learned in the cockpit, in banking and at the helm of a business — and which of those carry over into an ISMS.

Lesson 01

From the cockpit: checklists save lives.

// Takeaway

I have held a private pilot's licence since 1993. In aviation nobody accepts "we'll do that from memory". The same applies to an ISMS — and the discipline is good for the day job, too.

Lesson 02

From banking: risks get managed by writing them down.

// Takeaway

If you have built platforms for credit processes and wholesale contracts, you know: short, checkable documents are not red tape, they are how you still know in the morning what you are dealing with.

Lesson 03

From 20+ years of running a business: an ISMS lives on care, not heroics.

// Takeaway

Software platforms that run for two decades don't collapse on audit day — they collapse in the quiet weeks before and after. That is where an ISMS is decided.

Portrait of Oliver Müller — norm-anker // portrait
ISO/IEC 27001 Foundation certificate — APMG International

// About

Behind norm-anker there is a person — not a consulting machine.

For more than 30 years I have built and operated software platforms for regulated industries — aviation, banking and sustainability among them. As Managing Director and CTO at TEQneers GmbH & Co. KG I led an ISO/IEC 27001 certification project from the inside: audits, day-to-day operation and the ongoing care of the ISMS included. I have also backed that hands-on experience with the formal ISO/IEC 27001 Foundation certification. norm-anker bundles that double perspective — practitioner and accountable lead — into one clear consulting offer.

My standard: security has to fit the organisation, not the other way around. A good ISMS is not the one with the most documents — it is the one still in use long after the auditor has gone home. Alongside the consulting work I have lectured at the Baden-Württemberg Cooperative State University (DHBW) in Stuttgart since 2005 in IT security, web development and databases — experience that also feeds into training and workshops for clients.

// Qualifikation
  • Certified: ISO/IEC 27001 Foundation — examined, first-hand knowledge of the standard
  • Implementation, audits and operation of an ISMS under ISO/IEC 27001 — own certification co-built from the inside
  • 30+ years as CTO and managing director across regulated industries (aviation, banking, sustainability)
  • Lecturer in IT security, web development and databases at DHBW Stuttgart (since 2005)
  • Diploma in business administration (BA), business informatics — DHBW Stuttgart

// FAQ

Questions that come up in almost every first call.

01 What sets norm-anker apart from a larger consultancy?
You talk directly to the person delivering. No pyramid of juniors, no project overhead. In return you get a view from the engine room — software and operations background included — instead of a slide-deck show.
02 How long does it take to be ready for certification?
Realistically six to twelve months — depending on size, maturity and the capacity you can free up internally. In the baseline assessment you get an honest estimate instead of a wish number.
03 You're really a developer — why hire you for an ISMS?
Exactly because of that. After 30 years of running platforms for banks and aviation, I know what security looks like in the day-to-day — and where it breaks against reality. That is the difference between a binder with a certificate and an ISMS that holds.
04 Can we book you for a single touchpoint — say an audit briefing or an architecture review?
Yes. Not every request needs a six-month engagement. Half-day reviews, single workshops or sparring before an audit work just as well as a longer engagement.
05 How does the collaboration actually work?
After a free intro call you receive a clear proposal with an effort estimate. Work happens remote, hybrid or on-site — depending on need and location.

// Contact

Let's talk for 30 minutes — no commitment.

Tell me briefly where you stand and what is coming up. I usually get back within one business day.

Send an email Prefer a phone call? That works too — the number is in the footer.