
ISO 27001 readiness for growing companies, Denmark

ISO 27001 readiness, without certifying twice.

5-7 business day assessment. Annex A gap register, evidence inventory, certification-track plan calibrated to your stage.

  • Azure Solutions Architect Expert
  • 15 years IT leadership
  • 12 external AI advisory mandates since 2019
Behzad Motaghi, founder of Accel Comply

Where to start

Wondering if you are ready to start the certification path, or still building toward it? That's the first question I answer. Half my engagements find the gap is smaller than expected once we map what already exists against the 2022 standard.

The offer

What the assessment covers

5-7 business days from first call to delivery. You get a clear, audit-defensible read of where you stand:

  • ISO 27001:2022 Annex A gap register: 93 controls assessed against your current state
  • Evidence inventory: what you already have, what's missing, where to look
  • Statement of Applicability draft, scoped for an external audit conversation
  • Certification-track plan: realistic timeline to Stage 1 audit, with named owners

From DKK 25,000 fixed for the assessment, agreed in writing before we start. Built for growing B2B SaaS and software-enabled companies. Retainer pricing discussed in the scoping call if you want me to drive the certification programme through Stage 1 + Stage 2.

Credentials and experience

One accountable operator. Senior on the work, every time.

Senior IT and security operator with 15+ years across the Nordics and EEA, working with companies from growing through enterprise scale.

External AI advisory mandates since 2019, including interim CIO leadership at PE-backed groups and AI governance for regulated enterprises.

Azure Solutions Architect Expert. Hands-on across Microsoft 365, Azure, and identity platforms.

Based in Vejle, Denmark. Mobile across Denmark for on-site work, remote-first by preference.

Why generic consulting fails

Where Accel Comply fits versus the alternatives.

Approximate first-year numbers for a typical growing Danish B2B SaaS that needs senior IT, security, and AI leadership. A starting point, not a final quote.

Option                                | First-year cost (DKK)         | Time to productive | Who does the work
Accel Comply retainer                 | Discussed in the scoping call | 1 to 2 weeks       | Named senior operator, end to end
Big 4 / large consultancy             | 800,000-2,000,000+            | 6 to 12 weeks      | Rotating team, partner-pitched, junior-delivered
Internal hire (Head of IT & Security) | 1,200,000-1,800,000           | 5 to 9 months      | Permanent employee, partial scope. All-in 115-130K/month
Subscription advisory platform        | 400,000-700,000               | 2 to 4 weeks       | Rotating juniors on a portal

Figures in DKK, ex VAT. All-in cost for a permanent Head of IT & Security in Denmark is 115-130K/month including pension, holiday, bonus, and employer overhead. Hiring runs 5-9 months end to end.

What this looks like in practice

Three real engagements, anonymised.

Same pattern every time: a concrete trigger, focused work, a measurable outcome. No employer names, no fluff.

01

B2B SaaS: 120 employees

ISO 27001 certification in 4 months (single-site, narrow scope)

Trigger. The company had a growing enterprise pipeline, but every deal over a certain size required ISO 27001 certification. Without it, deals stalled in procurement. The CTO was fielding security questionnaires personally, and the answers were inconsistent. Two large prospects had explicitly said "come back when you're certified."

Work. Started with a baseline assessment against ISO 27001 Annex A controls. Built the entire documentation set from zero: information security policy, risk assessment methodology, statement of applicability, and all supporting procedures. Ran the gap analysis, prioritised remediation by audit risk, coordinated with the chosen certification body, and managed the Stage 1 and Stage 2 audits end to end. The internal team handled their own technical remediations with guidance on what actually mattered for the auditor versus what could wait.

Result. Certified in 4 months from engagement start (single-site scope, narrow Annex A, certification body calendar permitting). Three enterprise deals that had been sitting in pipeline for 3+ months moved to contract within weeks of certification. The CTO stopped spending weekends on security questionnaires.

  • 4 mo: single-site certification
  • 3 deals: unblocked
  • 0: non-conformities

02

FinTech: 80 employees

Security review pass rate: 40% to 95%

Trigger. Enterprise customers were sending detailed security questionnaires as part of their vendor assessment process. The company was failing or receiving "conditional pass" on roughly 60% of them. Each review consumed 15-20 hours of CTO and engineering time, and the responses were inconsistent across different reviewers. Two key renewals were at risk because the customer's security team flagged gaps in the previous year's responses.

Work. Audited all questionnaire responses from the previous 12 months to identify the recurring failure points. Built a structured response library covering the 200 most common questions, with evidence references for each answer. Established an internal evidence discipline: who owns each control area, where the proof lives, and how it stays current. Introduced a triage process so the right person answers each section instead of the CTO doing everything. Ran mock reviews against the two at-risk customers' known question sets before the actual renewal reviews.

Result. Pass rate went from roughly 40% to 95% within three months. CTO time spent on security reviews dropped by about 60%. Both at-risk renewals closed successfully. The response library now gets maintained by the team without external help. Individual result; your starting point and scope will differ.

  • 95%: pass rate
  • 60%: less CTO time
  • 2: renewals saved

03

HealthTech: 200 employees

NIS2 readiness in 6 weeks

Trigger. The board asked management for a compliance plan after NIS2 transposition discussions made it clear the company would likely fall under the directive's scope. Nobody internally had deep enough knowledge of the requirements to build a credible plan, and the consultancy quotes they received were six-figure projects with 6-month timelines. The board wanted answers in weeks, not months.

Work. Ran a focused gap analysis mapping their existing controls to the 10 NIS2 Article 21(2) cybersecurity risk-management measures, sized to their sector and headcount. Identified what was already covered, what had partial coverage, and what was missing entirely. Built a prioritised remediation roadmap organised into 30/60/90-day sprints, with named owners across IT, security, operations, legal, and product. Delivered an executive-ready briefing the management team presented directly to the board, including cost estimates per phase and a realistic timeline.

Result. Board-approved compliance plan delivered in 6 weeks. The company started the first implementation sprint immediately. Management went from "we don't know what NIS2 means for us" to having a concrete, budgeted plan with named owners for every action item.

  • 6 wk: to readiness plan
  • Board: approved
  • 90-day: sprint roadmap

What if you're unavailable?

What happens if I'm unavailable for a longer period?

I have working relationships with experienced peers I can hand off to during an extended absence, with full briefing and documentation. You are told within 24 hours for a planned absence, and as fast as possible for an unplanned one. Your working artefacts live in your own tenancy from day one.

How it works

From form submit to scoped assessment within the same week.

  1. Submit the form

     30 seconds. Four fields. No back-and-forth on calendars.

  2. 30-minute scoping call

     I'll work out with you whether there's a fit and what the right starting point is. No pitch deck.

  3. Assessment starts

     Fixed scope, fixed fee, agreed in writing. Typically within 5 business days of the call.

Get in touch

Tell me what's pressing.

Four fields. I respond within one business day. Same person from first reply through delivery, never handed to a junior.

Not sure if NIS2 applies to you? Read the 5-min NIS2 scope checklist first.


Accel Comply needs the contact information you provide to contact you about our products and services. By submitting this form, you consent to Accel Comply using limited first-party campaign attribution and HubSpot, Google, and LinkedIn conversion measurement for this enquiry, as described in the Privacy Policy. You may unsubscribe from these communications at any time and can withdraw this consent at any time.

Your details stay with me. No CRM-driven nurture sequences. See our privacy policy and DPA before you submit.

Common questions

Straight answers to the questions buyers ask first.

Is NIS2 actually in scope for my company?

That's exactly the first question I answer in the scoping call. NIS2 applies to specific sectors and company sizes; the boundary cases are where most of the confusion sits. I tell you straight whether you are in scope, on the edge, or clear, and what the implication is either way.

Fixed fee or hourly?

Assessments are fixed fee, fixed scope, agreed in writing before any work starts. Retainers are monthly fixed fee with a clear scope note. Hourly billing is reserved for one-off advisory where neither side can scope upfront, and even then I quote a cap.

What do I actually receive at the end of an assessment?

A written report covering current posture, prioritised gaps, a 90-day action plan, and a recommendation on whether to continue together, take it in-house, or stop. You also get the working artefacts (control mappings, evidence inventory, risk register draft) so you own the output, not just the conclusion.

Can you only do partial scope?

Yes. Many engagements start with a single scope (one customer questionnaire, one ISO 27001 gap area, one cloud cost review) and extend later. Scope creep is on me to flag and price, not on you to manage.

Do you sign a DPA?

Yes. Standard DPA terms aligned with GDPR Art. 28, published at /dpa for review before contract signing. Custom redlines accepted within reason. For NIS2-covered entities, supply-chain security clauses aligned with Art. 21(2)(d) are included. For DORA-regulated firms, applicability is discussed in the scoping call, since DORA Art. 28 obligations depend on the nature of system access in scope.

Is ISO 27001:2022 really required, or can we still certify against the 2013 version?

The transition deadline (31 October 2025) has passed. New certifications must now be issued against ISO 27001:2022. If you are already certified to the 2013 version, you have a transition window set by your certification body. The assessment maps your current state against the 2022 standard regardless, since that is what an external auditor will use.

Book a scoping call (30 min)