ISO 27001:2022 · Flagship framework

ISO 27001 certification. Without the Excel madness.

Say goodbye to screenshot safaris and audit panic. Kopexa automates your ISMS from asset discovery via API to audit-ready evidence. Less busywork, more engineering.

ISO 27001 certified · Hosted in Europe · SOC 2 Type II · KSPEC open source
ISO 27001:2022 Annex A

Your control catalogue. Interactive.

All 93 Annex A controls, filtered by theme or cross-framework mapping. Click a control and see instantly how it maps to NIS2, TISAX, GDPR, and BSI IT-Grundschutz.

4 Themes

Why Kopexa is different

A dynamic tech company meets a static standard.

Most companies fail at ISO 27001 because they try to squeeze a dynamic tech company into static folders. We flip the script.

The old way

Engineering with Kopexa

Manual inventory

Weeks of Excel upkeep, outdated lists, a scope that is never quite right.

Assets in minutes

API discovery for AWS, Azure and M365. Your scope is ready before the coffee is.

Screenshot safari before the audit

Days of manual evidence collection. Screenshots here, exports there, panic in the audit room.

Continuous sensors

Controls are checked continuously. Evidence sits in the system before the auditor asks.

Dead documents

A PDF written for the reporting date that then gathers dust in the drawer until recertification.

Living risk analysis

When infrastructure changes, the risk profile adapts dynamically. Always current, never stale.

Black-box voodoo

No transparency into how other tools check controls or what runs in the background.

Open-source check logic

Our audit standard KSPEC is open on GitHub. See exactly how we validate technical controls.

Timeline

The engineering path to certification.

Day 1

Instant scope & discovery

Connect your cloud and tech stacks via read-only API. Kopexa builds the asset inventory automatically, defines the technical scope, and delivers a first gap analysis, typically within the first 48 hours.

Foundation

Risk ops & SoA

We map the Annex A controls directly to your infrastructure. Your risk assessment is based on real asset data, not gut feeling. The Statement of Applicability generates itself from technical facts.

Always-On · Engineering-first roadmap

Continuous monitoring

Kopexa runs permanently in always-on mode. Sensors validate configurations continuously. S3 bucket suddenly public? MFA disabled? We know immediately. Evidence collection is no longer a to-do, it is a permanent state of your infrastructure.

Go-Live

Audit & certificate

For the external audit, you give the auditor read-only access to the Kopexa dashboard. They see live that the technical controls work. When you get there depends on your starting point. Our job is making sure the data foundation is right from day one.

Ready to start? We'll find your starting point.

All Frameworks. One System.

Built by GRC Experts for European Mid-Market Companies

ISO 27001 · NIS2 · TISAX · DORA · BSI Grundschutz · GDPR · SOC 2 · KRITIS · PCI-DSS · NIST CSF

Kopexa is built on OSCAL, the open NIST standard for machine-readable compliance frameworks. Every framework, every standard, every regulation: available instantly or custom-built with our Framework Builder.

About the normative text

ISO/IEC 27001:2022 is a trademark of the International Organization for Standardization. This page contains Kopexa's own educational interpretation, cross-framework mapping and implementation guidance and is not affiliated with ISO or DIN. The binding normative text is available from ISO and DIN.

ISO 27001 does not have to hurt.

Start today with automatic asset discovery, continuous evidence collection, and a control catalogue that grows with your infrastructure.