
Harald Messemer

Latest release

ISO 27001 for Software Companies Volume 4 - Dual Compliance

Most software companies don't "just" need ISO 27001. They need ISO 27001 plus something else: GDPR, SOC 2, NIS2, customer security questionnaires, industry requirements, or internal governance frameworks. Volume 4 shows how to design one security system that satisfies multiple obligations without duplicating work or fragmenting evidence.

What you'll get:
- Mapping + harmonization patterns ("control reuse"): one control, many outputs
- Stable control library + evidence model that scales across audits and frameworks
- Guidance on overlapping domains (access control, vendor risk, incidents, data protection, secure development)
- Exception handling + compensating controls without breaking governance coherence
- Strategy: what to certify vs. attest, sequencing audits, avoiding recurring last-minute chaos

What it helps you produce: a single control system and evidence baseline that supports multiple audiences - auditors, regulators, customers, and procurement.

Typical questions this volume answers:
- How do we map ISO 27001 controls to GDPR/SOC 2/NIS2 without creating duplicate work?
- What should be "one global control" vs. "framework-specific add-on"?
- How do we handle exceptions and compensating controls without undermining governance?
- What's a sane sequencing strategy for certifications/attestations in a scaling company?

Who it's for: teams facing multi-framework reality (customers, regulators, enterprise procurement) that want to reduce compliance overhead while improving security consistency.

Books by Harald Messemer