Straight answers to the questions we hear most. If yours isn't here, reach out directly.
No. TobaSec is not a certification body and does not issue certificates of any kind.
ISO 27001 and ISO 42001 certificates are issued by accredited third-party certification bodies — independent organizations that perform the formal certification audit and grant the certificate when your organization passes.
A certification body (also called a registrar or CB) is an accredited organization that performs the formal Stage 1 and Stage 2 certification audits and issues the ISO certificate. They are independent evaluators. You hire them to assess you.
An audit readiness consultant like TobaSec works on your side — before the CB audit — advising on what controls are required, identifying gaps, and guiding your team on exactly what needs to be in place. Your organization owns the implementation. We make sure you know what to build, how to build it, and whether it'll hold up under scrutiny.
Think of it this way: the certification body is the exam. We're the prep.
Our entire practice is built around four frameworks:
ISO 27001:2022 — Information Security Management System (ISMS) audit readiness advisory and internal controls guidance.
ISO 42001:2023 — AI Management System (AIMS) audit readiness, governance frameworks, and AI Impact Assessment (AIIA) support.
EU AI Act — Risk classification, obligations mapping, and technical documentation for organizations deploying AI in the EU.
NIST AI RMF — Operationalizing the NIST AI Risk Management Framework across GOVERN, MAP, MEASURE, and MANAGE functions.
ISO 27001 requires you to build and operate an Information Security Management System (ISMS). The 2022 edition's Annex A lists 93 reference controls across 4 themes (organizational, people, physical, and technological); you decide which apply and justify each inclusion or exclusion in your Statement of Applicability. Audit readiness means your ISMS is genuinely implemented, not just documented, and that your evidence trail holds up under scrutiny.
In practice this means: a completed Statement of Applicability (SoA), a working risk register, policies that people actually follow, internal audit records, management review evidence, and control implementation that's testable.
It depends heavily on your starting point. An organization with some existing security controls and documentation can be certification-ready in 3–6 months. One starting from scratch in a more complex environment typically takes 6–12 months.
The gap assessment at the start of the engagement gives you a clear, honest picture of where you are and how long it realistically takes to close the gaps. We don't overpromise timelines.
Yes. A lot of our engagements come in mid-build — organizations that started with good intentions but stalled, went in the wrong direction, or are approaching their Stage 1 audit and realize they're not as ready as they thought.
We assess where you are, identify what's solid and what needs work, and help you close the remaining gaps on a realistic timeline. There's no penalty for starting — just tell us where you are.
ISO/IEC 42001:2023 is the first international standard for AI Management Systems (AIMS). It provides a framework for organizations that develop or deploy AI to manage the risks, governance, and societal impacts of that AI responsibly.
You likely need it — or will soon — if your organization deploys AI systems in regulated industries (healthcare, finance, government), serves EU customers and falls under the EU AI Act, has enterprise clients requiring supply chain AI governance, or wants to demonstrate responsible AI practices to customers and stakeholders.
ISO 27001 is about protecting information — confidentiality, integrity, availability of your data and systems. It's well understood, widely adopted, and maps to a clear set of technical and organizational controls.
ISO 42001 is about governing AI — how you design, deploy, monitor, and manage AI systems responsibly. It introduces AI-specific concepts like AI Impact Assessments (AIIAs), AI objectives, stakeholder impact analysis, and lifecycle controls that have no direct equivalent in 27001.
The two standards share the same high-level structure (Annex SL/HLS), so organizations with an existing 27001 ISMS can integrate 42001 more efficiently — but the controls are substantively different and require specialized knowledge to implement correctly.
They address overlapping concerns from different angles and can be mapped together effectively.
The EU AI Act is a regulation: legal obligations imposed on organizations that develop or deploy AI in the EU, particularly around high-risk systems. ISO 42001 is a voluntary management system standard, but implementing it creates evidence of compliance with many EU AI Act requirements.
The NIST AI RMF is a US-origin voluntary framework focused on AI risk management across four functions: GOVERN, MAP, MEASURE, MANAGE. It complements ISO 42001 well and is often required by US federal clients or defense contractors.
When a client needs multiple frameworks, we map the controls so you're building once and satisfying several requirements — not duplicating effort across three separate programs.
An AI Impact Assessment is required by ISO 42001 for the AI systems in scope of your AIMS: Clause 6.1.4 defines the assessment process and Clause 8.4 requires you to carry it out. It's a structured analysis of how a given system could impact individuals, groups, and society, covering the likelihood and severity of those impacts and your mitigation measures.
It's one of the most time-consuming and organizationally challenging parts of an ISO 42001 implementation. Most organizations underestimate the scope until they try to do one for the first time.
Every engagement starts with a no-obligation discovery call. We learn about your organization, your existing controls, your target framework, and your timeline. From there, we scope the engagement and agree a fixed fee before any work begins.
A typical ISO 27001 or ISO 42001 readiness engagement runs in three phases: assess (gap analysis, current state), advise (control-by-control guidance, documentation requirements, evidence expectations), and verify (internal audit advisory, pre-certification review). Your team does the implementation throughout; we direct the work rather than doing it.
You work directly with the principal consultant throughout. No account managers, no junior handoffs.
We work best with mid-market and growth-stage organizations — typically 50 to 2,000 employees — that are serious about getting certified or compliant and want a senior expert doing the work, not a big firm billing junior hours at senior rates.
Fixed fees, scoped upfront. You know the cost before any work begins. We don't bill hourly and we don't do open-ended retainers.
Scope is defined by deliverables — what we produce, what we test, what we hand off. Any work outside the agreed scope requires a signed change order. No surprises.
Pricing varies by engagement size, framework, and your current state. The discovery call gives us enough information to produce a proposal with a fixed number attached.
Fill out the contact form on our homepage or email us directly at hello@tobasec.io. Tell us your organization, the framework you're targeting, and where you are in the process — even if the answer is "no idea, just starting."
We'll schedule a discovery call, learn about your situation, and come back with a clear proposal. No obligation, no sales pressure.
The best answers come from a conversation. Tell us about your situation and we'll respond within one business day.