
From TISAX to ISO 27001

Case Study from 1 July 2026

Building a Resilient Management System from Existing Structures

Leveraging its TISAX foundation, CQSE achieved ISO 27001 certification in just five months. The key success factor was a partner who consistently built on existing structures, worked with the internal team as a technical peer, and provided reliable support that extended beyond the audit itself.

For IT & Security Teams
The existing TISAX framework was mapped to ISO 27001, and the current ISMS was strategically expanded without disrupting the existing system landscape. A crucial element was an auditor with experience in cloud and software environments who conducted the audit process entirely remotely and in English. This resulted in a tailored audit setup that fit the technical reality of a software company, rather than a generic approach.

For Management & Decision Makers.
Companies that are already certified and looking to take the next step face a critical question: How can we build upon existing structures without tying up internal resources long-term or creating a parallel project?

Tags
Security & Compliance
Industries
Software (ISV)
Achieving ISO 27001: Permanently Embedding Information Security

The Company

CQSE is a Munich-based software company whose platform, Teamscale, provides transparency and control over software quality for developers, testers, and managers. Its clients include companies from regulated industries, such as the automotive sector, where software quality is considered a business-critical factor. With its existing TISAX certification, CQSE already had a functioning ISMS in place. Processes, responsibilities, and documentation were established and integrated into the existing tool landscape. The challenge was therefore not to build a new structure from scratch but to strategically develop the existing one.

CQSE's story demonstrates how an existing security foundation can be purposefully enhanced to create a system that is not only audit-ready but also functional in daily operations and built to last.

The Situation

  • Five locations, ~80 employees, internal team already at full capacity.
  • TISAX established due to automotive clients, with simultaneously increasing demand for ISO 27001 from other customers.
  • Existing ISMS structures, processes, and documentation were already in place.
  • Previous certification partner lacked understanding of cloud and software environments.
  • Post-certification goal: Ensure the ongoing operation of the ISMS without requiring an additional full-time position.

The challenge

CQSE already had a functioning structure for information security. However, with a growing customer base, the requirements changed. While TISAX was sufficient for the automotive sector, ISO 27001 was increasingly becoming a prerequisite for other clients—and thus a decisive factor for future sales and growth opportunities. It was clear that a classic greenfield approach was not an option. A parallel system would have duplicated existing processes, created additional complexity, and permanently tied up internal resources. Experience with the previous certification provider amplified this risk: an audit process detached from the technical reality might have fulfilled formal requirements but would not have driven genuine progress for the company. This led to a clear requirement: The existing security foundation had to be developed to meet rising demands without creating additional organizational overhead or disrupting ongoing operations.

The Solution

The project began with a gap assessment that evaluated the existing ISMS against the ISO 27001 requirements. This provided a transparent overview of which TISAX structures were already audit-ready and where targeted action was needed. Based on this, the existing framework was mapped to ISO 27001 and systematically enhanced, focusing on audit-critical topics and on clear responsibilities and processes. The implementation was carried out in close collaboration with the relevant stakeholders as a structural evolution of the existing system, not as an isolated compliance project. Finally, CQSE was specifically prepared for the certification audit and supported throughout the entire process. A key success factor was an auditor with experience in cloud and software environments who conducted the audit entirely remotely and in English.

The Collaboration

Looking back, CQSE particularly emphasizes the clarity and reliability of the collaboration throughout the entire process. The initial gap assessment defined a clear path with a fixed scope and timeline, executed as a fixed-price project rather than an open-ended one. Substantive leadership was provided by experienced former auditors and CISOs, not project managers. This allowed well-founded decisions to be made and implemented directly, even on detailed technical questions.

The collaboration was designed for minimal internal effort. Topics were structurally prepared, prioritized, and implemented jointly, avoiding the creation of an additional parallel project within the company. This approach transformed a series of individual tasks into an end-to-end guided process, with clear direction, continuous progress, and a high degree of confidence regarding the certification audit.

What does it look like now and where do we go from here

For CQSE, the ISO 27001 certification means one thing above all: information security is no longer a project but part of daily operations. Requirements can be addressed structurally, audits can be prepared predictably, and new customer demands can be met without additional project overhead. The difference is also evident in sales. ISO 27001 is no longer an obstacle in the sales process but the foundation for engaging with enterprise customers, partners, and investors on an equal footing. Evidence is available, processes are established, and deals no longer fail due to a lack of organizational maturity. At the same time, the internal effort remains low. Clear structures and defined processes ensure that the ISMS functions in daily operations without permanently tying up additional resources.

On this basis, CQSE can continuously develop its ISMS and implement future requirements such as NIS2, SOC 2, or C5—without starting from scratch each time. To secure this long-term development, PCG assumes the role of an extended arm of the internal security team through a vCISO mandate.

About PCG

Public Cloud Group (PCG) supports companies in their digital transformation through the use of public cloud solutions.

With a product portfolio designed to accompany organizations of all sizes on their cloud journey, and with highly qualified staff that clients and partners like to work with, PCG is positioned as a reliable and trustworthy partner for the hyperscalers, with repeatedly validated competence and credibility.

We have the highest partnership status with the three relevant hyperscalers: Amazon Web Services (AWS), Google, and Microsoft. As experienced providers, we advise our customers independently with cloud implementation, application development, and managed services.

Your Contact Person:

Oliver Gehrmann
Business Lead Security & Compliance
