ISO 27001 & ISO 42001 Consulting

From gap analysis
to certification
with someone who's done it.

Moonlight helps companies, entrepreneurs, and businesses of every kind build information security and AI management systems that actually work — not just for the auditor, but for the business.

M
Moonlight GRC ISO 27001 · ISO 27005 · ISO 42001 expertise
Expertise
ISO 27001
ISO 42001
ISO 27005
EU AI Act
100% Remote
Async First
0+
Core Standards
0
Target Markets
0
ISO 42001 Experts Globally
0%
Async Delivery

What Moonlight delivers

Every engagement is designed around a real outcome — a certification, a working system, or ongoing compliance confidence.

Core Focus

ISO 42001 AIMS Implementation

Build a compliant AI Management System from scratch — policies, risk assessment, controls, and audit preparation aligned with ISO 42001 and EU AI Act.

Gap Analysis Documentation Audit Prep EU AI Act
Core Focus

ISO 27005 Risk Assessment

Structured information security risk assessment following ISO 27005 — risk register, treatment plan, and evidence-ready documentation your auditor will accept.

Risk Register Treatment Plan ISO 27005
Most Popular

vCISO Retainer

Ongoing monthly support — ISMS or AIMS management, compliance monitoring, incident response, surveillance audit preparation. Your security leader, without the full-time cost.

10–20 hrs/month Monthly Reports Async

ISO 27001 ISMS Implementation

Full-cycle implementation: documentation, process design, team training, internal audit, and Stage 1 + Stage 2 certification support.

Full Cycle 4–8 Months Cert Ready

Gap Analysis

Understand where you are vs. where you need to be. Detailed findings report, prioritized roadmap, and a clear picture of what certification will actually take.

2–4 Weeks Report + Roadmap Presentation

Team Workshop

4–8 hour online sessions: "What is ISO 27001 and how to live with it", "ISO 42001 & EU AI Act for your team", or "Preparing for internal audit". Practical and human.

4–8 Hours Online Custom Topics

The bridge between security and AI governance

01

ISO 27001 + ISO 42001 together

Most consultants specialize in one or the other. Moonlight covers both — and understands how they interact, which matters as EU AI Act compliance overlaps directly with your ISMS.

02

Real implementation, not theory

The deliverables are built to be used — by your team, by your auditor, by your next client. Not documents that sit in a folder and do nothing.

03

You get the founder, every time

No junior handoffs. Every project is run personally by a senior practitioner. You get senior-level expertise throughout — not just at kickoff.

04

Async-first, globally compatible

Designed for teams across time zones. Clear written communication, no unnecessary meetings, documented decisions. Works whether you're in Amsterdam or Austin.

Our mission

Help organizations build genuinely working ISMS and AI management systems — not just for the auditor, but for real business protection and growth.

"We go from zero to certificate together. And we make the system live, not just paperwork."

Built for companies ready to certify

Primary focus on high-value markets where ISO 27001 and ISO 42001 demand is growing fastest.

🇺🇸

United States

Largest market. Strong demand from SaaS and fintech companies preparing for enterprise sales or Series A/B due diligence.

🇨🇦

Canada

Strong fintech and SaaS ecosystem. Growing compliance awareness across Ontario and BC tech corridors.

🇦🇺

Australia

Rising ISO 42001 adoption. Healthtech sector with strong compliance culture and growing AI governance requirements.

🇳🇱

Netherlands

EU AI Act compliance urgency. Dense fintech cluster in Amsterdam with high compliance maturity and EU regulatory pressure.

Ideal client profile

Startups & scale-ups Small & mid-size businesses Entrepreneurs No internal CISO Going for ISO 27001 / 42001 EU AI Act in scope Enterprise client pressure Investor or customer ask

Clear process, no surprises

From first contact to signed certificate — every step is documented and communicated in writing.

01

Discovery

We map your current state, business context, and certification goals. No calls required — async intake form works perfectly.

02

Gap Analysis

Full assessment vs. the standard. You get a prioritized findings report and implementation roadmap with realistic timelines.

03

Implementation

Documentation, process design, and team training. Milestones tracked weekly. You always know what's done and what's next.

04

Audit Ready

Internal audit, evidence review, mock assessment. Then we support you through Stage 1 and Stage 2 with the certification body.

Find the right fit.

Every engagement is scoped and quoted up front, so you always know exactly what's included before we start.

Gap Analysis

Understand exactly where you stand vs. ISO 27001 or ISO 42001, what it'll take to get there, and in what order.

  • Current-state assessment vs. standard
  • Detailed findings report
  • Prioritized implementation roadmap
  • Results presentation

Full Implementation

Complete ISMS or AIMS implementation — from gap analysis through certification. Everything included.

  • Gap analysis (included)
  • Full documentation package
  • Process implementation & training
  • Internal audit
  • Stage 1 + Stage 2 support

Founding Client Offer

Taking on 2–3 founding clients at a reduced rate, in exchange for a written testimonial and permission to share an anonymized case study. Same work, same deliverables.

Apply for Founding Spot

A practice built on doing the work

Moonlight is an independent GRC practice founded by Kateryna Basenko — with ISO 27001, ISO 27005, and ISO 42001 expertise, serving clients internationally.

The practice is built around one principle: quality over speed. We take one new client at a time, which means every engagement gets full attention. We don't pass projects to juniors, don't use boilerplate that doesn't fit, and don't disappear after handing over documents.

We work completely async — no standing calls, no unnecessary meetings. Communication is written, decisions are documented, and you always know what's happening and why.

If you understand why you need an ISMS or AIMS (not just "because an enterprise client asked"), have a realistic budget and timeline, and have someone on your side who owns the project — we'd love to talk.

ISO 27001 Auditor ISO 27005 Auditor ISO 42001 (in progress)
Quality over speed

Better to do less, but do it right. We never deliver unfinished work.

Responsibility

If we take a project, we see it through. Our success equals your certificate.

Honest timelines

If something is outside scope or timelines are unrealistic — we say so before signing, not after.

Continuous development

Standards evolve — we stay current. ISO 42001 Lead Auditor certification in progress for 2026.

Common questions

Not necessarily — it depends on whether you use AI systems in a meaningful way. ISO 27001 is the foundational standard for information security. ISO 42001 builds on top of it for organizations developing or deploying AI. If you use AI tools for customer-facing decisions or internal operations, the combination is increasingly expected — especially in EU markets with the AI Act in effect.
For a company starting from scratch, realistic timeline is 4–8 months — this includes gap analysis, full documentation, process implementation, internal audit, and Stage 1 + Stage 2 with the certification body. Companies that already have some controls in place can move faster. Anyone promising certification in 6–8 weeks is cutting corners that will show up in the audit.
No. Moonlight is designed to work completely asynchronously — all communication happens via email and written updates. Decisions are documented so nothing is lost. This also means we can work with any time zone without scheduling headaches. If you strongly prefer a kickoff call, we can accommodate that, but it's not the default.
A gap analysis tells you where you are vs. where the standard requires you to be, and what it will take to close the gap. Full implementation means actually closing those gaps — building the documentation, training the team, running the internal audit, and guiding you through certification. Most clients start with a gap analysis and then move to implementation.
Once you have an ISMS or AIMS in place, it needs to be maintained — policies updated, risks reviewed, incidents handled, surveillance audits passed. A vCISO retainer is 10–20 hours per month of senior-level support to keep your system working and your certification valid. It's the difference between a system that helps your business and one that expires on a shelf.

Let's talk about your project

Tell us where you are, what standard you're targeting, and your timeline. We'll get back to you within 48 hours — in writing.

or reach out directly

Response within 48 hours · Fully async · No calls required to get started