Run every ISO 27001 engagement from one shop floor.
AFEND consultant mode gives you a portfolio of client workspaces on one login. Your methodology, your templates, your audit scripts - applied consistently across every engagement. The client owns the data and the subscription; you own the delivery.
The four things that make consultant engagements fall apart. Removed.
Context-switching across clients
Four clients means four shared drives, four Notion pages, four policy templates drifting apart. Consultant mode consolidates all four into one portfolio with one set of house templates. You stop paying the switching tax.
The 'which control was this for?' archaeology
Evidence that floats without a control is not evidence. AFEND insists on the link at upload time, which means that six months later, when the auditor asks, you can answer in seconds. Client by client.
The last-minute audit-prep scramble
When the external audit is three weeks out and the policy pack is scattered across four documents in three folders, everyone loses. The readiness pack is always one click away. There is nothing to assemble.
Chasing the client for tool spend
Fronting Excel licenses, Notion seats, or a compliance-tool subscription yourself is the worst bit of an engagement. In AFEND, the client pays the subscription directly on their Stripe - you just arrive, do the work, deliver.
Every client on one screen.
The portfolio is the working surface you return to every morning. One login, every engagement - status, next action, open risks, and one-click drill-down into the workspace that needs you.
Portfolio dashboard
Every client workspace in one list with live program progress, current phase, next gate, and the number of open blockers. Sort by urgency, filter by status, jump in directly to whichever engagement needs you next.
Progress you can trust
Not vanity percentages. Each client's number is computed from 11 weighted milestones in their actual workspace - scope approved, risks registered, SoA approved, policies approved, evidence coverage, internal audit, management review. Real signal, not self-report.
Inbox-free coordination
Every client's open blockers, overdue evidence, and unapproved documents surface in your portfolio. You no longer chase email threads to find out which client is stuck on what.
Role-based access per client
Invited as consultant to a client workspace, separate from their internal team. You see what you need to drive the engagement; the client keeps ownership of the data. Access is revocable the moment the engagement ends.
Your methodology, applied consistently - not reinvented per client.
AFEND ships with the platform-level opinions. Consultant mode lets you layer your shop above, so every new engagement starts from your library instead of a blank page.
Your risk library, forked per client
Start every engagement from your curated risk set instead of a blank register. Each client workspace forks a copy - tuned for that company's scope, owned and evolved in their workspace - while your master library stays yours.
Your policy templates
The 17 AFEND policy templates are the starting point. Consultant mode lets you layer your own house style, clauses, and review cadences on top - applied uniformly across every client instead of copy-pasted from the last engagement.
Your risk methodology
Likelihood and impact scales, thresholds, treatment pathways. Set your house methodology once; apply it to every new client so your deliverables are consistent and defensible across the portfolio.
Reusable audit scripts
Internal audit programs, finding templates, and corrective action workflows. Run the same audit protocol you've refined over years, faster, with less manual setup per engagement.
Versioning + changelog
Every policy edit, SoA approval, and evidence review is timestamped and attributed. When a client asks how we got here, the trail is there - and it survives consultant turnover on your side.
Multi-language UI
English, Spanish, French, German. Client teams read the workflow in the language they operate in, while you stay in English if you prefer. Nothing translates mid-engagement.
Five moves from client invite to handoff.
The 10 ISO phases stay the same - AFEND runs them for you. What changes in consultant mode is who holds the pen: you, authored as a named participant, with every decision attributed.
- 01 You are invited: Client signs up, invites you in
  Client creates the workspace on their account and invites you as Consultant. Takes five minutes. You appear in their workspace and in your portfolio view on the same login.
- 02 You pick the overlay, you set scope
  SaaS, Financial Services, iGaming, IT Services / MSP. The overlay pre-loads the industry-specific risks, high-scrutiny controls, and policy seeds. You walk the client through scope items, interested parties, and obligations. Executive sponsor approves, the gate unlocks.
- 03 You drive the 10 phases
  Risk methodology → register → Annex A decisions → SoA → policy pack → evidence → internal audit → management review → readiness pack. At every phase you work in the client's workspace with your templates, your methodology, and your review cadences. The readiness engine names the blockers so you can drive them out in order.
- 04 You run the internal audit
  As an auditor on the client workspace you execute the Clause 9.2 audit independently of whoever drafted the policies. Findings, severities, corrective actions, and closure are tracked in-product. No separate spreadsheet, no lost records.
- 05 Executive review, then handoff
  Management review (Clause 9.3) captures the sponsor's sign-off. You export the 8-artifact readiness pack and the client hands it to their accredited certification body. You keep read access for continuity into year two.
A clean 8-artifact readiness pack. Auditor-facing. Signed.
The same readiness pack every AFEND workspace ships, assembled from the work you ran. No reformatting, no late-stage reassembly.
- 01 Scope statement
  Clause 4.3.
- 02 Risk register + approved methodology
  Clause 6.1.2 / 6.1.3.
- 03 Statement of Applicability
  All 93 Annex A controls, reasoned. Clause 6.1.3 d.
- 04 17-document policy pack
  Approved, owned, dated. Clause 7.5.
- 05 Evidence map
  Every applicable control linked to evidence with a review cycle.
- 06 Internal audit report
  Findings, severities, corrective actions, verification. Clause 9.2.
- 07 Management review record
  Executive sign-off, decisions, action items. Clause 9.3.
- 08 Readiness summary + cover letter
  Signed and dated by the sponsor. Auditor-facing.
The client pays. You do not front a cent.
Consultant engagements where the consultancy pays for the client’s tooling end badly. AFEND is built the other way: the client subscribes on one of three tiers - Core, Growth, or Regulated - and you are invited in as Consultant on their workspace. Your seat is attached to their subscription at no extra cost. Month-end is clean.
Client owns the Stripe subscription
Billed directly to the client on the plan they choose. They upgrade or cancel on their schedule, not yours.
Consultant seat included
No per-consultant surcharge. Invite yourself, your associates, and your auditor role at no additional line item.
Engagement ends, access ends
Client revokes your access in one click when the engagement closes. Data stays with the client; you simply step out.
Continuity into year two
If the client keeps you on for recertification, stay as Consultant - state is preserved, gates re-evaluated, recertification is a fraction of the year-one effort.
Questions consultants ask before they bring their first client.
Not here? Email ratomir@ratomir.com - it goes direct to someone who has walked programs through audit.
Who pays for AFEND - me or the client?
The client. Every client workspace is billed to the client's Stripe subscription, on their AFEND plan (Core / Growth / Regulated). Consultant seats attach to their workspace at no extra cost to you. You do not front spend to participate, and the client retains the license if your engagement ends. One less thing to chase on the month-end invoice.
What if the client wants to leave me halfway through?
Client-owned data, client-controlled access. If the engagement ends, the client revokes your consultant access in one click and the workspace stays with them with every decision, every policy, every evidence item intact. No export drama, no held-hostage artifacts. It is one of the reasons clients find it easier to hire you in the first place.
Can I keep access after the readiness pack is exported?
Yes - if the client keeps you as Consultant. Year two recertification reuses the workspace state, so staying on as a continuity advisor is the natural next step. If the client does not renew consultant access, you simply leave the workspace the moment the engagement formally ends.
Does AFEND replace my methodology?
No. AFEND carries the platform-level opinions (10 phases, hard gates, the readiness engine, the Annex A catalog, evidence linkage, audit workflow). Your methodology - risk scales, policy house style, audit scripts, review cadences - layers on top. Think of AFEND as the shop floor; your methodology is the technique.
How many clients can I run in parallel?
No hard cap. Early-access consultants are running 3-12 workspaces. The portfolio view and the readiness engine scale - the limit is your own capacity, not the platform. If you run a firm with more than 20 consultants, we have a firm tier with SSO and finer-grained role delegation - email ratomir@ratomir.com.
Can I white-label the platform?
Not at MVP. Your client sees AFEND branding in the app and in transactional emails. Buyers tell us they prefer it this way - it signals that the readiness platform is independent of the consultancy, which helps when the external auditor arrives. If you need a fully branded experience we can discuss firm-tier options.
Does it work with my existing client deliverables?
Yes. Scope documents, risk registers, and existing policies can be imported into a new client workspace and mapped to the SoA + evidence room. You keep the state you already have; AFEND makes it auditable and gate-enforced. Most consultants find the state actually improves once it lives in one system instead of fragmented decks and shared drives.
What about data residency?
Every client workspace is hosted in the EU (Frankfurt region) on Supabase + Vercel with row-level security scoped per workspace. One client's data is cryptographically isolated from every other client, including other clients of yours. A current sub-processor list is available on request.
Bring your first three clients. We’ll get you up in a week.
Email ratomir@ratomir.com with your firm, the industries you work in, and the number of engagements you’re running now. Onboarding is white-glove while we’re in early access.