cycleqa.com
ISO 27001:2022 · CycleQA AS · Moss, Norway

Built for the journey we're on ourselves.

CycleQA AS runs its own compliance programme in CycleQA. Not a demo. The real system — the same risks, NCRs, supplier relationships, and policy documents that any regulated company manages. This is what that looks like.

Image: ferry crossing open water at dawn. The crossing. The same journey our customers make when entering a regulated market.

The situation every regulated company knows

You build a product. You find customers. You enter a regulated market — or your customer is already in one and asks about your security posture. Then someone hands you the ISO 27001 control list and the gap between where you are and where you need to be becomes very concrete, very fast.

CycleQA AS was incorporated on 8 May 2026. The compliance programme started the same week. That is exactly where CycleQA AS is today. A SaaS company serving precision manufacturers in regulated industries across DACH and Scandinavia — customers who hold their suppliers to the same standard they hold themselves. We are on the same journey. We manage it in the same system.

The tool doesn't assume you're already compliant. It helps you get there — by making open items visible, owned, and moving. We built that because we needed it ourselves.

Our own QMS, running our own compliance

CycleQA AS was created in May 2026 and immediately started a realistic ISO 27001 gap closure programme. Not as a sales demonstration — as an active compliance project that we are working through in production.

10 · Identified risks — scored, owned, reviewed
7 · Open NCRs — 3 critical, 3 major, 1 minor
7 · Policy documents — in draft, moving toward approval
15 · Standards referenced — ISO 27001, GDPR, and more

Every one of those items is live in the system right now, with due dates, assigned owners, and links connecting risks to NCRs to documents to the overarching situation. When we sit down with you for a pilot conversation, we open the app — not a slide deck.

How the system works in practice

ISO 27001 is not just a list of controls to tick. It requires you to identify risks, raise findings against your own procedures, track them to closure, and maintain evidence that you did. CycleQA structures that workflow across five interconnected modules — and we use all five of them for our own programme.

Risks · Live
10 risks identified, scored, and assigned
2 high-severity risks (score 15 and 12), covering data availability and incident response. Each risk has a category, owner, score, and review date. All linked to the ISO 27001 gap closure situation.

NCRs · Live
7 non-conformances raised against our own company
Opened against CycleQA AS using the same 5W2H D2 problem description format we recommend to customers. NCR-004 has a full 8D populated — D1 through D8. Due dates, owners, and linked standards for every item.

Documents · Live
7 policy documents — from draft to approval
Information Security Policy, Incident Response Plan, Backup Procedure, Data Classification Policy, Asset Inventory, Change Management, Privacy Policy. All in draft state, each linked to the NCR that requires it.

Suppliers · Live
5 critical suppliers — mapped, located, DPA status tracked
Each with compliance status, and links to the open DPA non-conformance.

Situation · Live
One situation linking everything
SIT-CQA-2026-001 connects all 7 NCRs, all 10 risks, all 7 documents, and 5 suppliers in a single timeline view. 4 phases defined with milestones and owners. 26 situation links — nothing falls through the cracks.

The closure programme — a real project, not a plan

Compliance programmes fail when they exist only in spreadsheets and meeting notes. Ours exists in CycleQA — with a situation number, phase milestones, and every open item linked to an owner and a due date. The system is the accountability mechanism.

Phase 1 · May–June 2026 · Active
Critical gap closure
Backup procedure documented and restore-tested against the production database. Incident response plan written, including the Datatilsynet 72-hour notification procedure. Data Processing Agreements signed with the root server provider, the email hosting provider, and AI systems. Parts inventory formalised as the ISO 27001 control 5.9 asset inventory. Data classification policy — four levels, all data assets mapped.
Phase 2 · July–September 2026
Partial control completion
Penetration test by Norwegian security firm. Change management procedure and secure development lifecycle documented. Endpoint security policy. Target: 70%+ controls fully implemented.
Phase 3 · Q4 2026–Q1 2027
External audit readiness
Gap assessment by accredited Norwegian certification body. Formal ISO 27001:2022 audit when pilot customer volume justifies the investment. Full audit readiness — the same milestone our customers in regulated industries work toward.
Phase 1 due dates — in the system
NCR-001 (backup procedure) · NCR-005 (DPAs) → 2026-06-01
NCR-002 (incident response) · NCR-003 (asset inventory) · NCR-004 (data classification) → 2026-06-15

What this means when you're evaluating us

Every QMS vendor will tell you their platform is secure, auditable, and built for regulated environments. We can show you ours — live, in the same production system your data would run on, with the same workflows your team would use.

More importantly: we understand where you are. If you are entering a regulated market, preparing for a supplier audit, or responding to a customer's ISO 27001 questionnaire — we have been in that exact position. The tool was built to solve it, because we needed to solve it ourselves.

Discipline fades. Good people leave. The companies that endure are where the workflow carries the standard — where doing it right is faster than not doing it right, because the system makes it easy. That applies to us too.

When we meet for a pilot conversation, we will open the app and walk you through our own risk register, our own open NCRs, our own policy documents. Not a curated demo database. The real system. The honest picture. You can judge the tool by how we use it.

Start the conversation
Ask us anything about how we handle security and compliance.
We read every question personally and respond directly from — not a support queue, not an automated reply.
Can I see a live demo of your own compliance data in the system?
How does CycleQA handle our data under GDPR and Norwegian law?
We need our QMS vendor to be ISO 27001 certified — what is your timeline?
What happens to our data if we stop using CycleQA?
Your question and email are stored securely in our own QMS and used only to respond to you. No marketing lists, no automated follow-up.