The Challenge: A Tight Clock and High Stakes
ASMIP Medical Center "St. Panteleymon" is a Bulgarian medical institution. They handle sensitive patient data, operate critical healthcare services, and fall squarely under NIS2 as an essential entity. That means the compliance bar is high, and the consequences of not meeting it are serious.
When they reached out to us, they had a clear problem. An audit window was opening in roughly a month, and they didn't have a formal compliance framework in place. No ISO27001. No mapped NIS2 controls. No documented evidence package. Just a team that knew they needed to act fast and wanted to do it right.
We sat down, looked at the timeline, and told them it was tight but doable. Then we got to work.
Month One: What Actually Happened
Here's the thing about a 30-day runway. You don't have time for theoretical discussions or drawn-out planning cycles. Every week needs a clear deliverable. So we broke it into four phases.
Week 1: Gap Analysis and Roadmap
We started by mapping everything they already had against NIS2 requirements and ISO27001 control objectives. Some controls were in place informally: staff knew the right things to do, they just hadn't documented them. The gaps we found were concentrated in three areas: incident response documentation, supply chain risk assessments, and recovery testing evidence.
We built a prioritised roadmap. Week by week, owner by owner. No ambiguity about who was doing what.
Week 2: Documentation and Evidence Building
This was the heaviest week. Policies needed writing. Procedures needed formalising. The evidence package for the audit needed to show not just that controls existed, but that they were actively used and reviewed.
We drafted the core documents together: an information security policy aligned to the risk-management measures in NIS2 Art. 21, an incident response plan covering the incident-handling requirements of Art. 21 and the reporting obligations of Art. 23, a business continuity framework, and a third-party risk management process. Their internal team reviewed, adjusted, and approved as we went. It had to be their policy, not ours.
Week 3: Remediation and Hardening
With the documentation in place, we turned to the technical side. Access controls were tightened. Logging configurations were reviewed and extended. Backup verification procedures were tested and documented. We ran a controlled recovery test to prove the restore process worked end to end.
The team achieved 11 minutes from detection to containment in a simulated phishing scenario that week. Not bad for a medical centre that hadn't run a tabletop exercise before.
Week 4: Pre-Audit Walkthrough
The week before the audit, we ran a full mock audit. Every control, every piece of evidence, every interview question. We walked the team through what the auditor would ask, what to show, and how to frame their responses.
We found three minor documentation gaps during the walkthrough. Fixed them same day.
The Result: Zero Findings
The audit came and went. Zero findings. Not a single non-conformity.
That's not common for a first-time audit, especially in healthcare. Most organisations coming in fresh expect partial compliance or a remediation plan. ASMIP Medical Center "St. Panteleymon" went in ready and came out clean.
The auditor's closing comments were notable: they specifically highlighted the clarity of the incident response documentation and the evidence of tested recovery procedures as strengths.
Beyond the Audit: Maintaining the Standard
Passing the audit was the milestone, not the finish line. NIS2 and ISO27001 aren't one-and-done checkboxes. They require ongoing control maintenance, periodic reviews, and continuous monitoring.
We now manage that entire lifecycle for ASMIP Medical Center "St. Panteleymon". Regular control reviews. Patch cycle verification. Access recertification. Tabletop exercises. Quarterly reporting. The team at St. Panteleymon doesn't need to worry about compliance drift, because it's caught before it becomes an audit finding.
They focus on running a medical centre. We focus on keeping their security posture audit-ready at all times.