by maximilianburke
36 days ago
We've been ISO 27k certified for years now. ISO 27001 relies heavily on risk documentation and mitigation; you can get around the separation of roles by calling them out as individual risks and making sure the appropriate authority signs off on them (i.e., have an email from the CEO saying "I delegate Bob to create policies and sign off on them, and also perform our internal audits. I recognize the risks this creates, but due to our size we accept them at this time.").
Audits rely on a _certain_ amount of ceremony and theatre.
However, since you typically pay for audits / certifications yourself you might find someone who is willing to entertain the charade if you shop around enough. Probably a solo auditing firm :)