At a glance
- Client: Seed-to-Series-A FinTech handling payment data and sensitive PII
- Goal: Achieve ISO 27001 rapidly without creating heavy bureaucracy
Problem
The team needed investor and enterprise trust quickly. Policies existed, but the ISMS scope, the Statement of Applicability (SoA), and the linkage between controls and risks were incomplete, and evidence collection was ad hoc.
Approach
- ISMS foundation: defined scope, interested parties, roles, and cadences (KPIs, reviews).
- Risk & SoA: adopted a lightweight risk method; produced a current SoA mapped to real risks and treatments.
- Controls & suppliers: prioritised MFA, logging, backups, and hardening; tightened supplier due diligence and contract clauses.
- Evidence automation: centralised evidence in M365 (SharePoint, Entra, Defender, Intune) with retention and repeatable exports.
- Internal audit & readiness: ran the internal audit; tracked corrective actions; prepared for certification body walkthroughs.
Outcome
- ISO 27001 certification in 12 weeks
- Improved sales velocity; fewer security questionnaire escalations
- Clear, sustainable operating rhythm for security
Key Results
- Live risk register with owners/SLAs
- SoA aligned to real risks
- Evidence automation reduced prep time by 50–60%
What we delivered
- ISMS design, policies, cadences
- Risk methodology, register, and SoA
- Evidence register & exports
- Internal audit and certification support