At a Glance
| Attribute | Detail |
| --- | --- |
| Sector | Financial Technology (seed-to-Series-A) |
| Starting point | Basic security practices, but no ISMS scope, risk linkage, or repeatable evidence |
| Timeline | 12 weeks from kick-off to certification |
| Frameworks | ISO 27001:2022 |
| Environment | Microsoft 365 (SharePoint, Entra ID, Defender, Intune) |
The Challenge
As the business scaled toward Series-A, the pressure came from two directions simultaneously: investors conducting security due diligence, and enterprise procurement teams requiring ISO 27001 before contract execution.
The team had good security instincts — MFA was in place, data was encrypted, access was controlled — but nothing was structured, documented, or defensible. Every security questionnaire meant a multi-week scramble. Every procurement gate was a potential deal-stopper.
The specific gaps were:
- No defined ISMS scope — the boundaries of what was “in scope” for security management had never been formally established
- Fragmented policies — documents existed but weren’t linked to risks, controls, or each other
- No Statement of Applicability — Annex A controls hadn’t been assessed, justified, or mapped to the risk register
- Manual evidence collection — responding to a single security questionnaire consumed two to three weeks of senior time
- No internal audit process — the team had never formally reviewed their own controls
The timeline pressure was real. A Series-A round was in progress. Two enterprise contracts were pending. Certification couldn’t wait six months.
Our Approach
We built a pragmatic, growth-compatible ISMS — structured to satisfy ISO 27001:2022 without creating bureaucratic overhead that slowed a fast-moving team.
1. Scope and foundation
Defined the ISMS scope with precision — covering the systems, processes, and locations relevant to certification, and excluding what genuinely wasn’t in scope. Established leadership roles, security objectives, and the operating cadence for management review.
2. Risk assessment and treatment
Developed a lightweight, repeatable risk methodology suited to a startup environment. Built a live risk register with named owners, risk ratings, and treatment decisions — linked directly to the Statement of Applicability. The SoA was mapped to actual risks, not completed as a checkbox exercise.
3. Control implementation
Prioritised the controls with the highest risk-reduction value and the most visibility in audits and procurement questionnaires:
- MFA enforcement and Conditional Access policies
- Centralised logging and alerting
- Backup and disaster recovery with tested restore procedures
- Supplier security assessments for critical third parties
- Incident response procedure, tested via tabletop exercise
4. Evidence automation
Built a repeatable evidence collection structure inside Microsoft 365 — SharePoint registers, automated policy acknowledgement workflows, and export-ready audit packs. Responding to a security questionnaire dropped from weeks to hours.
5. Internal audit and certification readiness
Conducted a structured internal audit against the ISO 27001:2022 requirements, closed the findings, and prepared the team for the certification audit, including a walkthrough of the auditor's sampling approach and how evidence would be presented.
Results
ISO 27001 certified in 12 weeks — first-time pass, from fragmented policies to a fully auditable ISMS.
The commercial outcomes were immediate:
- Two enterprise contracts that had been pending on security questionnaires moved forward within weeks of certification
- Series-A investors cited ISO 27001 in due diligence as evidence of operational maturity
- Evidence preparation time dropped 50–60% — questionnaires that previously took weeks now took hours
- The live risk register gave leadership a clear, ongoing view of security posture — not a static document reviewed once a year
The ISMS was designed to scale. As the team grew and the product expanded, the scope, risk register, and controls could extend without rebuilding from scratch.
Key Deliverables
- Defined ISMS scope, context of the organisation, and interested parties register
- Risk assessment methodology and live risk register with owners and treatment status
- Statement of Applicability mapped to risks, with justification for each included and excluded control
- Policy suite covering all ISO 27001:2022 Annex A domains
- Evidence collection structure in Microsoft 365 with repeatable export capability
- Internal audit report and corrective action register
- Certification audit support — evidence presentation, assessor Q&A, finding response
The Bottom Line
This FinTech didn’t need a heavy, consultant-led programme that consumed six months and disrupted the team. They needed a structured, defensible ISMS that satisfied ISO 27001 auditors, cleared enterprise procurement gates, and could be maintained by a lean team without ongoing external dependency.
12 weeks. First-time pass. Inside the existing Microsoft 365 environment — with no new tools and no ongoing platform licence.