Regulatory Topics

MAKE A FINTECH ISO 27001 AND SOC 2 COMPLIANT WITHIN 1 YEAR

Customer type: a small fintech with tier 1 banks as customers

Challenge: if this company could not present ISO 27001 and SOC 2 reports to its customers, it would be subject to extensive audits from each and every one of them to prove it had its business under control, as a condition of keeping that business.

Approach: This was a relatively small fintech, so hiring a CISO, a DPO and a project team to implement the controls required for ISO 27001 and SOC 2 was not an option. Instead, we started from the idea that we needed to be in control of our development and delivery, and that we needed to be able to deliver proof of that control as part of normal business operations. So instead of setting the goal as becoming ISO and SOC certified, we set the goal as being in control of our development and delivery, and ISO and SOC became a means to that end. In the end, this proved to be the way to get the die-hard developers on board and win their full support for the project. We then signed a contract with a company that offered CISO and DPO as a service; by doing this, we got access to very experienced CISO and DPO people without the need to carry them full-time on our payroll. Only then did we bring on board a very senior and experienced consultant to set up and deliver the ISO 27001 and SOC 2 projects. That external consultant brought all the knowledge we needed, implemented the (SaaS) tooling to support the project and the ongoing controls and proof points, and we as line management took care of the change management part.

Result: within 1 year of starting the project we had our ISO 27001 certificate, and 3 months later we received our SOC 2 report, at minimal project cost.