Example engagement — illustrative
Guiding a SaaS provider to first-time ISO 27001 certification
UK SaaS provider (~50 staff) · ISO 27001
The challenge
A growing software company kept losing enterprise deals at the security-review stage because it could not show a recognised information security certification, and needed ISO 27001 to unlock larger contracts.
What we did
- Defined the ISMS scope around the product platform and the teams that build and run it
- Ran a gap analysis against ISO 27001:2022 and prioritised the missing controls
- Built a right-sized set of policies, a risk assessment and a Statement of Applicability
- Embedded operational routines — access reviews, supplier assessments, internal audit and management review
- Prepared the team for the Stage 1 and Stage 2 certification audits with a mock audit
The outcome
The provider passed its Stage 2 audit and gained a certification it could put in front of enterprise buyers during procurement.
Background
For a B2B software company, security questionnaires are part of every enterprise sale — and “we take security seriously” no longer satisfies a procurement team. In this illustrative example, a UK SaaS provider of around 50 people had strong engineering instincts but no formal management system, and kept stalling at the security-review stage of larger deals. Prospects wanted ISO 27001, the internationally recognised standard, and the absence of it was quietly capping the company’s growth.
What we did
We began with scope, because an over-broad scope is the fastest way to make certification painful. We drew the boundary around the product platform and the teams that build and operate it, then ran a gap analysis against ISO 27001:2022. That produced a clear, prioritised list rather than a vague ambition to “get certified”. Our explainer on what an ISMS is helped the leadership team understand what they were committing to.
From there we built a proportionate information security management system: policies that matched how the company actually worked, a risk assessment tied to real threats, and a Statement of Applicability documenting each Annex A control and the justification for including or excluding it. Crucially, we embedded the operational rhythm the auditors look for — periodic access reviews, supplier security assessments, an internal audit and a management review — so the ISMS was demonstrably running, not just written down. A mock audit before the certification body arrived surfaced the last few gaps.
Result
The company cleared the Stage 1 documentation review and the Stage 2 audit of the working system, achieving certification. Just as importantly, it now had a credible answer at the procurement stage, turning security from a deal-blocker into something it could evidence on demand.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.