A client of ours, a logistics software provider selling into larger enterprises, kept stalling at the same point in every deal: the prospect’s security questionnaire. Each one asked for evidence of controls the team mostly had in practice but had never written down, alongside a few they genuinely did not. The deals slowed while the founders filled in spreadsheets from memory, and a couple were lost to competitors who could simply hand over a SOC 2 report.

They did not come to us asking for a certificate. They came asking why every promising conversation went quiet the moment procurement got involved, and what it would take to stop that happening. The honest answer was a mix of work they could be proud of and a few things they would rather not have found.

The challenges we had to solve

  • The questionnaires spanned systems nobody had inventoried. There was no confident answer to a simple question: who can reach production, and how.
  • Access had accreted over years. Ex-contractors still held live credentials, and a couple of shared logins were doing the rounds because they were convenient.
  • Some gaps were real and material: no tested backups, no logging anyone could actually use. Dressing those up would have been dishonest, and useless the first time an assessor probed.
  • Whatever we put in place had to be sustainable by a small team, not a second full-time job bolted onto people already shipping a product.

How we approached it

We started with an honest inventory of systems, data and access. That single exercise answered most of the questionnaire on its own, and it surfaced the access that should never have persisted. We cleaned it up to least privilege, put real joiner and leaver steps in place, and ended the shared logins. Then we closed the gaps that carried real risk, in priority order: backups that were actually restored and verified, centralised logging with basic monitoring on top, and security folded into how the team ships code rather than inspected at the end.

Only then did we map the work to the SOC 2 and ISO 27001 controls the customers kept asking about, and document the controls the team genuinely operated, so the eventual report would describe something true. A Type II report attests to how controls ran over a period, not how they looked on one good day, so there was no point claiming anything we could not sustain. The certificate is theirs to hold; our part was helping them earn it without it becoming a second job.

The aim was never a clean-looking binder. It was an account of the business the founders could sit in front of and defend, line by line.

Where it stands

The client now answers a security questionnaire from a single, current account of what they run and how it is protected, rather than from memory under deadline. The controls that were once theatre are real, the access that should not have existed is gone, and the security review has stopped being the place deals go to die. They still have plenty to keep improving, but they no longer dread the question.
