A SaaS company had decided it needed ISO 27001, mostly because larger prospects kept asking for it. They had started the way many do, by buying a stack of policy templates and filling in the blanks. By the time they reached us, they had a thick binder of documents that described a security programme nobody actually ran. The gap between the paperwork and the practice was wide enough that any decent auditor would have found it, and the team knew it.
The honest conversation up front was that a certificate describing controls you do not operate is worse than no certificate, because it sets an expectation you cannot meet under scrutiny. They agreed, which made the rest of the work possible.
The challenges we had to solve
- The documentation described an idealised company, not the real one. Policies referred to roles, reviews and registers that did not exist in practice.
- Risk had never been assessed in any grounded way, so the controls were a generic checklist rather than a response to what could actually go wrong here.
- The framework was being treated as a one-time project with an end date, when its whole value is the recurring rhythm of operating and reviewing controls.
- A small team could not sustain a heavyweight management system, so anything we built had to be light enough to actually keep running.
How we approached it
We set the binder aside and started from how the company actually works: what it builds, what data it holds, what would genuinely hurt if it went wrong. From that we ran a risk assessment that meant something, and chose controls because they addressed a real risk, not because a template listed them. The access cleanup, the logging, the supplier review, the change process: each one we put into real operation first, then documented as it ran, so the Statement of Applicability described the company rather than an aspiration. That order matters because the Statement of Applicability is the document an auditor samples from: for each Annex A control it records whether the control applies, why, and whether it is in place, and every "implemented" entry is an invitation to ask for evidence that it is.
Just as important, we set up the recurring cadence the standard actually requires: management review, internal audit, and a process for recording nonconformities and carrying corrective actions through, all sized so the team can keep them going without a dedicated department. ISO 27001 certification runs on a three-year cycle, with surveillance audits in between and recertification at the end, so a programme that only works the week before an audit is a programme that fails. The certificate is theirs to earn and hold; our part was making the underlying discipline real enough to stand behind it.
An auditor reads documents, but they test reality. The only safe documentation is the kind that describes what you genuinely do.
Where it stands
The company now runs a security programme that matches its paperwork, because the paperwork was written from the practice rather than the other way round. The reviews happen on a schedule the team can keep, and the controls are theirs, not a consultant’s template. When the audit comes, they will be describing something true, which is the only version worth having.