About
An advisory practice for the part of compliance that actually breaks.
Kellwick is a team-led advisory practice focused on ISO 27001 readiness, ISMS maintenance and product-led security governance for regulated technology companies - SaaS, fintech, payments, FX, iGaming and credit platforms.
Most companies do not fail ISO 27001 because they lack policies. They fail because the ISMS is not operated: risks go stale, evidence is scattered, ownership is unclear, and the system only looks compliant on paper. That is the problem we work on.
Why Kellwick exists
Built by people who saw ISO 27001 fail in practice, not on paper.
Too much ISO 27001 work is sold as a documentation exercise: buy a template pack or a compliance platform, generate policies, and hope. It produces a certificate and a false sense of safety, then falls apart at the surveillance audit or the first serious enterprise security review.
Kellwick exists to close the gap between what an ISMS says and what it does. We come from SaaS, fintech, payments and QA governance environments where controls are tested daily by real product delivery, and we bring that operating mindset to readiness and maintenance. The goal is simple: an ISMS that holds up when an auditor, or your next customer, actually looks.
How we work
Evidence over paperwork
Policies do not prove control operation. Evidence does. We look at what your ISMS actually produces - access reviews, incident records, supplier assessments, management decisions - not just what it promises.
Ownership over templates
Controls fail when nobody owns them. We map every control to a real owner in product, engineering or operations, so the system keeps running after we leave.
Product-led, not audit-led
For SaaS and fintech companies, ISO 27001 touches release governance, QA evidence, access control and supplier risk. We connect the ISMS to how your product is actually built and shipped.
Honest readiness calls
If you are not ready, we say so - and show exactly what to fix first. If a readiness review is not the right first step, we tell you that too.
Credentials and background
- IRCA Associate Auditor - ISMS
- CQI Practitioner Member - PCQI
- ISO/IEC 27001:2022 Auditor/Lead Auditor trained
18+ years across SaaS, fintech, payments, enterprise software, QA governance and regulated technology environments - the places where ISMS discipline is tested daily.
What we are not
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.
We do not sell template packs, we do not guarantee audit outcomes, and we do not replace your accredited certification body. We prepare you to face them with confidence.
Confidentiality-first engagement
We can work under your NDA and use your approved document-sharing process. A readiness review does not require production access unless explicitly agreed, and we never ask for sensitive documents before an agreement is in place.