Credit & Collections
A large client's vendor due diligence required ISO 27001. Under FCA and ICO scrutiny, the exposure was call-recording governance, DSAR handling and the audit trail of collection decisions.
In collections, the sensitive-data surface is unusual: affordability data, recorded calls, and decisions that a regulator or an aggrieved customer can challenge later. The work was to make access, retention, disclosure and the decision audit trail provable - in a way that satisfies both ISO 27001 and the regulator.
Finding 01
Recordings containing personal and financial data had broad access, no review, and no disclosure discipline.
Finding 02
Subject requests were handled ad hoc with no evidence of what was found, disclosed or erased.
Finding 03
Sensitive data was kept indefinitely with no evidenced retention or destruction control.
Finding 04
Collection actions could not always be reconstructed for a regulator or a disputing customer.
Finding 05
Data shared with debt-purchase and outsourced partners had no reviewed assurance evidence.
The firm could show a regulator and a demanding client that sensitive data is accessed, retained and disclosed under control, with a reconstructable decision trail. The due-diligence ISO 27001 requirement was answered on the same evidence base.
In collections the risk is not one audit - it is a regulator or a customer challenging a decision months later. Make access, retention, disclosure and the decision trail provable, and ISO 27001 readiness falls out of the same work.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.