Fintech
The certificate was on the wall and the ISMS stopped moving. Risk aged, reviews lapsed, DORA obligations piled up. A managed ISMS retainer turned surveillance from a scramble into a routine.
Certification is a moment; conformity is continuous - and DORA makes maintenance non-optional for a financial entity. The fintech had no one keeping the ISMS operated between audits, so evidence went stale and DORA obligations that are continuous by design were handled in bursts, if at all.
Finding 01
The register had not moved since certification and no longer matched the business.
Finding 02
Reviews that need a cadence had simply stopped happening between audits.
Finding 03
Incident-reporting readiness, resilience testing and the ICT third-party register were treated as one-offs, not ongoing duties.
Finding 04
Control evidence was current at audit time and untended afterwards, so each surveillance became a scramble.
Finding 05
Management review happened just before the auditor arrived, not as a running governance habit.
Surveillance became a routine checkpoint rather than a scramble, and the fintech's DORA obligations were maintained continuously instead of in bursts - one team keeping the ISMS operated between audits. Certification and DORA supervision remain with the certification body and the regulator.
An ISMS that only moves at audit time fails the year in between - and for a DORA entity, maintenance is not optional. A managed retainer keeps risk, evidence and DORA obligations current, so surveillance is a checkpoint, not a crisis.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.