Fintech
The board kept asking how good our security is and got a different answer each time. NIST CSF 2.0 profiles gave one honest picture - current state, target state, and the path between.
ISO 27001 is largely binary - you conform or you do not. NIST CSF 2.0 is built for maturity: current and target profiles, and tiers describing how rigorous and adaptive the program is. The fintech had certification but no way to express trajectory or priorities to a board in a language it could track year over year.
Finding 01
The firm could not state its posture across the CSF functions in a single, honest view.
Finding 02
There was no agreed 'where we are heading', so security investment had no anchor.
Finding 03
Nobody had placed the program on CSF implementation tiers or explained why.
Finding 04
Updates listed purchases and projects, not risk or maturity the board could weigh.
Finding 05
Roadmap items were not linked to the gaps that actually mattered most.
The fintech gave its board and investors one coherent maturity picture - current profile, target profile, tier and a prioritised path - that it can report against each cycle, built on its ISO 27001 base. Maturity is a direction of travel, not a guarantee; the board finally had a consistent way to see it.
ISO 27001 tells a board you conform. NIST CSF 2.0 tells them how mature you are and where you are heading. For a scaling fintech, the profile is the artefact that turns 'how good is our security?' into a plan.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.