Fintech / Payments
Lots of polished policy documents, a consultant who reviewed uploads to a shared drive, and a Head of Security who was no longer confident any of it would survive a real auditor.
The company had spent real money and produced a thick paper trail. The worry was not effort - it was whether the paper mapped to anything operating. A Mini Gap Review was the low-risk way to test that without tearing up the existing work.
Finding 01
Half the SoA asserted controls that had no operating evidence behind them.
Finding 02
Well-written policies that named no accountable owner and were not reflected in day-to-day process.
Finding 03
It existed, but leadership had never seen it, so it drove no decisions.
Finding 04
The person who wrote the controls was lined up to audit them - a finding waiting to happen.
Finding 05
The most sensitive system had the weakest evidence trail.
The engagement turned a box-ticking paper trail into evidence that could survive Stage 2. The prior consultant's usable work was kept; the gaps that would have caused nonconformities were closed before the auditor found them.
A consultant who reviews uploads to a shared drive produces documents, not readiness. If you cannot show the evidence behind each control, you do not have a control - you have a policy about one.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.