FX & Trading
A liquidity provider and the broker's bank both demanded ISO 27001. With eight weeks to Stage 1 and no owner for the management system, the risk was failing on the basics - not the technology.
The broker had policies and a compliance platform, but nobody owned the ISMS as a system. Access across MT4/MT5, PSPs and the IB portal had grown organically over years, and no one could answer the questions an auditor asks first: who approved this access, who can export client data, who can change IB terms. With Stage 1 eight weeks out, the real exposure was the management system, not the trading platform.
Finding 01
Several people held platform admin rights with no approval record and no periodic review. Two belonged to staff who had changed roles.
Finding 02
Leavers retained access to the CRM and a PSP portal months after departure - an evidence hole an auditor finds in minutes.
Finding 03
One PSP back-office login was shared across the payments team, so no action could be attributed to a person.
Finding 04
The SoA was a draft that did not map to how the broker actually operates. Stage 1 stops here, every time.
Finding 05
Downloaded from a template, it never mentioned liquidity providers, IB terms, withdrawal controls or PSP dependency - the risks that define this business.
Finding 06
A mandatory clause requirement, and a hard Stage 2 blocker, had simply not happened.
The broker went into Stage 1 with the six blockers closed and an evidence index that matched its SoA - instead of discovering the gaps in the room. The certification decision remained with the accredited body, but the management-system failures that most often stop Stage 1 were no longer there.
Brokers rarely fail on technology. They fail because access grew faster than the evidence, and nobody owned the management system. Find that eight weeks out and it is fixable; find it on audit day and it is not.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.