Payments
A card scheme and a sponsor bank required ISO 27001 alongside existing PCI DSS. The win was not new controls - it was reusing PCI evidence and finding the genuine ISO-specific gaps.
ISO 27001 and PCI DSS share a lot: access reviews, change management, cryptographic controls, incident logging. Treated in isolation, ISO becomes a duplicate project. Treated as a bridge, most of the evidence already exists - the work is scoping which PCI evidence carries across and where the genuine ISO-specific gaps are.
Finding 01
Strong PCI records for access, change and key management existed but were never mapped to the ISO controls they satisfy.
Finding 02
The proposed ISMS scope missed settlement/routing systems the scheme cares about.
Finding 03
The change-freeze discipline around reconciliation existed operationally but had no audit evidence.
Finding 04
Scheme security-program and sponsor-bank requirements were not reflected in the Statement of Applicability.
Finding 05
Management review, internal audit and risk-register discipline (not a PCI focus) were thin.
The PSP satisfied the scheme and sponsor bank's ISO 27001 requirement by reusing most of its PCI DSS evidence and closing only the genuine gaps - one evidence base answering both frameworks instead of two parallel projects.
If you already run PCI DSS, ISO 27001 is not a second project - most of the evidence carries over. Map it once, fix the genuine ISO-specific gaps, and one base answers both the scheme and the standard.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.