Payments
The breach was contained and the fix shipped. What was missing was the security leadership to make sure it did not happen the same way again. A vCISO turned a one-off scare into a governed program.
The team handled the incident well technically, but the incident exposed governance gaps: unclear ownership, uneven detection and response discipline, and no one steering security improvement against risk. Fixing the bug is not the same as governing so the class of problem is managed - and that needs leadership the firm did not have.
Finding 01
The technical fix had an owner; the governance improvement did not.
Finding 02
The incident revealed gaps in monitoring and a response process that existed only informally.
Finding 03
The immediate cause was fixed, but the governance conditions that allowed it were not addressed.
Finding 04
Directors had no regular, structured view that security was improving against risk.
Finding 05
The certified ISMS did not absorb what the incident taught, because no one was steering it.
The firm turned a one-off scare into a governed security program with an owner, a tested response capability and board-level assurance - built on its ISO 27001 base and aligned to its DORA incident-reporting duties. Security leadership is provided as a service; accountability stays with the firm.
Containing an incident is not governing security. The technical fix has an owner; the governance behind it often does not. A vCISO makes sure the conditions that allowed the incident are owned and closed, not just the bug.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.