SaaS
A large enterprise contract stalled on a security questionnaire the team kept answering inconsistently. The problem was not the questions - it was that the answers were not backed by evidence.
Enterprise security reviews stall deals when the answers cannot be backed by evidence. The team was improvising responses under time pressure, contradicting itself, and had no reusable library - so every questionnaire started from scratch and eroded buyer trust.
Finding 01
Sales, engineering and ops answered overlapping questions differently, which the buyer's security team noticed immediately.
Finding 02
Several 'yes' answers described controls that were aspirational, not in place - a fast way to lose credibility.
Finding 03
Nothing ready to attach when the buyer asked to see proof behind an answer.
Finding 04
Every questionnaire was answered from memory, so quality never improved.
Finding 05
No trust page or coherent narrative to point the buyer to.
The questionnaire went back with consistent, evidence-backed answers and the deal moved forward. The answer library and evidence pack were reused across the next several enterprise RFPs, so each one got faster instead of starting over.
Security questionnaires do not stall on the hard questions. They stall when answers are inconsistent and cannot be proven. Answer once, back every answer with evidence, and reuse it - the next review gets easier, not harder.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.