SaaS
A large US customer wanted the vendor mapped to NIST CSF 2.0. The team had ISO 27001 but no crosswalk, and the framework's new Govern function was exactly where the evidence ran thin.
NIST CSF 2.0 (2024) added the Govern function and reframed the rest around it. ISO 27001 maps heavily onto the framework, but not one-to-one, and a certificate is not a CSF profile. The vendor could not show the crosswalk, could not evidence governance the way CSF 2.0 expects, and had no current-versus-target profile to demonstrate a trajectory.
Finding 01
The team could not show which Annex A controls satisfied which CSF categories, so real evidence looked like no evidence to the buyer.
Finding 02
Roles, risk appetite, cybersecurity strategy and oversight cadence were not documented the way CSF 2.0's headline new function expects - the single biggest 2.0 change.
Finding 03
Third-party risk was handled deal by deal, not as a governed, repeatable process the framework calls for.
Finding 04
Logging existed, but response playbooks were not written down or mapped to the Respond categories, so 'we would handle it' had nothing behind it.
Finding 05
There was no way to show the buyer where the vendor was today versus where it was heading - the artefact a CSF review actually wants.
The vendor answered the buyer with a NIST CSF 2.0 profile, a crosswalk from its ISO 27001 evidence and a short, honest gap list - turning a stalled security review into a manageable roadmap. NIST CSF 2.0 is a framework Kellwick maps and aligns to; it is not a certification, and the profile was a self-assessment, not an attestation by a third party.
NIST CSF 2.0 is a language, not a certificate. If your ISO 27001 evidence is real, most of it already answers the framework - the work is the crosswalk and the new Govern function, which is where teams that skipped governance get caught.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.