SaaS
European buyers knew ISO 27001. The first serious US enterprise deal spoke a different language - NIST CSF 2.0 - and the team had no way to translate one into the other.
US enterprise and financial-services buyers increasingly frame security expectations in NIST CSF 2.0 terms. ISO 27001 maps heavily onto the framework, but a certificate is not a CSF profile, and the SaaS could neither show the crosswalk nor speak the buyer's language. The deal stalled on a translation gap, not a security gap.
Finding 01
The team could not show which ISO 27001 controls answered which CSF categories, so real evidence read as no evidence.
Finding 02
The trust page and questionnaire answers spoke ISO, not the CSF language the US buyer was using.
Finding 03
Governance existed in ISO terms but was never framed as CSF's Govern function a US reviewer looks for first.
Finding 04
Nothing showed the buyer where the firm stood today or where it was heading.
Finding 05
Expectations the buyer implied were not connected to the controls the firm already ran.
The SaaS answered the US buyer in its own framework with a mapped profile and a short gap list, so the conversation moved on substance rather than stalling on vocabulary. The buyer's decision was still the buyer's; the translation was no longer the blocker.
Crossing into the US market is often a translation problem, not a security problem. If your ISO 27001 is real, NIST CSF 2.0 is largely a relabelling exercise plus governance - do the crosswalk before the buyer does.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.