SaaS
Growth had outrun the security function. The board wanted a CISO-level view and a plan; a full-time hire was 6-9 months and a big salary away. A vCISO retainer filled the gap in weeks.
Security had been run part-time and reactively. There was no owned risk picture, no roadmap tied to risk, and no one translating security into terms the board could govern. The company did not need a full-time CISO yet - it needed CISO-level leadership, right-sized, without the hire.
Finding 01
Risk lived in scattered heads and tickets, with no single view the board could rely on.
Finding 02
Security work was reactive; there was no prioritised plan linked to the risks that mattered.
Finding 03
The board heard about security only when something went wrong, with no regular, structured view.
Finding 04
An engineering lead carried security alongside delivery, so neither got full attention.
Finding 05
The certified ISMS was maintained mechanically, without someone steering it against real risk.
The board got a CISO-level owner, a risk view and a roadmap within weeks instead of quarters, without a full-time hire - and a clear marker for when to bring one in. Kellwick provides security leadership as a service; accountability for decisions remains with the company.
Most scale-ups need CISO-level leadership long before they can justify a full-time CISO. A vCISO gives you the owned risk view, the roadmap and the board reporting now - and tells you honestly when it is time to hire.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.