SaaS
The buyer did not just want the vendor to be secure. It wanted evidence the vendor governs its own suppliers - the GV.SC part of NIST CSF 2.0 the team had never treated as a program.
NIST CSF 2.0 elevated supply-chain risk into the Govern function (GV.SC): entities are expected to run cybersecurity supply-chain risk management as a governed, repeatable program - roles, requirements, monitoring and incident coordination with suppliers. The vendor was itself a link in someone else's chain and could not show that program.
Finding 01
There was no governed program and no consistent set of requirements across suppliers.
Finding 02
A critical sub-processor and a minor tool received the same light scrutiny.
Finding 03
Expectations of suppliers were assumed rather than written into agreements.
Finding 04
Nothing defined how a supplier's incident would reach the vendor or trigger a joint response.
Finding 05
Dependencies were not inventoried or assessed as part of supply-chain risk.
The vendor could show its buyer a governed supply-chain risk program mapped to GV.SC, turning an assurance flag into evidence, on top of its existing ISO 27001 supplier controls. Whether that satisfied the buyer was the buyer's call; the program was real and repeatable.
In NIST CSF 2.0, being secure is not enough if you cannot show you govern your own suppliers. When you are a link in someone else's chain, GV.SC is the outcome they check - and it is a program, not a questionnaire answer.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.