Kellwick

ISO 27001 readiness for FX, prop trading and fintech brokers

Your broker is not a normal SaaS company. Stop preparing for ISO 27001 like one.

Client money workflows, KYC documents, trading accounts, partner portals, IB networks, PSP integrations, withdrawal controls, admin permissions, vendor exposure, and audit pressure from every direction. A generic template pack will not understand that.

Kellwick prepares FX brokers for ISO 27001 with readiness reviews, evidence mapping and gap remediation built around how broker operations actually work. No template pack, just a clear answer to one blunt question: can your broker prove control when someone asks?

Your real environment

  • Trading platform
  • CRM
  • Client portal
  • IB portal
  • PSP
  • KYC
  • Support
  • Back office
  • Vendors

Nine systems. Each one creates access, data, change, supplier and evidence risk. One evidence map, or nine blind spots.


The audit will not care that things are handled.

Every broker says the same thing. Access is handled. KYC is handled. Withdrawals are handled. Vendor access is handled. Client data is handled. Fine. Show the evidence.

  • Who approved access?
  • When was it reviewed?
  • Who can export client data?
  • Who can touch payment settings?
  • Who can change IB terms?
  • Who can see KYC files?
  • Who can access platform admin roles?
  • What happens when someone leaves?

That is where weak readiness shows up. Not in the policy. In the proof.

FX audit risk is operational

Your real environment has layers. Most ISO 27001 prep treats a broker like a clean SaaS app with a simple user table. It is not. Each layer creates access, data, change, supplier and evidence risk.

Trading platform

Access risk: MT4 / MT5 / cTrader manager and admin roles, server access, dealer desk permissions.
Client data risk: Account balances, positions, trade history, leverage settings.
Evidence expected: Platform admin access list with owner and last review date.
Common broker gap: Manager and admin access shared, no periodic review, dealers with standing admin rights.

You do not need more ISO documents. You need control evidence that matches broker operations.

A policy can say access is reviewed. That means nothing if:

  • MT4 / MT5 admin access is not clearly owned
  • CRM permissions are not reviewed
  • Former staff still have tool access
  • KYC file access has no evidence trail
  • Partner portal roles are not documented
  • PSP access is shared
  • Support inbox access is too broad
  • Supplier reviews are outdated
  • Incident records are informal
  • Change approvals are scattered
  • SoA decisions are not tied to real systems
  • Management review is just a meeting note

That is not readiness. That is exposure with nicer formatting.

Broker readiness check

Answer these before you say you are ready.

  1. Can you show current access reviews for CRM, trading platform, PSP, support tools and back office?
  2. Can you prove who owns each critical system?
  3. Can you show how KYC data access is controlled?
  4. Can you show supplier reviews for PSP, KYC, hosting, CRM and support vendors?
  5. Can you show change approvals for critical production systems?
  6. Can you show incident records and lessons learned?
  7. Can you explain your ISO 27001 scope without hiding operational reality?
  8. Can you map Annex A controls to actual broker evidence?
  9. Can your team answer audit questions without guessing?
  10. Can you show evidence from the last 90 days?

If the answer is not clear, you are not ready. You are hoping.

What we check

Readiness through the lens of broker operations.

Access control

Who has access to what, why, and when it was last reviewed.

  • Trading platform admin access
  • CRM access
  • Client and IB portal access
  • PSP access
  • KYC vendor access
  • Shared inboxes and privileged accounts
  • Leavers and movers
  • Emergency access

Client data protection

Where client data lives, who can access it, and how it moves.

  • KYC documents
  • Client profiles
  • Payment and trading records
  • Support tickets
  • Exported reports
  • Screenshots and attachments
  • Shared folders
  • Vendor data access

Supplier and vendor risk

Who touches your environment or client data.

  • PSPs
  • KYC providers
  • Hosting providers
  • CRM and platform vendors
  • Support and analytics tools
  • Affiliate tools
  • External developers
  • Outsourced operations

Change and release control

How critical changes get approved, tested, released and recorded.

  • Client portal changes
  • Back-office changes
  • Payment workflow changes
  • CRM and reporting changes
  • Permission model changes
  • Production fixes
  • Vendor-driven changes

Incident readiness

Can your team show what happened, who responded and what changed afterwards?

  • Client data incidents
  • Account access incidents
  • Payment workflow issues
  • Phishing
  • Vendor incidents
  • Support inbox compromise
  • Suspicious exports
  • Failed controls

Management evidence

Can leadership prove the ISMS is reviewed, funded and improved?

  • Management review
  • Risk acceptance
  • Security objectives
  • Internal audit actions
  • Supplier risk decisions
  • Control exceptions
  • Audit preparation status

What you receive

The missing broker readiness layer.

01 Broker Readiness Snapshot

A direct view of your current ISO 27001 readiness.

  • Scope clarity
  • Key broker risk areas
  • Evidence maturity
  • Critical gaps
  • Ownership issues
  • Audit exposure rating
  • Next-step recommendation

02 FX Evidence Map

A practical evidence map built around broker systems and ISO 27001 expectations.

  • Control area
  • Expected evidence
  • Current evidence
  • System owner
  • Evidence owner
  • Status, gap, remediation note

03 Gap Register

A ranked list of issues that can hurt readiness. No academic noise, no fake maturity model.

  • Only gaps that matter
  • Ranked by risk
  • Ranked by audit impact

04 Audit Prep Plan

A short execution plan for the next 2-6 weeks.

  • What to fix first
  • Who should own it
  • What evidence to collect
  • What needs approval
  • What can wait

05 Advisory Review

A direct walkthrough with your team: what is weak, what is defensible, what needs action before audit pressure starts.

FX evidence map preview

Built around broker systems, not a generic checklist.

Trading platform access
Evidence expected: MT4 / MT5 admin access review
Common broker gap: Manager access shared, no review
Kellwick output: Owned access list + review cadence

KYC documents
Evidence expected: Access trail + retention evidence
Common broker gap: Files in shared drive, no log
Kellwick output: Controlled KYC access trail

PSP integration
Evidence expected: Vendor review + access owners
Common broker gap: Shared logins, no supplier review
Kellwick output: Tiered vendor review + owners

Withdrawals
Evidence expected: Change approval trail
Common broker gap: Support changes settings, no approval
Kellwick output: Approval workflow evidence

IB portal
Evidence expected: Role docs + change approvals
Common broker gap: Terms changed with no record
Kellwick output: Documented IB roles + change log

Leavers
Evidence expected: Timely access removal proof
Common broker gap: Ex-staff retain tool access
Kellwick output: Joiner / mover / leaver evidence
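What an access-review evidence row looks like when it is generated from system exports rather than written by hand: the script below is an added illustration, not Kellwick's tooling or any deliverable described on this page. It reconciles per-system access exports (trading platform, CRM, PSP) against an HR roster and an owner register, flags the three gaps the map above keeps returning to (leavers with standing access, shared or generic logins, reviews older than the 90-day window) plus systems with no named owner, and ranks the rows so privileged accounts with the most findings surface first. Every login, role, date, system name and owner in it is constructed sample data; the review-age threshold, the generic-login list and the privileged-role set are assumptions a real broker would replace with its own.

```python
# Added example (not Kellwick's tooling or any deliverable on this page):
# reconcile per-system access exports against an HR roster and turn the
# result into evidence-map rows. All logins, systems, dates and owners
# below are constructed sample data.
from datetime import date

REVIEW_MAX_AGE_DAYS = 90   # the "last 90 days" evidence window used above
GENERIC_LOGINS = {"admin", "manager", "dealer", "support", "shared"}   # assumed list
PRIVILEGED_ROLES = {"admin", "manager", "payment_settings", "export"}  # assumed list
TODAY = date(2024, 6, 1)   # fixed so the output is reproducible

# Constructed HR roster: login -> employment status and leave date.
HR_ROSTER = {
    "a.novak": {"status": "active", "left": None},
    "m.rossi": {"status": "active", "left": None},
    "k.lee":   {"status": "left",   "left": date(2024, 3, 29)},
}

# Constructed per-system access exports, the shape an admin screen or API
# export typically gives you: login, role, date of the last documented review.
ACCESS_EXPORTS = {
    "trading_platform": [
        {"login": "a.novak", "role": "admin",   "last_review": date(2024, 5, 2)},
        {"login": "manager", "role": "manager", "last_review": None},  # shared manager login
        {"login": "k.lee",   "role": "dealer",  "last_review": date(2024, 1, 10)},
    ],
    "crm": [
        {"login": "m.rossi", "role": "export",  "last_review": date(2024, 5, 20)},
        {"login": "k.lee",   "role": "agent",   "last_review": date(2024, 5, 20)},
    ],
    "psp": [
        {"login": "admin", "role": "payment_settings", "last_review": date(2023, 11, 1)},
    ],
}

# Constructed owner register; "psp" is deliberately missing to show that gap.
SYSTEM_OWNERS = {"trading_platform": "Head of Dealing", "crm": "Head of Operations"}


def review_entry(system, entry, roster, owners, today):
    """Return one evidence-map row for a single access entry."""
    findings = []
    login = entry["login"]
    person = roster.get(login)
    if login in GENERIC_LOGINS:
        findings.append("shared or generic login: no individual accountability")
    elif person is None:
        findings.append("login not in HR roster: contractor, vendor or orphaned account")
    elif person["status"] == "left":
        days = (today - person["left"]).days
        findings.append(f"leaver retains access {days} days after leave date")
    last = entry["last_review"]
    if last is None:
        findings.append("no access review on record")
    elif (today - last).days > REVIEW_MAX_AGE_DAYS:
        findings.append(f"last review {(today - last).days} days ago, older than {REVIEW_MAX_AGE_DAYS}")
    if system not in owners:
        findings.append("no named system owner")
    return {
        "system": system,
        "login": login,
        "role": entry["role"],
        "privileged": entry["role"] in PRIVILEGED_ROLES,
        "owner": owners.get(system),
        "findings": findings,
        "status": "gap" if findings else "evidenced",
    }


def build_rows(exports, roster, owners, today):
    return [review_entry(s, e, roster, owners, today)
            for s, entries in exports.items() for e in entries]


def rank(rows):
    """Privileged entries with the most findings first (audit impact)."""
    return sorted(rows, key=lambda r: (r["privileged"], len(r["findings"])), reverse=True)


def summarize(rows):
    return {
        "entries": len(rows),
        "with_gaps": sum(1 for r in rows if r["findings"]),
        "leavers_with_access": sum(1 for r in rows
                                   if any(f.startswith("leaver") for f in r["findings"])),
        "unowned_systems": sorted({r["system"] for r in rows if r["owner"] is None}),
    }


def run_review(today=TODAY):
    rows = rank(build_rows(ACCESS_EXPORTS, HR_ROSTER, SYSTEM_OWNERS, today))
    return {"rows": rows, "summary": summarize(rows)}


if __name__ == "__main__":
    result = run_review()
    for r in result["rows"]:
        print(f"{r['system']:17} {r['login']:9} {r['role']:17} {r['status']:10} "
              f"owner={r['owner'] or '-'}  {'; '.join(r['findings']) or 'ok'}")
    print(result["summary"])
```

On the sample data the PSP's shared "admin" login with payment-settings rights, no review in over 200 days and no named owner ranks first, ahead of the shared trading-platform manager login; the leaver appears twice because they were removed from HR but not from either system. The dated rows, with the export they came from, are the evidence; the script is only a way of producing and ranking them consistently every review cycle.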

Before Kellwick

  • The CTO says security is covered
  • Compliance says documents exist
  • Operations says access is controlled
  • Support says client data is safe
  • Finance says PSP access is limited
  • Product says releases are approved
  • HR says leavers are removed
  • Everyone is probably right

Nobody has one evidence map. That is the problem.

After Kellwick

  • Scope is clear
  • Systems are mapped
  • Owners are visible
  • Evidence is checked
  • Gaps are ranked
  • Actions are practical
  • Audit questions are predictable
  • Leadership knows the real status

No guessing.

Typical starting points

Scoped to your systems and timeline.

Final pricing is confirmed after a readiness call.

Broker Readiness Snapshot

From $2,500

FX brokers and trading firms that need a fast external view before certification, surveillance, customer review or board pressure.

  • Scope review
  • High-level evidence check
  • Critical system review
  • Readiness score
  • Key gaps
  • Recommendation report

Full Broker Readiness Review

From $7,500

Firms preparing seriously for ISO 27001 certification or surveillance.

  • Scope review
  • Risk and SoA review
  • Broker system mapping
  • Evidence mapping
  • Gap register
  • Remediation plan
  • Advisory review call

Ongoing Readiness Support

Custom

Teams that need support through remediation, audit preparation and evidence improvement.

  • Recurring review sessions
  • Evidence quality checks
  • Audit question prep
  • Remediation tracking
  • Leadership-ready updates

This is for you if

  • You run or support an FX broker, prop trading firm, trading platform, fintech brokerage or broker technology company
  • You already have some ISO 27001 material, but you are not confident in the evidence
  • You have pressure from customers, partners, regulators, auditors, banks or PSPs
  • You need a practical readiness view before someone else finds the gaps

This is not for you if

  • You want fake evidence
  • You want a certificate shortcut
  • You want a template pack and no operational work
  • You want to pretend FX is simple SaaS
  • You want ISO 27001 only as a logo

Why Kellwick

Kellwick is built for practical ISO 27001 readiness in high-risk technology environments. We understand SaaS, fintech, product operations, security, delivery, and the operational pressure inside broker environments.

ISO 27001 is not only about policies. It is about how access, data, vendors, changes, incidents and ownership work in the real company. FX firms need readiness support that understands the business model, not just the standard.

Ratomir Jovanovic

IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. ISO/IEC 27001:2022 Auditor / Lead Auditor trained. 18 years in IT, SaaS, fintech, product and operations.

Kellwick is an independent advisory practice, not a certification body.

FAQ

Straight answers.

No. Kellwick does not issue ISO 27001 certificates. Certification comes from an accredited certification body. Kellwick helps you prepare before that stage.

No. Nobody serious should guarantee that. We reduce avoidable audit risk by finding weak evidence, unclear ownership and missing control proof before the audit.

No. We support your team with structure, review, evidence mapping and readiness planning. Control ownership should stay inside the company.

Usually no. Most readiness work starts with documents, screenshots, exports, access review evidence, system owner input and structured interviews. Sensitive access should stay controlled.

No. It works for companies preparing for first certification, surveillance audit, customer security review or internal readiness pressure.

That is common. Weak documents are fixable. The bigger issue is weak evidence - that is what we find and map.

Your broker does not need more confidence. It needs proof.

Find the gaps before the auditor, bank, PSP, customer or board does.

Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.