ISO 27001 readiness for FX, prop trading and fintech brokers
ISO 27001 readiness for FX brokers and trading firms.
Your broker is not a normal SaaS company. Stop preparing for ISO 27001 like one.
Client money workflows, KYC documents, trading accounts, partner portals, IB networks, PSP integrations, withdrawal controls, admin permissions, vendor exposure, and audit pressure from every direction. A generic template pack will not understand that.
Kellwick prepares FX brokers for ISO 27001 with readiness reviews, evidence mapping and gap remediation built around how broker operations actually work. Just a clear answer to one brutal question: can your broker prove control when someone asks?
Your real environment
Nine systems. Each one creates access, data, change, supplier and evidence risk. One evidence map, or nine blind spots.
The audit will not care that things are handled.
Every broker says the same thing. Access is handled. KYC is handled. Withdrawals are handled. Vendor access is handled. Client data is handled. Fine. Show the evidence.
- Who approved access?
- When was it reviewed?
- Who can export client data?
- Who can touch payment settings?
- Who can change IB terms?
- Who can see KYC files?
- Who can access platform admin roles?
- What happens when someone leaves?
That is where weak readiness shows up. Not in the policy. In the proof.
FX audit risk is operational
Your real environment has layers.
Most ISO 27001 prep treats a broker like a clean SaaS app with a simple user table. It is not. Each layer creates access, data, change, supplier and evidence risk.
Trading platform
- Access risk: MT4 / MT5 / cTrader manager and admin roles, server access, dealer desk permissions.
- Client data risk: account balances, positions, trade history, leverage settings.
- Evidence expected: platform admin access list with owner and last review date.
- Common broker gap: manager and admin access shared, no periodic review, dealers with standing admin rights.
You do not need more ISO documents. You need control evidence that matches broker operations.
A policy can say access is reviewed. That means nothing if:
- MT4 / MT5 admin access is not clearly owned
- CRM permissions are not reviewed
- Former staff still have tool access
- KYC file access has no evidence trail
- Partner portal roles are not documented
- PSP access is shared
- Support inbox access is too broad
- Supplier reviews are outdated
- Incident records are informal
- Change approvals are scattered
- SoA decisions are not tied to real systems
- Management review is just a meeting note
That is not readiness. That is exposure with nicer formatting.
Broker readiness check
Answer these before you say you are ready.
1. Can you show current access reviews for CRM, trading platform, PSP, support tools and back office?
2. Can you prove who owns each critical system?
3. Can you show how KYC data access is controlled?
4. Can you show supplier reviews for PSP, KYC, hosting, CRM and support vendors?
5. Can you show change approvals for critical production systems?
6. Can you show incident records and lessons learned?
7. Can you explain your ISO 27001 scope without hiding operational reality?
8. Can you map Annex A controls to actual broker evidence?
9. Can your team answer audit questions without guessing?
10. Can you show evidence from the last 90 days?
If the answer is not clear, you are not ready. You are hoping.
What we check
Readiness through the lens of broker operations.
Access control
Who has access to what, why, and when it was last reviewed.
- Trading platform admin access
- CRM access
- Client and IB portal access
- PSP access
- KYC vendor access
- Shared inboxes and privileged accounts
- Leavers and movers
- Emergency access
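The access-control check above, together with the 90-day evidence question in the readiness list, comes down to four questions you can ask of a raw access export: is the account shared, does it belong to a leaver, does the system have a named owner, and is the last review recent enough to count. The script below is an added illustration of that check, not Kellwick's tooling or any platform's API; the export columns, system names, people and dates are all constructed for the example, and the 90-day window is taken from the readiness question above.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample access export: one row per account on a critical broker
# system, in the shape a reviewer would pull from the platform manager, CRM,
# PSP console or KYC tool. Every name, system and date here is made up.
ACCESS_EXPORT = """\
system,account,role,person,owner,last_reviewed
MT5 manager,dealer-desk,admin,shared,,2024-01-15
MT5 manager,j.smith,manager,Jane Smith,Head of Dealing,2025-03-01
CRM,a.jones,export,Alan Jones,,2025-02-10
PSP console,ops-payments,admin,shared,Finance Lead,2024-11-30
KYC vault,m.lee,read,Mary Lee,Compliance Lead,2025-03-15
Support desk,p.kaur,agent,Priya Kaur,Support Lead,2025-03-20
"""

# Constructed HR leaver list: person -> last working day.
LEAVERS = {"Alan Jones": date(2025, 1, 31)}

# Fixed "today" so the example is reproducible offline.
REVIEW_DATE = date(2025, 4, 1)


@dataclass
class Finding:
    system: str
    account: str
    issue: str
    severity: int  # 3 = fix before the audit, 1 = tidy up


def check_access_export(export_csv, leavers, today, review_window_days=90):
    """Turn a raw access export into a ranked list of evidence gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        system, account = row["system"], row["account"]
        privileged = row["role"] == "admin"

        # Shared accounts: no individual is accountable for what the account did.
        if row["person"].strip().lower() == "shared":
            findings.append(Finding(system, account,
                "shared account, no individual accountability",
                3 if privileged else 2))

        # Leavers: the HR exit date has passed but the account still exists.
        left = leavers.get(row["person"])
        if left is not None and left <= today:
            findings.append(Finding(system, account,
                f"leaver {row['person']} (left {left.isoformat()}) still has access", 3))

        # Ownership: an access list nobody owns cannot be reviewed.
        if not row["owner"].strip():
            findings.append(Finding(system, account, "no named system owner", 2))

        # Review recency: evidence older than the window does not count as current.
        last_reviewed = date.fromisoformat(row["last_reviewed"])
        if today - last_reviewed > timedelta(days=review_window_days):
            findings.append(Finding(system, account,
                f"last review {last_reviewed.isoformat()} is older than {review_window_days} days",
                3 if privileged else 1))

    # Highest severity first, then by system so the register reads per system.
    findings.sort(key=lambda f: (-f.severity, f.system, f.account))
    return findings


def severity_summary(findings):
    """Count findings per severity level for the leadership view."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


def systems_with_no_findings(export_csv, findings):
    """Systems whose export produced no gaps: these are the defensible ones."""
    all_systems = {row["system"] for row in csv.DictReader(io.StringIO(export_csv))}
    flagged = {f.system for f in findings}
    return sorted(all_systems - flagged)


if __name__ == "__main__":
    results = check_access_export(ACCESS_EXPORT, LEAVERS, REVIEW_DATE)
    for f in results:
        print(f"[sev {f.severity}] {f.system} / {f.account}: {f.issue}")
    print("summary:", severity_summary(results))
    print("clean systems:", systems_with_no_findings(ACCESS_EXPORT, results))
```

On the constructed export this produces seven findings: the shared dealer-desk admin account and the shared PSP login are flagged twice each (shared and stale review), the CRM export account belongs to a leaver and has no owner, and the MT5 admin list has no owner. The KYC vault and support desk come out clean, which is the point of the exercise: the output is a ranked gap register per system plus the short list of systems you can already defend, rather than a statement that access "is handled".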
Client data protection
Where client data lives, who can access it, and how it moves.
- KYC documents
- Client profiles
- Payment and trading records
- Support tickets
- Exported reports
- Screenshots and attachments
- Shared folders
- Vendor data access
Supplier and vendor risk
Who touches your environment or client data.
- PSPs
- KYC providers
- Hosting providers
- CRM and platform vendors
- Support and analytics tools
- Affiliate tools
- External developers
- Outsourced operations
Change and release control
How critical changes get approved, tested, released and recorded.
- Client portal changes
- Back-office changes
- Payment workflow changes
- CRM and reporting changes
- Permission model changes
- Production fixes
- Vendor-driven changes
Incident readiness
Can your team show what happened, who responded and what changed afterwards?
- Client data incidents
- Account access incidents
- Payment workflow issues
- Phishing
- Vendor incidents
- Support inbox compromise
- Suspicious exports
- Failed controls
Management evidence
Can leadership prove the ISMS is reviewed, funded and improved?
- Management review
- Risk acceptance
- Security objectives
- Internal audit actions
- Supplier risk decisions
- Control exceptions
- Audit preparation status
What you receive
The missing broker readiness layer.
Broker Readiness Snapshot
A direct view of your current ISO 27001 readiness.
- Scope clarity
- Key broker risk areas
- Evidence maturity
- Critical gaps
- Ownership issues
- Audit exposure rating
- Next-step recommendation
FX Evidence Map
A practical evidence map built around broker systems and ISO 27001 expectations.
- Control area
- Expected evidence
- Current evidence
- System owner
- Evidence owner
- Status, gap, remediation note
Gap Register
A ranked list of issues that can hurt readiness. No academic noise, no fake maturity model.
- Only gaps that matter
- Ranked by risk
- Ranked by audit impact
Audit Prep Plan
A short execution plan for the next 2-6 weeks.
- What to fix first
- Who should own it
- What evidence to collect
- What needs approval
- What can wait
Advisory Review
A direct walkthrough with your team: what is weak, what is defensible, what needs action before audit pressure starts.
FX evidence map preview
Built around broker systems, not a generic checklist.
| Area | Evidence expected | Common broker gap | Kellwick output |
|---|---|---|---|
| Trading platform access | MT4 / MT5 admin access review | Manager access shared, no review | Owned access list + review cadence |
| KYC documents | Access trail + retention evidence | Files in shared drive, no log | Controlled KYC access trail |
| PSP integration | Vendor review + access owners | Shared logins, no supplier review | Tiered vendor review + owners |
| Withdrawals | Change approval trail | Support changes settings, no approval | Approval workflow evidence |
| IB portal | Role docs + change approvals | Terms changed with no record | Documented IB roles + change log |
| Leavers | Timely access removal proof | Ex-staff retain tool access | Joiner / mover / leaver evidence |
Before Kellwick
- The CTO says security is covered
- Compliance says documents exist
- Operations says access is controlled
- Support says client data is safe
- Finance says PSP access is limited
- Product says releases are approved
- HR says leavers are removed
- Everyone is probably right - but nobody has one evidence map
Nobody has one evidence map. That is the problem.
After Kellwick
- Scope is clear
- Systems are mapped
- Owners are visible
- Evidence is checked
- Gaps are ranked
- Actions are practical
- Audit questions are predictable
- Leadership knows the real status
No guessing.
Typical starting points
Scoped to your systems and timeline.
Final pricing is confirmed after a readiness call.
Broker Readiness Snapshot
From $2,500
FX brokers and trading firms that need a fast external view before certification, surveillance, customer review or board pressure.
- Scope review
- High-level evidence check
- Critical system review
- Readiness score
- Key gaps
- Recommendation report
Full Broker Readiness Review
From $7,500
Firms preparing seriously for ISO 27001 certification or surveillance.
- Scope review
- Risk and SoA review
- Broker system mapping
- Evidence mapping
- Gap register
- Remediation plan
- Advisory review call
Ongoing Readiness Support
Custom
Teams that need support through remediation, audit preparation and evidence improvement.
- Recurring review sessions
- Evidence quality checks
- Audit question prep
- Remediation tracking
- Leadership-ready updates
This is for you if
- You run or support an FX broker, prop trading firm, trading platform, fintech brokerage or broker technology company
- You already have some ISO 27001 material, but you are not confident in the evidence
- You have pressure from customers, partners, regulators, auditors, banks or PSPs
- You need a practical readiness view before someone else finds the gaps
This is not for you if
- You want fake evidence
- You want a certificate shortcut
- You want a template pack and no operational work
- You want to pretend FX is simple SaaS
- You want ISO 27001 only as a logo
Why Kellwick
Kellwick is built for practical ISO 27001 readiness in high-risk technology environments. We understand SaaS, fintech, product operations, security, delivery, and the operational pressure inside broker environments.
ISO 27001 is not only about policies. It is about how access, data, vendors, changes, incidents and ownership work in the real company. FX firms need readiness support that understands the business model, not just the standard.
Ratomir Jovanovic
IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. ISO/IEC 27001:2022 Auditor / Lead Auditor trained. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
FAQ
Straight answers.
No. Kellwick does not issue ISO 27001 certificates. Certification comes from an accredited certification body. Kellwick helps you prepare before that stage.
No. Nobody serious should guarantee that. We reduce avoidable audit risk by finding weak evidence, unclear ownership and missing control proof before the audit.
No. We support your team with structure, review, evidence mapping and readiness planning. Control ownership should stay inside the company.
Usually no. Most readiness work starts with documents, screenshots, exports, access review evidence, system owner input and structured interviews. Sensitive access should stay controlled.
No. It works for companies preparing for first certification, surveillance audit, customer security review or internal readiness pressure.
That is common. Weak documents are fixable. The bigger issue is weak evidence - that is what we find and map.
Your broker does not need more confidence. It needs proof.
Find the gaps before the auditor, bank, PSP, customer or board does.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.