ISO 27001 readiness for SaaS

ISO 27001 readiness without the theatre.

Most companies do not fail ISO 27001 because they lack documents. They fail because evidence is scattered, ownership is unclear, risks are outdated, and nobody can explain what is actually working.

Kellwick turns ISO 27001 preparation into a clear, testable readiness system. No fake templates. No 80-page policy packs nobody uses. Just a practical readiness review, a clear evidence map, and a focused plan to close the gaps before the auditor sees them.

Can you prove these 5 things?

  • Scope statement
  • Risk assessment
  • Statement of Applicability
  • Access reviews
  • Supplier reviews
  • Built for SaaS, fintech and product-led teams
  • Led by an advisor trained as an ISO/IEC 27001 Lead Auditor
  • Practical evidence mapping, not certification sales
  • Independent advisory practice, not a certification body

Why this becomes expensive late

Most teams find their evidence gaps when it is already too late to fix them cleanly.

You can be 30-60 days from an audit and still not know what evidence you can actually defend. By then, the fixes look like exactly what they are.

  • Late access reviews look reactive
  • A weak SoA creates auditor questions
  • An outdated risk register shows the ISMS is not operated
  • Missing supplier reviews become high-risk gaps
  • Management review without decisions looks cosmetic
  • Evidence created in panic is easy to spot

You do not need more documents. You need evidence that survives questions.

You probably do not have an ISO 27001 problem. You have an evidence problem. Your policies may exist. Your risk register may exist. Your access reviews may exist. But can you prove they work?

  • Who owns each control?
  • What is the current evidence?
  • Why is a control implemented that way?
  • What changed since the last review?
  • Can your team answer audit questions without panic?

If not, you are not ready. You are guessing.

Quick readiness check

Answer 8 questions. Get an instant readiness signal.

  1. Do you have a current ISO 27001 scope statement?
  2. Is your risk assessment updated and approved?
  3. Is every Annex A control mapped to evidence?
  4. Do control owners know what they own?
  5. Are access reviews documented?
  6. Are suppliers reviewed and classified?
  7. Are incidents, changes and exceptions tracked?
  8. Can you show evidence from the last 90 days?

Kellwick gives you the missing audit layer.

You do not need another folder of templates. You need a clear answer to four questions.

  1. What is required?
  2. What evidence proves it?
  3. Who owns it?
  4. What is missing?

That is the work. Walk into audit week knowing what you can prove.

Before Kellwick

  • Policies live in Google Drive
  • Evidence lives in Slack
  • Risks live in spreadsheets
  • Access reviews are half-done
  • Suppliers are not classified
  • Nobody is sure who owns what
  • Management review nobody trusts
  • "We have it somewhere."

That sentence is expensive.

After Kellwick

  • Your scope is clear
  • Your evidence is mapped
  • Your control owners are visible
  • Your weak points are ranked
  • Your remediation plan is practical
  • Your audit questions are predictable
  • Your team knows what to show
  • You stop preparing by panic

What you receive

A readiness pack, not a pile of templates.

01. ISO 27001 Readiness Snapshot

A clear summary of where you stand now.

  • Scope review
  • Key risk areas
  • Evidence maturity
  • Missing ownership
  • Weak control areas
  • Audit exposure rating
  • Next-step recommendation

02. Evidence Map

A control-by-control map of what evidence exists, what is weak, and what is missing.

  • Control reference
  • Expected evidence
  • Current evidence
  • Owner
  • Status
  • Gap
  • Remediation note

03. Gap Register

A practical list of gaps ranked by risk and audit impact. No noise, no theoretical consulting language.

  • Only items that can affect readiness
  • Ranked by risk
  • Ranked by audit impact

04. Audit Prep Plan

A short execution plan for the next 2-6 weeks.

  • What to fix first
  • Who should own it
  • What evidence to collect
  • What can wait
  • What not to waste time on

05. Optional Advisory Session

A direct review call to walk through findings and prepare the team for likely audit questions.

Want the exact structure? See sample deliverables.

Evidence map preview

This is where the problems become visible.

Control area               | Expected evidence                   | Common gap                      | Kellwick output
---------------------------|------------------------------------|---------------------------------|----------------------------------
Access control             | User access review                 | No owner, no date, no approval  | Mapped evidence + remediation note
Supplier risk              | Vendor register + risk rating      | Critical vendors unassessed     | Tiered register + review plan
Change / release           | Ticket, review, test, deploy       | Emergency changes not recorded  | Traceable change evidence
Statement of Applicability | Justified applicability + evidence | Marked implemented, no proof    | SoA reconciled to reality
Management review          | Minutes with real decisions        | Meeting held, no decisions      | Review pack with action log

The process

Three steps.

1. Send the current material

You share what you already have: policies, scope, risk register, SoA, access reviews, supplier records, incident and change records, internal audit notes, management review and evidence folders.

2. Kellwick maps the evidence

We review it against ISO 27001 readiness expectations and build a practical evidence map. This is where most problems become visible.

3. You receive the readiness pack

A clear report, gap register, evidence map and remediation plan. You know what to fix before audit pressure starts.

What usually breaks during audit prep

The gaps are almost always the same.

  • SoA says implemented, but evidence is missing
  • Access reviews exist, but there is no approval trail
  • Risks are old, unchanged and not linked to treatment
  • Suppliers are listed, but not assessed
  • Changes exist in tickets, but are not tied to approval and testing
  • Management review happened, but produced no decisions
  • Control owners exist on paper, but do not run the control

Book this if

  • Your audit is in the next 30-120 days
  • A customer security review is blocking a deal
  • You inherited an ISMS and do not trust the evidence
  • You passed certification but surveillance is coming
  • Your team has documents but no evidence map

Ratomir Jovanovic

IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. ISO/IEC 27001:2022 Auditor / Lead Auditor trained. 18 years in IT, SaaS, fintech, product and operations.

Kellwick is an independent advisory practice, not a certification body.

Typical starting points

Scoped to your ISMS maturity and timeline.

Final pricing is confirmed after a readiness call.

Readiness Snapshot

From $2,500

A fast external view before committing to a full readiness push.

  • Document review
  • High-level evidence check
  • Readiness score
  • Key gaps
  • Recommendation report

Full Readiness Review (most popular)

From $7,500

SaaS and technology companies preparing for certification, surveillance, or customer-driven ISO 27001 pressure.

  • Scope review
  • Risk and SoA review
  • Evidence mapping
  • Gap register
  • Remediation plan
  • Advisory review call

Ongoing Readiness Support

Custom

Teams that need structured support through remediation and audit preparation.

  • Recurring review sessions
  • Evidence quality checks
  • Audit question prep
  • Remediation tracking
  • Management-ready updates

This is for you if

  • You are a SaaS, fintech, cybersecurity, recruitment tech or product-led company
  • You already have some ISO 27001 material, but you are not fully confident
  • You need external pressure and structure
  • You want to avoid audit-week chaos
  • You want practical readiness, not compliance theatre

This is not for you if

  • You want someone to invent fake evidence
  • You want a certificate shortcut
  • You want generic templates and no operational change
  • You want ISO 27001 only as a logo

Why Kellwick

Kellwick is built around practical ISO 27001 readiness for technology companies. The work is led by an ISO 27001 trained audit and information security professional with deep experience across SaaS, fintech, product operations, software delivery and risk-heavy environments.

That matters because ISO 27001 is not only a documentation exercise. It touches how teams build, access, change, monitor, approve, review and respond. A good readiness review understands the system behind the evidence.

  • IRCA Associate Auditor - ISMS
  • CQI Practitioner Member - PCQI
  • ISO/IEC 27001:2022 Auditor/Lead Auditor trained

FAQ

The questions that kill objections.

No. Kellwick does not issue ISO 27001 certificates. Certification comes from an accredited certification body. Kellwick helps you prepare before that stage.

No serious advisor should guarantee that. The goal is to reduce avoidable audit risk, expose weak areas early, and help your team prepare evidence properly.

No. This works best when you already have some material and need a structured review. If you are starting from zero, we can still help - the first step becomes scope, risk and core ISMS setup.

A snapshot can be done quickly when materials are ready. A full readiness review depends on scope, evidence quality, number of systems and team availability.

No. We help your team see what is missing and what needs to be fixed. Control ownership should stay inside the company.

Templates do not prove readiness. Evidence, ownership, review history and operational consistency prove readiness. We focus on what an auditor or serious customer will expect you to show.

Stop hoping the evidence is good enough.

Find out before the audit.

Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.