ISO 27001 readiness for payments companies, PSPs and payment technology
Card schemes, sponsor banks and enterprise merchants now require ISO 27001 alongside PCI DSS. The good news: most of your evidence already exists.
Settlement, routing, key management, access reviews, change control, incident logs - all built for PCI. Most of it maps directly to ISO 27001 Annex A. The work is mapping what carries across and closing the genuine ISO-specific gaps: management review, internal audit and risk register. You do not rebuild evidence twice.
Kellwick prepares payment companies for ISO 27001 with readiness reviews, PCI-to-Annex A evidence mapping and gap remediation built around how payment operations actually work.
Your real environment
Nine systems. Each one creates access, data, change, supplier and evidence risk. One evidence map, or nine blind spots.
Explore the evidence map →PCI DSS proves you protect cardholder data. ISO 27001 proves you operate a managed information security system. The controls overlap, but the questions are different. Show the evidence.
That is where weak ISO readiness shows up in a payments company. Not in the PCI report. In the evidence that sits outside it.
The PCI DSS ↔ ISO 27001 bridge
PCI DSS and ISO 27001 share a large control surface. Access reviews, change management, cryptographic controls, incident logging, supplier assurance - built properly for PCI, these satisfy corresponding ISO Annex A controls directly. Treating ISO 27001 as a separate project is expensive and unnecessary. A readiness review maps exactly where PCI evidence carries across and where the genuine ISO-specific gaps are.
PCI evidence that maps to ISO Annex A
Built correctly for PCI, these carry across - they do not need to be rebuilt.
Genuine ISO-specific requirements - not in PCI
These are the controls PCI does not require. They are the common audit blocker for PCI-mature payment companies.
One evidence base. Two frameworks. No duplication.
A Kellwick readiness review maps your existing PCI DSS evidence onto ISO 27001 Annex A, identifies exactly which controls carry across as-is, which need formatting or supplementation, and which are genuinely absent. Then we close only the genuine gaps. You do not rebuild what PCI already proves.
The most common ISO readiness failures in payment companies are not about missing PCI controls. They are about the ISO layer that PCI does not address:
That is not readiness. That is a PCI programme with an ISO label on the folder.
Payments readiness check
Takes two minutes. No sign-up, no call required.
Not ready to answer? Get the evidence checklist →If the PCI-to-ISO map does not exist yet, the gaps will appear in the audit room.
What actually blocks Stage 1
These are the blockers we find most often. None of them are exotic - which is exactly why they are missed until an auditor is in the room.
We do not guarantee outcomes and we are not a certification body. What we do is find these before the auditor does - while there is still time to fix them cheaply.
Not ready for a full review?
Start with a 2-day Mini Gap Review.
Scoped and priced on a short call. We hand back your top Stage 1 blockers and the single next step that matters most.
What we check
Where PAN data flows, who touches it, how tokenisation reduces scope, and whether the evidence is organised for both PCI and ISO review.
Change-freeze discipline, approval evidence for production payment changes, and traceability of who changed what and when.
Who holds admin access to routing, settlement and reconciliation systems, how it is reviewed, and what the approval trail looks like.
Key ceremony records, rotation schedules, dual-control evidence and HSM access mapped to ISO Annex A cryptographic controls.
Incident logs, fraud event records, escalation evidence and lessons-learned records structured so they survive ISO and scheme review.
Card scheme security programme requirements and sponsor bank onboarding obligations mapped into the ISMS scope, SoA and supplier register.
What you receive
A direct view of your current ISO 27001 readiness built around payment operations and PCI DSS position.
A practical map showing which PCI DSS evidence satisfies which ISO Annex A controls and where the genuine new requirements are.
A ranked list of the evidence gaps and missing controls that can hurt readiness. No academic noise - only what matters for audit and scheme review.
A short execution plan covering the next 4-8 weeks to close the genuine ISO-specific gaps without rebuilding what PCI already proves.
A direct walkthrough with your team covering what the auditor will probe in a payments environment and how your evidence holds up.
Payments evidence map preview
| Area | Evidence expected | Common payments gap | Kellwick output |
|---|---|---|---|
| Key management | Ceremony records, rotation schedule, dual-control evidence | Records exist for PCI, never mapped to Annex A | PCI-to-ISO key management evidence map |
| Settlement change control | Change approvals covering settlement windows | Change-freeze discipline exists operationally, no audit trail | Evidenced change-freeze and approval records |
| Routing / payment rail access | Access review for privileged users on routing systems | Access granted, never formally reviewed or signed off | Owned access list + periodic review evidence |
| Scheme security programme | Scheme obligations mapped into SoA | Scheme requirements not reflected in ISMS scope or SoA | Scheme-requirement-to-Annex A mapping in SoA |
| Internal audit | Completed internal audit - mandatory ISO clause | PCI audit completed; ISO internal audit never performed | First ISO internal audit with findings and actions |
| Management review | Recorded management review of ISMS performance | No management review - not required by PCI, mandatory in ISO | Management review pack with payment-specific risk agenda |
The regulatory and commercial picture
ISO 27001 for payments has moved from a differentiator to a commercial prerequisite. The pressure is not only from auditors - it is coming from card schemes, sponsor banks, acquirers and enterprise merchants simultaneously, and the evidence base that satisfies ISO 27001 is the same base that answers most of their security questions.
Visa and Mastercard operate dedicated security programmes for service providers and technology partners - including the Visa Global Registry of Service Providers and Mastercard's Site Data Protection programme. Both schemes have expanded their security requirements beyond PCI DSS. ISO 27001 certification or demonstrable readiness is increasingly referenced alongside PCI as a requirement for scheme membership, processor registration and technology-partner contracts. Schemes running their own security audits expect to see ISMS documentation, access review evidence and management-level security governance - exactly what ISO 27001 readiness produces.
Sponsor banks hold regulatory responsibility for the payment companies they support. Their third-party risk management frameworks require them to assess security governance at onboarding and periodically thereafter. In practice, ISO 27001 certification or evidence of readiness is a fast-track signal that a PSP or payment company has a managed security programme. Sponsor bank security questionnaires ask directly about ISMS scope, access reviews, incident management and management oversight - all of which ISO 27001 readiness evidences directly. A payment company that cannot provide this evidence risks delaying or losing sponsor bank access.
DORA applies to EU financial entities and critical ICT third-party providers from January 2025. Payment companies processing for EU entities - or providing critical ICT services to them - fall within scope or their clients' supply-chain review scope. DORA's ICT risk management, third-party ICT risk, and incident classification requirements map closely to ISO 27001 controls. Firms with ISO 27001-grade evidence are not starting from zero on DORA - the risk register, incident records, supplier assurance and management review structure translate directly.
Enterprise merchants, aggregators and PSP counterparties include security requirements in their contracts with increasing specificity. ISO 27001 certification or demonstrated readiness is referenced alongside PCI DSS in technology-partner and processor agreements. Where it is not an explicit contractual requirement, it is routinely asked for in annual or onboarding security questionnaires. A payment company that can show ISO 27001 readiness - with a real evidence base behind it - reduces friction in every commercial relationship that involves a security review, without running the same evidence-gathering exercise repeatedly.
ISO 27001 readiness as a unified evidence base for payments.
The evidence that satisfies an ISO 27001 auditor - access reviews, change approvals, key management records, incident evidence, supplier assessments, risk treatment decisions, management review - is the same evidence a card scheme security programme audit, a sponsor bank review, a DORA risk assessment and an enterprise merchant questionnaire will ask for. Building this evidence base once, anchored in PCI DSS and extended for ISO, is more efficient and more defensible than maintaining separate responses for each audience.
Before Kellwick
PCI gives confidence. ISO 27001 requires evidence. Not the same thing.
After Kellwick
One evidence base. Both frameworks. No duplication.
Typical starting points
Final scope and pricing are confirmed after a readiness call.
Scoped on a call
PSPs and payment companies that need a fast external view before a scheme review, sponsor bank audit or ISO 27001 Stage 1.
Scoped on a call
Payment companies preparing seriously for ISO 27001 certification with PCI DSS already in place.
Scoped on a call
Teams that need support through remediation, scheme reviews, surveillance and evidence quality maintenance.
This is for you if
This is not for you if
Why Kellwick
Kellwick is built for practical ISO 27001 readiness in high-complexity technology environments. We understand payments infrastructure, PCI DSS control environments, scheme security requirements, settlement and reconciliation operations, and the evidence discipline that payment auditors expect.
ISO 27001 for a payment company is not the same as ISO 27001 for a SaaS product. Settlement change freezes, HSM access, sponsor bank obligations and scheme security programmes require readiness support that understands the business - not just the standard.
Led by a certified ISO 27001 Lead Auditor
CQI/IRCA certified ISO/IEC 27001:2022 Lead Auditor. IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
FAQ
Yes, but the work is much smaller than starting from scratch. PCI DSS and ISO 27001 share significant ground - access reviews, change management, cryptographic controls, incident logging, supplier assurance. Most of that evidence carries across. The genuine ISO-specific requirements are management review, internal audit, a risk register, a Statement of Applicability and an explicit ISMS scope. Kellwick maps your PCI evidence onto Annex A and closes only the genuine gaps.
Visa, Mastercard and sponsor banks have tightened third-party and partner security requirements under their own regulatory obligations. Their security programmes increasingly name ISO 27001 alongside PCI as a condition for scheme membership, onboarding and contract maintenance. The demand is driven by their own regulators requiring them to demonstrate supply-chain security governance.
Most of it can, with mapping. Access reviews, change approval records, key management evidence, incident logs and supplier assurance documents built for PCI all satisfy corresponding ISO Annex A controls. The work is organising the evidence so it is legible to an ISO auditor and closing the controls PCI does not address at all.
The main ISO-specific requirements are: a formal management review of ISMS performance (documented and evidenced), a completed internal audit (mandatory ISO clause, not a PCI requirement), a risk register specific to the business and its context, a Statement of Applicability covering all Annex A controls with justification, and explicit ISMS scope documentation. These are the most common gaps for PCI-mature payment companies approaching ISO.
No. Kellwick provides ISO 27001 readiness advisory, evidence mapping and gap remediation. PCI QSA assessments are conducted by Qualified Security Assessors. Where PCI evidence is relevant to ISO 27001, we help map and organise it - we do not assess PCI compliance itself.
No. ISO 27001 certificates are issued only by accredited certification bodies. Kellwick prepares payment companies for that certification process - closing gaps, mapping evidence, completing internal audit and advisory - but the certification decision is always the certification body's alone.
Usually no. Readiness work starts with documents, evidence records, access review exports, key management records, change logs, incident records and control-owner interviews. Sensitive system access should stay under your control; we work with what you can safely share.
Yes. We help structure accurate, evidence-backed answers and identify gaps before you overclaim or submit weak responses. Questionnaire answers without evidence behind them create risk with scheme and bank reviewers - the same evidence that satisfies ISO also answers most of their questions.
From the blog
Evidence, access control, PCI DSS and ISO 27001 for payment companies and PSPs.
Most risk assessments are theatre that engineers ignore. Here is how to run one that reflects real threats and actually changes what your team builds.
Read →ISO 27001 ReadinessScoping is the single decision that shapes cost, timeline and audit risk. For multi-product SaaS, getting it wrong is expensive in both directions.
Read →ISO 27001 ReadinessA practical, end-to-end guide to getting a SaaS company genuinely ready for ISO 27001 - scope, risk, SoA, evidence, control ownership and the operating rhythm that survives an audit.
Read →Not ready to talk?
Start with the ISO 27001 evidence checklist - a practical list of what ISO 27001 expects from a payments company, mapped to the controls auditors, schemes and sponsor banks check first.
Map the evidence once. Close the genuine gaps. Satisfy the scheme, the standard and the sponsor bank.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.