The starting point
Pactio’s market puts the security questionnaire in front of the contract: enterprise customers wanted ISO 27001, US-influenced buyers wanted SOC 2, and investor due diligence wanted evidence of both. The team was small and entirely committed to shipping product. Running two certification programmes side by side in-house was not an option, and hiring someone to do it would have taken longer than the certifications.
The approach
CyPro assigned one practitioner to own both frameworks as one body of work. Where ISO 27001 and SOC 2 examine the same ground, and they mostly do, the evidence was produced once and mapped to each. Control selection stayed ruthless: measures went in because they cut genuine risk for a cloud-native FinTech, not because a template listed them. Evidence collection was designed into the team’s ordinary week, so no audit-eve scramble ever happened.
The outcome
Seven months from a standing start, both certificates were in hand, and Pactio’s measured cyber risk had fallen over the same period. That last part is the point: the audits passed because the company had become more secure, which is what an ISMS is supposed to do before it is supposed to impress anyone.