Financial services firm achieves ISO 27001 on first attempt
Achieved ISO 27001 certification on the first audit attempt with zero major non-conformities.
A 60-person wealth management firm needed ISO 27001 certification to satisfy the requirements of institutional clients who were making it a condition of continued business. The firm had good security practices in many areas but lacked the formal documentation and structured approach that ISO 27001 demands.
The challenge was not starting from scratch, but formalising what already existed, filling the gaps, and building the evidence base that auditors would need to see. The team needed guidance on what auditors actually look for and how to present their controls effectively.
The challenge
What we found when we assessed the existing environment.
Client requirements
Institutional clients were making ISO 27001 certification a condition of continued business. Without it, the firm risked losing key accounts that represented a significant portion of revenue.
Documentation gaps
Many good security controls were in place but poorly documented. Evidence was scattered across emails, spreadsheets, and informal processes. Nothing was structured for audit.
Control gaps
Several areas required new controls: formal access management processes, a complete asset inventory, supplier security management, and documented business continuity procedures.
First-time certification
The internal team had no experience with ISO 27001 audits. They needed guidance on what auditors would expect, how to present evidence, and how to handle the assessment process.
“ISO 27001 seemed daunting at first, but Bigfoot made the technical side straightforward. They knew exactly what the auditors would look for and made sure we were ready. Passing on our first attempt was a huge relief.”
Head of Compliance
Our approach
How we delivered the solution, phase by phase.
Gap analysis
Conducted a detailed assessment against every ISO 27001 Annex A control. Identified what was already in place, what needed formalising, and what was missing entirely. Prioritised remediation based on risk and audit readiness.
Technical controls
Implemented missing technical controls including formal access management with joiner, mover, and leaver processes, a complete asset register, centralised logging and monitoring, and regular backup testing with documented results.
Documentation
Formalised all IT and security policies. Documented every control with evidence that auditors could verify. Created the management system documentation including the Statement of Applicability and risk treatment plan.
Audit preparation
Ran internal audits to test readiness. Prepared evidence packs organised by control area. Briefed all staff on their roles and responsibilities during the assessment. Addressed any findings before the external audit.
Certification audit support
Attended both Stage 1 and Stage 2 audits alongside the firm. Answered technical questions, provided supporting evidence, and addressed minor non-conformities in real time during the assessment.
Key controls implemented
The specific technical and process controls we put in place.
Access management
Formal joiner, mover, and leaver processes with complete audit trails. Regular access reviews and privileged access management to ensure only the right people have access to sensitive systems.
Asset management
Complete hardware and software register with defined ownership for every asset. Automated discovery to ensure the register stays current as the environment changes.
Logging and monitoring
Centralised logging across all critical systems with 12-month retention. Security event monitoring with alerting for suspicious activity and regular log reviews.
Business continuity
Documented backup procedures with regular testing and verified recovery. Defined recovery time objectives for every critical system and a tested continuity plan.
Vulnerability management
Regular vulnerability scanning across all systems. Patch management with defined SLAs for critical, high, and medium severity vulnerabilities. Annual penetration testing.
Supplier management
Security requirements defined in all supplier contracts. Regular supplier security reviews and assessments. Risk-based approach to managing third-party access to systems and data.
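The access management control above rests on two recurring activities: reconciling live accounts against the HR joiner/mover/leaver record, and producing an audit trail that shows the review happened and what was done about each finding. The script below is an added example of that reconciliation, not code from Bigfoot or the firm; the roster and account export are constructed sample data, and the role-to-privilege rule and the service-account owner table are assumptions for illustration.

```python
"""Quarterly access review: reconcile an HR roster with a system's account
export, flag leavers still enabled, unowned accounts and privilege that does
not match the person's role, and emit an audit-trail record.
All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: 'left' is an ISO date once the leaver process has run.
HR_ROSTER = [
    {"user": "a.patel", "role": "adviser", "left": None},
    {"user": "b.jones", "role": "adviser", "left": "2024-03-15"},
    {"user": "c.smith", "role": "it-admin", "left": None},
    {"user": "d.lee", "role": "operations", "left": None},
]

# Constructed account export from one in-scope system (e.g. the portfolio platform).
SYSTEM_ACCOUNTS = [
    {"user": "a.patel", "enabled": True, "privileged": False},
    {"user": "b.jones", "enabled": True, "privileged": False},    # leaver, still enabled
    {"user": "c.smith", "enabled": True, "privileged": True},
    {"user": "d.lee", "enabled": True, "privileged": True},       # privileged, non-IT role
    {"user": "svc-backup", "enabled": True, "privileged": True},  # service account, not a person
    {"user": "e.old", "enabled": False, "privileged": True},      # already disabled, ignored
]

# Assumption: only these roles may hold privileged (admin) access.
PRIVILEGED_ROLES = {"it-admin"}
# Assumption: non-person accounts are registered with a named human owner.
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "c.smith"}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    action: str


def review_access(roster, accounts, review_date,
                  privileged_roles=PRIVILEGED_ROLES,
                  service_owners=SERVICE_ACCOUNT_OWNERS):
    """Return the list of findings for one system; an empty list is a clean review.

    review_date is an ISO date string so the function is easy to drive from a
    scheduler or a test without extra imports."""
    today = date.fromisoformat(review_date)
    people = {p["user"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not a risk for this review
        name = acct["user"]

        # Service accounts are checked for a current owner rather than an HR record.
        if name in service_owners:
            owner = people.get(service_owners[name])
            if owner is None or owner["left"]:
                findings.append(Finding(name, "service account owner has left", "reassign owner"))
            continue

        person = people.get(name)
        if person is None:
            findings.append(Finding(name, "no matching HR record", "disable and investigate"))
            continue

        # Leaver process: anyone whose leaving date has passed must be disabled.
        if person["left"] and date.fromisoformat(person["left"]) <= today:
            findings.append(Finding(name, f"leaver since {person['left']} still enabled",
                                    "disable account"))
            continue

        # Least privilege: admin rights must match an approved role.
        if acct["privileged"] and person["role"] not in privileged_roles:
            findings.append(Finding(name, f"privileged access with role {person['role']}",
                                    "remove privilege or record approved exception"))
    return findings


def audit_record(findings, reviewer, review_date, system):
    """Render the evidence line auditors ask for: who reviewed what, when, and the outcome."""
    lines = [f"access-review system={system} date={review_date} reviewer={reviewer} "
             f"findings={len(findings)}"]
    for f in findings:
        lines.append(f'  user={f.user} issue="{f.issue}" action="{f.action}"')
    return "\n".join(lines)


if __name__ == "__main__":
    results = review_access(HR_ROSTER, SYSTEM_ACCOUNTS, "2024-04-01")
    print(audit_record(results, "head-of-compliance", "2024-04-01", "portfolio-platform"))
```

Run once per in-scope system and keep the printed record with the ticket numbers for each action; together they are the evidence that access reviews are both regular and acted upon, which is what the control requires.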
Want results like these?
Every business starts somewhere. Whether you need ISO 27001 certification, compliance support, or strategic IT guidance, we can help.