Case study · FinTech

ISO 27001 and SOC 2 as a single programme

One CyPro practitioner took Pactio from no ISMS to ISO 27001 and SOC 2 together, with every control earning its place.

Client

Pactio

Pactio logo

Outcome

ISO 27001 and SOC 2 both landed inside seven months

The starting point

Pactio’s market puts the security questionnaire in front of the contract: enterprise customers wanted ISO 27001, US-influenced buyers wanted SOC 2, and investor due diligence wanted evidence of both. The team was small and entirely committed to shipping product. Running two certification programmes side by side in-house was not an option, and hiring someone to do it would have taken longer than the certifications.

The approach

CyPro assigned one practitioner to own both frameworks as one body of work. Where ISO 27001 and SOC 2 examine the same ground, and they mostly do, the evidence was produced once and mapped to each. Control selection stayed ruthless: measures went in because they cut genuine risk for a cloud-native FinTech, not because a template listed them. Evidence collection was designed into the team’s ordinary week, so no audit-eve scramble ever happened.

The outcome

Seven months from a standing start, both certificates were in hand, and Pactio’s measured cyber risk had fallen over the same period. That last part is the point: the audits passed because the company had become more secure, which is what an ISMS is supposed to do before it is supposed to impress anyone.

"Within 7 months Pactio achieved both ISO and SOC2 compliance, as well as reduced overall cyber risk."
Sophie Fallen , Operations Lead, Pactio
3D rocket illustration for booking a free ISO 27001 scoping call

Take the first step

Get to ISO 27001 without the guesswork

Book a free 45 minute scoping call: where your ISMS stands today, what the UKAS audit will demand, and one fixed fee for getting there. No obligation, no hard sell.