February 15, 2025 | 2 min read | Kevin Lam

Landing a $1.5M Deal Through an ISO 27001 Advisory Engagement

Account Executive, ISO 27001, Advisory, SaaS, Compliance

The Challenge

A fast-growing SaaS company was pursuing ISO 27001 certification to win enterprise customers who required it. They had hired an audit firm but were struggling with the access control requirements in Annex A. Their existing authentication was basic — single-factor passwords for most systems with MFA only for the AWS console.

The Approach

I offered to conduct a complimentary gap analysis specifically focused on the access control requirements of ISO 27001 Annex A (A.9). The analysis revealed 12 gaps that needed remediation before their certification audit. I mapped each gap to a specific capability in our platform and created a remediation timeline that aligned with their audit schedule.

Beyond the product, I provided advisory guidance on access control policies, user access reviews, and privilege management processes that the audit firm would expect to see. This positioned me as a compliance partner rather than a vendor trying to sell product into their audit timeline.

The Result

The SaaS company purchased our platform at $1.5M for 2,000 employees plus the professional services to deploy before their audit date. They achieved ISO 27001 certification on their first attempt, and the certification helped them close three enterprise customers in the following quarter. The CISO credited our advisory approach as instrumental to their certification success.

Key Takeaway

Compliance certifications are buying events. When a company is pursuing ISO 27001, SOC 2, or any other certification, they have budget allocated and a deadline to meet. Providing genuine advisory value during their preparation process builds trust and positions your product as part of the solution, not an additional burden.
