From 0 to ISO 27001: security transformation at a fast-growing scale-up
About the organisation
SaaS scale-up with 280 employees and a platform processing financial data for 1,200 business clients in the Benelux. Received Series B funding of 35 million euros, but enterprise clients such as banks and insurers required ISO 27001 certification as a prerequisite for contracts above 100,000 euros per year.
The Challenge
The scale-up had no security team, no formal security governance, and no ISMS (Information Security Management System). The CTO handled security 'on the side', but with growth from 80 to 280 employees in 2 years, this was unsustainable. An enterprise deal worth 2.2 million euros per year was on hold until ISO 27001 certification was achieved.
The CEO set a deadline of 9 months for certification. This meant working in parallel: building a security team, implementing an ISMS, deploying technical controls in the AWS environment, and preparing the organisation for the certification audit. Combining the speed of a scale-up with the discipline of an ISO implementation is one of the toughest challenges in cybersecurity.
Our Solution
MVPeople Group deployed a combination of MVPeople (interim) and MVProjects (statement of work). The interim CISO — an experienced professional with 3 previous ISO 27001 certification journeys at scale-ups — started immediately on the gap analysis and on setting up the ISMS. Four security engineers were deployed via MVProfessionals for the technical implementation: AWS security hardening, SIEM setup (Datadog Security), CI/CD pipeline security, and endpoint protection rollout.
MVProjects delivered project management and ISO 27001 implementation as a defined work package: from initial gap analysis and risk assessment, through drafting 28 policy measures, to guiding the internal audit and preparing for the Stage 1 and Stage 2 audit by the certification body. Simultaneously, MVPrentice helped recruit a junior security engineer who would remain as a permanent team member after certification.
Results
- ISO 27001 certification achieved within 9 months (on deadline)
- Security team built from 0 to 6 FTE (CISO + 5 engineers)
- Enterprise deal of 2.2 million euros per year signed within 2 weeks of certification
- AWS Security Hub score increased from 23% to 94%
- Enterprise segment client portfolio tripled within 6 months of certification
“MVPeople was not just our recruiter, but our trusted advisor. The interim CISO they delivered had completed exactly this journey three times before at similar scale-ups. That experience was the difference between certification on time or a six-month delay.”
What the team says
“The combination of interim CISO, security engineers and the ISO project as a statement of work was exactly what we needed. One partner for everything, no hassle with multiple suppliers.”
“Our AWS Security Hub score went from 23% to 94%. The security engineers MVPeople delivered knew our type of platform and could get started immediately.”