Case study · FinTech

Two certifications, one evidence trail, seven months

CyPro ran Pactio's ISO 27001 and SOC 2 as a single programme, with each control chosen for the risk it cut, not the box it ticked.

Client

Pactio

Pactio logo

Outcome

ISO 27001 and SOC 2 both landed inside seven months

Why certification mattered

In Pactio’s market the security questionnaire lands before the contract does: enterprise buyers and investors both expect ISO 27001 and SOC 2 before serious conversations progress. The team was small, shipping product at pace, and had no spare capacity to run two certification programmes in parallel. Recruiting someone to do it would have taken longer than the certifications needed to.

What CyPro did

A single CyPro practitioner owned both frameworks and treated them as one body of work. Wherever ISO 27001 and SOC 2 ask overlapping questions, the evidence was produced once and mapped to both. Control decisions favoured substance over ceremony, prioritising the measures that genuinely reduce risk for a cloud-native FinTech, and evidence collection was folded into the team’s normal week so no pre-audit scramble was ever needed.

The result

From a standing start, both certificates arrived within seven months, and Pactio’s measured cyber risk fell across the same period. That is the outcome certification programmes are supposed to produce and often do not: the audits passed because the business became more secure, not because the paperwork said so.

"Within 7 months Pactio achieved both ISO and SOC2 compliance, as well as reduced overall cyber risk."
Sophie Fallen , Operations Lead, Pactio
3D rocket illustration for booking a free certification discovery call

Take the first step

Get Cyber Essentials Plus without the guesswork

Book a free 45 minute discovery call to scope your certification: what the audit will test, what needs fixing first, and exactly what it will cost. No obligation, no hard sell.