The Challenge
A regulated technology company found itself without dedicated GRC staff, six months before a scheduled ISO 27001 certification audit. The ISMS had fallen into disarray: governance meetings had gone dormant, policies had proliferated without coherence, evidence collection processes had broken down, and several required technical controls were either missing or incomplete.
The company also needed to maintain SOC 2 and HIPAA compliance on the same audit timeline, with a separate HITRUST assessment running in parallel. They needed someone to step in and drive all four frameworks to completion.
The Starting Point
The state of the program when I took over:
Governance had stalled. The ISMS steering committee, a cross-functional leadership body, hadn’t met in months. There was no active management review process, no risk treatment tracking, and no executive visibility into the program’s status.
Policies had accumulated rather than evolved. The previous team’s approach was to create a new policy for every requirement rather than updating existing ones. This resulted in approximately 45 policies, many overlapping, some contradictory, and few aligned with how the organization actually operated. The documentation looked comprehensive on paper but didn’t reflect reality.
Evidence integrity was compromised. Existing evidence packages contained inconsistencies that would not have withstood auditor scrutiny. The entire evidence collection process needed to be rebuilt to ensure every artifact was current, verifiable, and traceable to a live control.
Technical controls had gaps. AWS security controls and software development lifecycle practices had not kept pace with the framework requirements. There was no formal threat modeling program, and security tooling in the development pipeline was incomplete.
Approach
Governance and Leadership
I restarted the ISMS steering committee with cross-functional leadership participation, reestablishing the governance cadence the certification required. I served as the primary point of contact with the external auditor for all frameworks, managed audit calls, and presented program status and results to the executive leadership team.
Policy Consolidation
Rather than patching the existing policy library, I consolidated it, reducing 45 policies to 25 by merging overlapping documents, eliminating redundancy, and rewriting each policy to reflect actual operational practices. The result was a leaner, more maintainable policy set where every document served a clear purpose and mapped cleanly to Annex A controls.
Evidence Collection
I rebuilt the evidence collection process from the ground up and directed evidence gathering across the organization, managing a team member dedicated to evidence collection while coordinating directly with directors and managers across departments to source artifacts. Every piece of evidence was validated as current and traceable before it went into the audit package.
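The three properties named above, current, verifiable, and traceable to a live control, can be checked mechanically before anything goes into the audit package. The script below is an added illustration, not the process or tooling from this engagement: it validates a small constructed evidence inventory against a constructed control register (the control ids, artifact bytes, dates and the 90-day freshness window are all assumptions chosen for the example) and also reports live controls that are left without passing evidence, which is the gap an auditor would find first.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str
    status: str  # "live" or "retired"


@dataclass(frozen=True)
class Evidence:
    artifact_id: str
    control_id: str    # the control this artifact is meant to demonstrate
    collected_on: date
    sha256: str        # hash recorded at collection time, so later edits are detectable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_evidence(evidence: List[Evidence], controls: Dict[str, Control],
                      artifacts: Dict[str, bytes], as_of: date,
                      max_age_days: int = 90) -> Dict[str, List[str]]:
    """Map each artifact id to its findings; an empty list means the artifact is audit-ready."""
    findings: Dict[str, List[str]] = {}
    for ev in evidence:
        issues: List[str] = []
        # Traceable: the artifact must point at a control that still exists and is still live.
        control = controls.get(ev.control_id)
        if control is None:
            issues.append(f"not traceable: {ev.control_id} is not in the control register")
        elif control.status != "live":
            issues.append(f"not traceable: {ev.control_id} is {control.status}")
        # Current: older than the freshness window is not acceptable as proof of operation.
        age = (as_of - ev.collected_on).days
        if age > max_age_days:
            issues.append(f"not current: collected {age} days ago (limit {max_age_days})")
        # Verifiable: the stored artifact must still match the hash recorded when it was collected.
        data = artifacts.get(ev.artifact_id)
        if data is None:
            issues.append("not verifiable: artifact bytes are missing")
        elif sha256_hex(data) != ev.sha256:
            issues.append("not verifiable: artifact changed since its hash was recorded")
        findings[ev.artifact_id] = issues
    return findings


def uncovered_live_controls(findings: Dict[str, List[str]], evidence: List[Evidence],
                            controls: Dict[str, Control]) -> List[str]:
    """Live controls with no passing artifact: these need fresh evidence before the audit."""
    covered = {ev.control_id for ev in evidence if not findings[ev.artifact_id]}
    return sorted(c.control_id for c in controls.values()
                  if c.status == "live" and c.control_id not in covered)


# --- Constructed sample data (assumptions for this example, not engagement data) ---
AS_OF = date(2024, 6, 1)  # audit-package cut-off date

CONTROLS = {c.control_id: c for c in [
    Control("A.5.1", "live"),      # illustrative ids in Annex A style
    Control("A.8.15", "live"),
    Control("A.8.24", "live"),
    Control("A.5.37", "retired"),  # superseded during the policy consolidation
]}

ARTIFACTS = {
    "EV-001": b"Policy approval record, signed 2024-05-20",
    "EV-002": b"Log retention configuration export",
    "EV-003": b"Operating procedure export (old process)",
    "EV-004": b"Key rotation report",
}

EVIDENCE = [
    Evidence("EV-001", "A.5.1", date(2024, 5, 20), sha256_hex(ARTIFACTS["EV-001"])),
    Evidence("EV-002", "A.8.15", date(2023, 11, 1), sha256_hex(ARTIFACTS["EV-002"])),  # stale
    Evidence("EV-003", "A.5.37", date(2024, 5, 1), sha256_hex(ARTIFACTS["EV-003"])),   # retired control
    Evidence("EV-004", "A.8.24", date(2024, 5, 28), sha256_hex(b"Key rotation report (edited)")),  # altered
]

FINDINGS = validate_evidence(EVIDENCE, CONTROLS, ARTIFACTS, AS_OF)
GAPS = uncovered_live_controls(FINDINGS, EVIDENCE, CONTROLS)

if __name__ == "__main__":
    for artifact_id, issues in FINDINGS.items():
        print(artifact_id, "OK" if not issues else "; ".join(issues))
    print("live controls without passing evidence:", GAPS)
```

Running this on the constructed inventory leaves only EV-001 audit-ready, and flags that two live controls still need fresh, matching evidence. The same structure scales to a real register by loading the control list and the evidence index from the GRC tool or spreadsheet and hashing the actual files.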
Risk Assessment and Business Impact Analysis
I conducted a comprehensive risk assessment aligned with ISO 27001 Clause 6.1.2 requirements, identifying and evaluating information security risks across the organization. This included establishing the risk criteria, risk acceptance thresholds, and a repeatable assessment methodology the organization could maintain independently.
I also performed a business impact analysis to identify critical business processes, their dependencies on information systems, and the potential impact of disruption. The BIA directly informed the risk treatment plan and ensured that control investments were prioritized based on actual business impact, not just technical severity.
Technical Control Implementation
AWS security controls. Implemented missing controls across the cloud environment to close gaps identified during the internal assessment, covering areas including encryption, access management, logging, and network segmentation.
Secure development lifecycle. Introduced SAST and DAST tooling into the CI/CD pipeline, established secure code review practices, and implemented formal threat modeling using the STRIDE methodology. Threat modeling was entirely new to the organization and required both process design and team training.
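To make the STRIDE step concrete, the following is an added example of STRIDE-per-element threat enumeration over a small data-flow diagram; it is not the organization's threat model or tooling, and the system elements (a browser, an orders API, its database, and the two flows between them) are constructed for illustration. It encodes the standard applicability matrix (which STRIDE categories are considered for external entities, processes, data stores and data flows), ranks flows that cross a trust boundary higher, and phrases each threat as the security property the team has to defend, which is the form that feeds cleanly into control selection and the risk register.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# STRIDE-per-element: the categories normally in scope for each DFD element type.
APPLICABLE: Dict[str, Set[str]] = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "data_store": {"Tampering", "Repudiation", "Information disclosure", "Denial of service"},
    "data_flow": {"Tampering", "Information disclosure", "Denial of service"},
}

# The security property each STRIDE category attacks; used to phrase the control objective.
PROPERTY = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation (audit logging)",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the keys of APPLICABLE
    crosses_boundary: bool = False  # data flows crossing a trust boundary get reviewed first


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    control_objective: str
    priority: str


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element to every DFD element and return the candidate threat list."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind}")
        for category in STRIDE:  # keep canonical STRIDE order for a stable report
            if category not in APPLICABLE[el.kind]:
                continue
            priority = "high" if el.crosses_boundary else "normal"
            objective = f"enforce {PROPERTY[category]} for '{el.name}'"
            threats.append(Threat(el.name, category, objective, priority))
    return threats


def threats_by_element(threats: List[Threat]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.element] = counts.get(t.element, 0) + 1
    return counts


# Constructed data-flow diagram (an assumption for this example, not a real system).
EXAMPLE_MODEL = [
    Element("Customer browser", "external_entity"),
    Element("Orders API", "process"),
    Element("Orders database", "data_store"),
    Element("Browser -> Orders API (HTTPS)", "data_flow", crosses_boundary=True),
    Element("Orders API -> Orders database (SQL)", "data_flow"),
]

if __name__ == "__main__":
    for t in enumerate_threats(EXAMPLE_MODEL):
        print(f"[{t.priority:6}] {t.category:22} {t.element}: {t.control_objective}")
```

The output is a starting checklist, not a finished model: the team still has to confirm which candidate threats are real for the system, record the chosen mitigation or an accepted risk against each one, and carry the open items into the risk treatment plan. Running the enumeration on the constructed model yields 18 candidates, three of them high priority because they sit on the flow that crosses the trust boundary.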
Multi-Framework Coordination
ISO 27001, SOC 2, and HIPAA were bundled into a single audit engagement to maximize efficiency and minimize disruption to the business. HITRUST was managed as a separate assessment on its own timeline. Control mappings across all four frameworks ensured that work done for one framework satisfied requirements across the others wherever possible.
Results
ISO 27001 certified on the first attempt. The audit resulted in zero major nonconformities, one minor nonconformity, and two opportunities for improvement. For a program that was in disarray six months prior, this outcome reflected the depth of the rebuild.
SOC 2 and HIPAA audits completed successfully on the same timeline, with the bundled approach reducing duplicate evidence collection and audit fatigue across the organization.
HITRUST assessment completed on its separate track without delays.
What the Client Retained
Beyond the certifications themselves, the organization came out of the engagement with:
- A consolidated, maintainable policy library (25 policies, down from 45)
- An active ISMS steering committee with established governance cadence
- A clean, verifiable evidence collection process
- A repeatable risk assessment methodology and completed business impact analysis
- Threat modeling integrated into the development lifecycle
- SAST/DAST tooling embedded in CI/CD
- Teams trained on what to expect, and what to maintain, for the next surveillance audit
The program was designed to be sustainable without a dedicated GRC team, with clear ownership, documented processes, and a framework that the organization could maintain going forward.