Case Study: Implementing ISO 27001, GDPR, and NIS 2 for a Mid‑Size Financial Services Client


Background

A mid‑size fintech firm providing solutions for small‑to‑medium enterprises sought to align its information‑security posture with international standards and EU regulatory mandates. The client needed to demonstrate compliance with ISO 27001:2022, the General Data Protection Regulation (GDPR), and the NIS 2 Directive while maintaining the agility required for rapid product development. The engagement was structured around a PDCA cycle (Plan, Do, Check, Act) to embed continuous improvement into the organization’s governance framework.

 

Industry Sector-Specific Challenges

  1. Rapidly evolving product pipelines and cloud‑native architectures made it difficult to map legacy security controls to new ISO 27001 clauses.
  2. The firm’s customer base spanned multiple EU jurisdictions, amplifying the complexity of GDPR data‑processing and cross‑border transfer obligations.
  3. NIS 2’s broader scope and stricter incident‑reporting obligations (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month) required an incident‑response capability that exceeded the existing incident‑management process. Where sector‑specific EU law such as DORA applies to a financial entity, those requirements take precedence, so the scoping exercise had to establish which regime governed each service.
  4. Internal stakeholders, from developers to product managers, had limited awareness of compliance requirements, necessitating a cultural shift toward security‑first thinking.

 

Approach and Methodology

The project began with a context‑of‑the‑organisation assessment (ISO 27001 clause 4) to identify the ISMS boundaries, interested parties and their expectations, and the firm’s risk appetite. A risk‑based audit framework was then applied, combining document and evidence review with walkthroughs of the underlying processes, to surface gaps across the organization’s controls. An ISO 27001 checklist guided the implementation of policies, roles, and responsibilities, ensuring that every mandatory clause (4 to 10) and every applicable Annex A control (5.1 to 8.34 in the 2022 edition) was addressed, with exclusions justified in the Statement of Applicability.

The GDPR component involved a data‑mapping exercise to identify personal data flows (including cross‑border transfers and the processors involved), followed by a data protection impact assessment (DPIA, GDPR Article 35) for each new service. To comply with NIS 2, we set up a critical‑asset register, a process for classifying and reporting cyber incidents within the directive’s notification deadlines, and a cyber risk assessment that reused the ISO 27001 risk matrix so that both regimes were fed from a single risk register.

 

Tool Usage
ServiceNow GRC was used as the system of record for compliance artifacts (policies, control mappings, risk register, audit evidence). The platform was leveraged to:

  1. Automate the case queue for information‑security queries, so that requests from the business were tracked and routed in the same way the client already handled other case‑management work.
  2. Capture and track audit evidence for ISO 27001 and GDPR, feeding the weekly reporting dashboards that kept senior leadership informed.
  3. Integrate with the firm’s cloud provider APIs to continuously monitor configuration changes, raising findings against the relevant controls (including the mobile‑device and teleworking controls) when a setting drifted from the approved baseline.
  4. Set up incident‑management workflows that meet the NIS 2 notification deadlines (24‑hour early warning, 72‑hour incident notification, final report within one month), including automatic escalation steps and evidence collection for regulatory review.
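The two automation points above, configuration‑drift monitoring (item 3) and the NIS 2 reporting clock (item 4), are illustrated by the following added example. It is not code from the case study or from ServiceNow: the setting names, the baseline values and the snapshot are constructed, and the mapping of each setting to an ISO 27001:2022 Annex A control is one reasonable choice, not the client’s. The NIS 2 deadlines follow Article 23(4): early warning within 24 hours and incident notification within 72 hours of becoming aware of a significant incident, and a final report no later than one month after the incident notification was submitted. Whether an incident is "significant" is a judgement under Article 23(3) and is not encoded here.

```python
"""Added example (not from the case study or ServiceNow): config-drift
findings mapped to ISO 27001:2022 Annex A controls, plus the NIS 2
Article 23 reporting clock. All setting names and data are constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Baseline: expected value of each monitored setting and the Annex A control
# the evidence is filed against. Setting names are assumptions, not any
# provider's real API fields.
BASELINE = {
    "storage.public_access_blocked": (True, "A.8.9 Configuration management"),
    "storage.encryption_at_rest": ("AES-256", "A.8.24 Use of cryptography"),
    "iam.mfa_required_for_console": (True, "A.5.17 Authentication information"),
    "logging.audit_trail_enabled": (True, "A.8.15 Logging"),
    "vpn.required_for_remote_admin": (True, "A.6.7 Remote working"),
}

# Constructed snapshot: MFA has been switched off and the VPN setting is
# absent from the export altogether.
SAMPLE_SNAPSHOT = {
    "storage.public_access_blocked": True,
    "storage.encryption_at_rest": "AES-256",
    "iam.mfa_required_for_console": False,
    "logging.audit_trail_enabled": True,
}
SAMPLE_TIME = datetime(2024, 1, 31, 10, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class DriftFinding:
    setting: str
    expected: object
    observed: object
    control: str
    snapshot_time: datetime


def detect_drift(snapshot: dict, snapshot_time: datetime) -> list[DriftFinding]:
    """Compare one flattened config snapshot against BASELINE.
    A setting missing from the snapshot is reported as drift too: 'unknown'
    is not evidence that the control is in place."""
    findings = []
    for setting, (expected, control) in BASELINE.items():
        observed = snapshot.get(setting, "<missing>")
        if observed != expected:
            findings.append(DriftFinding(setting, expected, observed, control, snapshot_time))
    return findings


def evidence_records(findings: list[DriftFinding]) -> list[dict]:
    """Render findings as flat records a GRC platform could ingest as evidence."""
    return [
        {
            "control": f.control,
            "setting": f.setting,
            "expected": f.expected,
            "observed": f.observed,
            "observed_at": f.snapshot_time.isoformat(),
            "status": "non_compliant",
        }
        for f in findings
    ]


def add_one_month(t: datetime) -> datetime:
    """Calendar-month arithmetic, clamping the day (31 Jan -> 29 Feb in 2024)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def nis2_reporting_deadlines(became_aware: datetime,
                             notification_sent: datetime | None = None) -> dict[str, datetime]:
    """NIS 2 Article 23(4) clock for a significant incident. The final-report
    deadline runs from the notification actually submitted; if it has not been
    sent yet, the 72-hour deadline is used as the latest possible start."""
    notification_due = became_aware + timedelta(hours=72)
    return {
        "early_warning": became_aware + timedelta(hours=24),
        "incident_notification": notification_due,
        "final_report": add_one_month(notification_sent or notification_due),
    }


if __name__ == "__main__":
    for rec in evidence_records(detect_drift(SAMPLE_SNAPSHOT, SAMPLE_TIME)):
        print(rec)
    for name, due in nis2_reporting_deadlines(SAMPLE_TIME).items():
        print(f"{name}: {due.isoformat()}")
```

In a real deployment the snapshot would come from the provider’s configuration or audit API on a schedule, and each record would be attached to the control in the GRC platform so the auditor sees the drift, the time it was observed, and the remediation ticket together.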

 

Key Outcomes

  • The organization achieved ISO 27001:2022 certification within 12 months, with no major non‑conformities raised during the certification audit.
  • GDPR compliance was validated through a third‑party privacy assessment, confirming that all data‑processing activities met the principles of lawfulness, fairness, and transparency.
  • A NIS 2 readiness score of 92% was achieved, reflecting robust incident‑response capabilities and an updated critical‑infrastructure register.
  • ServiceNow GRC reduced manual compliance reporting effort by 60%, freeing up security staff to focus on emerging threats.

 

Lessons Learned

  1. Embedding compliance into the development lifecycle (e.g. secure‑by‑design reviews) mitigates the risk of rework once the ISO 27001 audit is complete.
  2. Continuous training and awareness ensure that security controls are understood and adhered to across the organization.
  3. Leveraging a single, integrated GRC platform not only streamlines evidence collection but also provides real‑time visibility into compliance posture, a critical advantage for fintech firms operating under fast‑moving regulatory landscapes.

The engagement shows that a structured, risk‑based approach, supported by an integrated GRC platform such as ServiceNow GRC, lets a company meet ISO 27001, GDPR, and NIS 2 obligations from a single risk register and evidence base without giving up the operational agility a fintech depends on.

 
