Singapore Fintech Secures ISO 27001 Certification in 7 Months for Enterprise Sales
A B2B payments startup had lost three consecutive enterprise RFPs at the procurement screening stage. ISO 27001:2022 certification changed that — unlocking an estimated SGD 2.1M in annual recurring revenue.
Enterprise RFP Requiring ISO 27001 — Repeated Lost Deals
A Singapore-based B2B payments infrastructure company had lost three consecutive enterprise RFPs — two from MAS-regulated banks and one from a government-linked corporation — at the procurement screening stage. In each case, the disqualifying criterion was the absence of ISO 27001 certification. The CEO calculated that the three lost contracts represented approximately SGD 2.1M in annual recurring revenue.
The company had 22 employees, a well-documented development process, and an existing AWS cloud infrastructure — a reasonable security baseline but no formal ISMS documentation. The gap between the company's actual security posture and a certifiable ISMS was primarily a documentation and formalisation gap rather than a fundamental security deficiency.
The timing was critical because two of the three lost RFPs had indicated they would reissue within 6–9 months. If the company could achieve certification within 7 months, they would be eligible to re-submit for at least two of the three opportunities. This created a clear business case with a measurable ROI: the certification investment would be recovered within the first year if even one of the three contracts was won.
The CEO's concern was speed without shortcuts. A certification that was achieved hastily and could not be maintained would create more problems than it solved — particularly with MAS-regulated clients who would expect ongoing compliance evidence as part of their vendor management programmes. The ISMS needed to be genuinely operational, not just paper-based.
- Three consecutive enterprise RFPs lost at procurement screening stage
- SGD 2.1M estimated ARR blocked by absence of ISO 27001 certification
- 22-employee company with reasonable security baseline but no formal ISMS
- 7-month target to be eligible for reissued RFPs
- MAS-regulated clients requiring ongoing compliance evidence
Complio-Accelerated ISMS Build and Certification
EIC deployed a structured 4-phase engagement using Complio to accelerate documentation, evidence collection, and audit preparation — compressing the typical 9–12 month certification timeline to 7 months.
Gap Analysis & Scope
Complio-assisted gap analysis. ISMS scope: Singapore operations + AWS ap-southeast-1. 34 control gaps identified. 9 new ISO 27001:2022 controls required new implementations.
ISMS Build
18 policies created. Risk assessment completed (58 risks, 12 above acceptance threshold). SoA produced for 93 Annex A controls. A.5.23 and A.8.12 implemented via AWS native controls.
Evidence & Internal Audit
Complio evidence collection workflows operational. Internal audit completed by EIC. 3 minor observations addressed. Management review conducted per Clause 9.3.
Certification Audit
Stage 1: zero major nonconformities. Stage 2: 1 minor observation (closed in 10 days). ISO 27001:2022 certificate issued.
From Zero ISMS to Certified in 7 Months
The gap analysis revealed that the company's existing security practices covered approximately 60% of ISO 27001:2022 requirements in substance — but almost none were formally documented. The development team used version control, code review processes, and infrastructure-as-code practices that aligned well with several Annex A controls. The challenge was formalising these practices into documented policies, procedures, and evidence records that a certification body auditor would accept.
Complio accelerated this process significantly. Rather than starting from blank policy templates, EIC's team configured Complio with the company's existing practices and generated policy documents that reflected what the company actually did — not generic boilerplate. This approach meant that staff did not need to change their workflows; the ISMS documented and formalised existing good practice rather than imposing new processes that would be difficult to sustain.
The risk assessment identified 58 risks, of which 12 exceeded the acceptance threshold and required treatment plans. The highest-priority risks were related to cloud infrastructure (AWS account security, S3 bucket configuration, IAM role management) and third-party supplier management (payment processor SLAs, cloud provider incident notification). Treatment plans for all 12 risks were implemented and documented in Complio before the Stage 1 audit.
The nine new ISO 27001:2022 controls that required implementation included A.5.23 (information security for use of cloud services), A.8.12 (data leakage prevention), and A.5.7 (threat intelligence). For a cloud-native company, these controls aligned well with AWS-native security features — the implementation involved configuring and documenting existing AWS capabilities rather than deploying new tools.
Measurable Outcomes
We stopped losing deals we should have won. ISO 27001 took us from 'pending approval' to 'approved supplier' in our three biggest target accounts. The ROI was obvious before the certificate even arrived.