HomeResourcesCase StudiesSingapore Fintech ISO 27001
ISO 27001FintechFintech · Singapore

Singapore Fintech Secures ISO 27001 Certification in 7 Months for Enterprise Sales

A B2B payments startup had lost three consecutive enterprise RFPs at the procurement screening stage. ISO 27001:2022 certification changed that — unlocking an estimated SGD 2.1M in annual recurring revenue.

ISO 27001:2022 · MAS Supplier Ready
7mo
Gap to Certificate
Zero
Major NCs
3
RFPs Won
$2.1M
ARR Unlocked
93
Annex A Ctrls
Industry
Fintech & Payments
Service
ISO 27001:2022 Certification
Timeline
7 months
Technology
Complio Platform
The Challenge

Enterprise RFP Requiring ISO 27001 — Repeated Lost Deals

A Singapore-based B2B payments infrastructure company had lost three consecutive enterprise RFPs — two from MAS-regulated banks and one from a government-linked corporation — at the procurement screening stage. In each case, the disqualifying criterion was the absence of ISO 27001 certification. The CEO calculated that the three lost contracts represented approximately SGD 2.1M in annual recurring revenue.

The company had 22 employees, a well-documented development process, and an existing AWS cloud infrastructure — a reasonable security baseline but no formal ISMS documentation. The gap between the company's actual security posture and a certifiable ISMS was primarily a documentation and formalisation gap rather than a fundamental security deficiency.

The timing was critical because two of the three lost RFPs had indicated they would reissue within 6–9 months. If the company could achieve certification within 7 months, they would be eligible to re-submit for at least two of the three opportunities. This created a clear business case with a measurable ROI: the certification investment would be recovered within the first year if even one of the three contracts was won.

The CEO's concern was speed without shortcuts. A certification that was achieved hastily and could not be maintained would create more problems than it solved — particularly with MAS-regulated clients who would expect ongoing compliance evidence as part of their vendor management programmes. The ISMS needed to be genuinely operational, not just paper-based.

  • Three consecutive enterprise RFPs lost at procurement screening stage
  • SGD 2.1M estimated ARR blocked by absence of ISO 27001 certification
  • 22-employee company with reasonable security baseline but no formal ISMS
  • 7-month target to be eligible for reissued RFPs
  • MAS-regulated clients requiring ongoing compliance evidence
EIC's Approach

Complio-Accelerated ISMS Build and Certification

EIC deployed a structured 4-phase engagement using Complio to accelerate documentation, evidence collection, and audit preparation — compressing the typical 9–12 month certification timeline to 7 months.

Phase 01 · Month 1

Gap Analysis & Scope

Complio-assisted gap analysis. ISMS scope: Singapore operations + AWS ap-southeast-1. 34 control gaps identified. 9 new ISO 27001:2022 controls required new implementations.

Phase 02 · Months 2–4

ISMS Build

18 policies created. Risk assessment completed (58 risks, 12 above acceptance threshold). SoA produced for 93 Annex A controls. A.5.23 and A.8.12 implemented via AWS native controls.

Phase 03 · Months 4–6

Evidence & Internal Audit

Complio evidence collection workflows operational. Internal audit completed by EIC. 3 minor observations addressed. Management review conducted per Clause 9.3.

Phase 04 · Month 7

Certification Audit

Stage 1: zero major nonconformities. Stage 2: 1 minor observation (closed in 10 days). ISO 27001:2022 certificate issued.

Implementation Detail

From Zero ISMS to Certified in 7 Months

The gap analysis revealed that the company's existing security practices covered approximately 60% of ISO 27001:2022 requirements in substance — but almost none were formally documented. The development team used version control, code review processes, and infrastructure-as-code practices that aligned well with several Annex A controls. The challenge was formalising these practices into documented policies, procedures, and evidence records that a certification body auditor would accept.

Complio accelerated this process significantly. Rather than starting from blank policy templates, EIC's team configured Complio with the company's existing practices and generated policy documents that reflected what the company actually did — not generic boilerplate. This approach meant that staff did not need to change their workflows; the ISMS documented and formalised existing good practice rather than imposing new processes that would be difficult to sustain.

The risk assessment identified 58 risks, of which 12 exceeded the acceptance threshold and required treatment plans. The highest-priority risks were related to cloud infrastructure (AWS account security, S3 bucket configuration, IAM role management) and third-party supplier management (payment processor SLAs, cloud provider incident notification). Treatment plans for all 12 risks were implemented and documented in Complio before the Stage 1 audit.

The nine new ISO 27001:2022 controls that required implementation included A.5.23 (information security for use of cloud services), A.8.12 (data leakage prevention), and A.5.7 (threat intelligence). For a cloud-native company, these controls aligned well with AWS-native security features — the implementation involved configuring and documenting existing AWS capabilities rather than deploying new tools.

Results

Measurable Outcomes

7
Months from engagement start to certificate issuance
Zero
Major nonconformities at certification audit
3
Enterprise RFPs won in the 6 months post-certification
$2.1M
Estimated ARR unlocked by certification (3 re-submitted RFPs converted)
"
We stopped losing deals we should have won. ISO 27001 took us from 'pending approval' to 'approved supplier' in our three biggest target accounts. The ROI was obvious before the certificate even arrived.
CEO, B2B Payments Infrastructure Company, Singapore
Services & Technology in This Engagement

Losing Enterprise Deals to ISO 27001 Requirements?

Schedule a 30-minute scoping call and we'll assess your current ISMS readiness and recommend a certification pathway with timeline estimate.