The situation
Pactio sells into a market where the security questionnaire arrives before the contract does. Without ISO 27001 and SOC 2, enterprise deals stall and investor due diligence drags; with a small team shipping product at pace, nobody had capacity to run two certification programmes side by side, and hiring for it would have taken longer than the certifications themselves.
How the CyPro team approached it
One CyPro practitioner owned the whole programme, and treated the two frameworks as one body of work: where ISO 27001 and SOC 2 ask overlapping questions, the evidence was produced once and mapped to both. Control selection was ruthless about substance, favouring the measures that genuinely cut risk for a cloud-native FinTech over checkbox exercises, and the evidence trail was built into the team’s normal working week instead of a pre-audit scramble.
What changed
Seven months after starting from scratch, Pactio held both certificates. The company’s measured cyber risk fell over the same period, which is the point most compliance projects miss: the audits were passed by becoming more secure, not by producing paperwork that says so.