Kellwick

Blog

Notes from the part of compliance that actually breaks.

Practical writing on readiness, evidence, surveillance audits and product-led GRC - written for the teams doing the work, not for search engines.

ISO 27001 Readiness

Why your ISO 27001 audit should not be your first real ISMS review

Certification audits reveal problems that were visible months earlier. Here is what auditors find, why teams miss it, and how to run your own review before the stakes get high.


Jul 1, 2026 · 3 min read

Vanta / Drata / Sprinto

Vanta is not your ISMS

Compliance platforms collect evidence beautifully. They do not decide whether your scope, risks, control ownership and evidence quality actually make sense. Here is the gap they leave - and how to close it.

Jun 24, 2026 · 3 min read

Evidence & Audit Prep

What ISO 27001 evidence actually means

Policies describe intent. Evidence proves operation. Auditors and enterprise buyers care about the second one. Here is what strong evidence looks like, control by control.

Jun 17, 2026 · 3 min read

Surveillance Audits

How SaaS companies should prepare for a surveillance audit

Certification is a moment. The surveillance audit is where the ISMS proves it actually kept running. Here is what to check in the 90 days before the auditor returns.

Jun 10, 2026 · 2 min read

Statement of Applicability

The Statement of Applicability mistakes auditors notice fast

The SoA is the map between your controls and reality. Auditors read it first and use it to decide where to dig. These are the mistakes that invite exactly the wrong kind of attention.

Jun 3, 2026 · 2 min read

Security Questionnaires

Security questionnaires are enterprise sales blockers

A security questionnaire is not a compliance chore - it is a gate on your revenue. When you cannot answer it with evidence, the deal stalls. Here is how to stop losing time in the security review.

May 27, 2026 · 2 min read

Risk Management

Risk register without theatre

Most risk registers are compliance props: generic entries, static scores, no owners. Here is what a register that actually drives decisions looks like.

May 20, 2026 · 3 min read

Product-led GRC

Why policies fail when nobody owns the control

Policies describe intent. Controls produce evidence - but only when a named person owns them. Here is how to assign ownership that keeps an ISMS alive.

May 13, 2026 · 3 min read

Evidence & Audit Prep

How access reviews become audit findings

Access reviews are one of the most common sources of nonconformities. The phrase "we review access" rarely survives contact with an auditor.

May 6, 2026 · 3 min read

Supplier Risk

Supplier reviews: the ISO 27001 control SaaS teams forget

SaaS runs on dozens of subprocessors, yet third-party risk reviews are routinely skipped. Your suppliers are your customers' risk too.

Apr 29, 2026 · 3 min read

SaaS Security Governance

How QA and release governance support ISO 27001

For SaaS teams, your CI/CD pipeline, code review and change approvals already produce most of the audit evidence ISO 27001 expects. The gap is usually proving it, not doing it.

Apr 22, 2026 · 3 min read

ISO 27001 Readiness

What to check 90 days before your certification audit

A concrete countdown for the last 90 days before Stage 2, focused on what must already be true and cannot be manufactured at the last minute.

Apr 15, 2026 · 3 min read

Surveillance Audits

What to check 30 days before your surveillance audit

A final 30-day checklist for surveillance: evidence continuity over the year, closed prior findings and control owners who can speak to their controls. Rehearse, do not cram.

Apr 8, 2026 · 3 min read

Management Review

Why management review is not a meeting formality

Auditors look for real decisions and follow-ups in your management review, not a calendar invite. Here is what a substantive review actually produces.

Apr 1, 2026 · 3 min read

Internal Audits

Internal audit readiness checklist for SaaS teams

A credible internal audit finds real problems before your external auditor does. Here is how to run one that satisfies the standard and actually helps.

Mar 25, 2026 · 3 min read

ISO 27001 Readiness

What founders should know before starting ISO 27001

ISO 27001 can open doors or stall your team, depending on how you scope and sequence it. Here is what to know before you start.

Mar 18, 2026 · 3 min read

ISMS Maintenance

How to keep ISO 27001 alive after certification

The ISMS starts decaying the moment attention moves on. A steady rhythm keeps it audit-ready between surveillance visits.

Mar 11, 2026 · 3 min read

Fintech & Payments GRC

How payment companies should think about ISO 27001 evidence

For payment companies, ISO 27001 evidence has to reflect how money and cardholder data actually move. Generic SaaS evidence rarely covers it.

Mar 4, 2026 · 3 min read

Fintech & Payments GRC

What fintech teams get wrong about ISMS scope

Scope is the most consequential early decision in ISO 27001. Fintechs tend to draw it too narrow or too vague, and pay for it later.

Feb 25, 2026 · 3 min read

Product-led GRC

Product-led GRC: the missing bridge between product and security

ISO 27001 for SaaS is not a documentation exercise. Product-led GRC connects security governance to how the product is actually built and sold.

Feb 18, 2026 · 3 min read