This case study shows how a European B2B SaaS provider structured its Information Security Management System to meet ISO/IEC 27001 expectations while minimizing additional effort and disruption to daily work.
Company Profile: European B2B SaaS Provider Serving Enterprise Customers
The company develops and operates a B2B software-as-a-service platform used by organizations across Europe and North America. The solution supports core operational workflows and integrates with customer systems, processing usage data and limited personal data.
The organization employs around 70 people, including engineering, product, and customer-facing teams working in a distributed setup. Annual revenue is estimated at approximately USD 8-12 million, driven by long-term contracts with mid-sized and enterprise customers. As the customer base evolved, formal information security assurance became a requirement in sales and renewal processes.
Business Context: Enterprise Customer Requirements Drove ISO/IEC 27001
The decision to pursue ISO/IEC 27001 certification was driven by enterprise customer expectations. Security questionnaires, vendor assessments, and contract negotiations required proof of a structured and maintained Information Security Management System.
Key stakeholders involved in the initiative included:
- Enterprise customers – expecting documented controls, risk management, and reliable audit evidence;
- Founder and CEO – accountable for governance, contractual commitments, and trust;
- CTO – responsible for technical controls, system security, and operational continuity.
Several challenges became visible early on:
- Security information spread across tools – policies, reviews, and evidence stored in multiple locations;
- Limited overview – no single place to see risks, controls, assets, and incidents together;
- Risk of process overload – concern that ISO preparation could add effort without clear internal benefit;
- Limited ISMS experience – strong technical skills, but little practice with formal security governance.
Implementation: Integrating ISO/IEC 27001 Into Ongoing Management
Before defining the final approach, the company reviewed several established GRC platforms commonly used for ISO/IEC 27001 certification. These tools were assessed as suitable for managing certification workflows, but less aligned with the company’s existing management practices.
At the same time, the company was already using BSC Designer to monitor its strategic plan and internal execution priorities. Extending this existing structure to cover information security management was seen as a logical step, allowing ISO/IEC 27001 to be embedded into already established governance and review cycles.
On the technical level, this translated into:
- Policy documentation – internal policies and procedures were consolidated in a secured online file storage environment;
- ISMS governance – scope, roles, review cadence, and improvement actions were maintained in a dedicated ISMS scorecard, while stakeholders and their strategic intent were linked from an existing stakeholder scorecard;
- Security controls – controls were modeled as indicators with unique IDs, owners, review frequency, and evidence attached to each review;
- Risk management – risks were tracked using BSC Designer’s native risk functionality, allowing separate assessment of probability and impact, as well as inherent and residual risk levels, treatment actions, acceptance status, and responsible owners;
- Assets and vendors – assets and third parties were documented using scorecards extended with custom fields reflecting classification, criticality, and review requirements;
- Incidents and findings – security incidents, near-misses, and audit findings were logged and tracked through corrective actions to resolution.
The client’s expectation was to have live, strategy-aligned security controls:
“We don’t want security documentation that exists only for auditors. If we cannot review, update, and explain it ourselves, it’s not useful to us.”
This expectation shaped how the ISMS was built and used. For example, controls defined for ISO/IEC 27001 were also reused as inputs for risk assessment and management scorecards outside the audit scope, supporting operational and strategic decisions.
A practical concern raised during implementation highlighted a common audit risk:
“Our biggest risk is losing evidence across different locations when auditors ask for it.”
To address this, evidence was uploaded directly to each control review and linked to the control’s update date. Each evidence item was accompanied by short explanatory comments from the uploader, providing context for why the evidence was relevant and what it demonstrated.
Access rights were configured so that auditors could be granted read-only access to the relevant scorecards for a defined period. Modification rights were restricted to authorized roles at all times, ensuring that ISMS content could not be changed unintentionally or without accountability.
All changes within the platform were automatically recorded in a central audit trail. The same audit trail could be filtered to show the change history of specific items, such as individual controls, risks, or incidents, allowing auditors and management to review how each item evolved over time without maintaining separate version histories.
Results: Centralized ISMS, Reliable Evidence, Reduced Audit Friction
After implementation, the company observed several concrete outcomes that improved both audit readiness and internal clarity.
- Central ISMS overview – risks, controls, assets, vendors, and incidents were visible in one place;
- Consistent evidence handling – evidence was reviewed and stored together with the related controls;
- Clear accountability – owners were assigned to all key ISMS elements;
- Lower audit effort – audit data was prepared without manual reporting;
- Stronger customer discussions – responses to enterprise security questions became clearer and more consistent.
The company also tracked several high-level ISMS indicators, including:
- Control review completion – controls reviewed within the defined timeframe;
- Open incidents and findings – number and age of unresolved issues;
- Risk acceptance status – risks pending approval or treatment;
- Vendor review coverage – third-party reviews completed as planned.
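To make the structure described above concrete, here is an added example (not BSC Designer's code, and not taken from the case study) that models the ISMS elements in a small in-memory data model: controls with an ID, owner, review cadence and evidence attached to each review; risks with separate probability and impact scores for inherent and residual levels plus acceptance status; findings with open/close dates; and an append-only audit trail fed by a change function that accepts modifications only from authorized roles, so that an auditor role stays read-only. On top of that it computes three of the indicators listed above (control review completion, open findings with their age, risks pending acceptance). All identifiers, names and dates are constructed for illustration; the role names and the 1–5 scoring scale are assumptions.

```python
# Added example, not BSC Designer's own code: a minimal ISMS data model and the
# high-level indicators built on it. All identifiers, names, dates, role names
# and the 1..5 probability/impact scale below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Evidence:
    filename: str
    uploaded_by: str
    comment: str  # why this evidence is relevant and what it demonstrates


@dataclass
class ControlReview:
    reviewed_on: date
    evidence: List[Evidence] = field(default_factory=list)


@dataclass
class Control:
    control_id: str
    owner: str
    review_every_days: int  # review cadence defined for the control
    reviews: List[ControlReview] = field(default_factory=list)

    def last_review(self) -> Optional[date]:
        return max((r.reviewed_on for r in self.reviews), default=None)

    def is_current(self, today: date) -> bool:
        # "reviewed within the defined timeframe": last review no older than the cadence
        last = self.last_review()
        return last is not None and (today - last).days <= self.review_every_days


@dataclass
class Risk:
    risk_id: str
    owner: str
    probability: int          # inherent, 1..5 (assumed scale)
    impact: int               # inherent, 1..5
    residual_probability: int  # after treatment
    residual_impact: int
    accepted: bool = False

    def inherent_level(self) -> int:
        return self.probability * self.impact

    def residual_level(self) -> int:
        return self.residual_probability * self.residual_impact


@dataclass
class Finding:
    finding_id: str
    opened_on: date
    closed_on: Optional[date] = None


class AuditTrail:
    """Append-only change log; can be filtered to one item's history."""

    def __init__(self) -> None:
        self._entries: List[Tuple[date, str, str, str]] = []

    def record(self, when: date, actor: str, item_id: str, action: str) -> None:
        self._entries.append((when, actor, item_id, action))

    def history(self, item_id: str) -> List[Tuple[date, str, str, str]]:
        return [e for e in self._entries if e[2] == item_id]


MODIFY_ROLES = {"owner", "isms_manager"}  # assumed roles; "auditor" is read-only


def apply_change(trail: AuditTrail, when: date, actor: str, role: str,
                 item_id: str, action: str) -> bool:
    """Apply a modification only for authorized roles and log it; return True if applied."""
    if role not in MODIFY_ROLES:
        return False
    trail.record(when, actor, item_id, action)
    return True


# --- Indicators -------------------------------------------------------------
def control_review_completion(controls: List[Control], today: date) -> float:
    return sum(c.is_current(today) for c in controls) / len(controls)


def overdue_controls(controls: List[Control], today: date) -> List[str]:
    return [c.control_id for c in controls if not c.is_current(today)]


def open_findings(findings: List[Finding], today: date) -> List[Tuple[str, int]]:
    # number and age (days) of unresolved findings
    return [(f.finding_id, (today - f.opened_on).days) for f in findings if f.closed_on is None]


def risks_pending_acceptance(risks: List[Risk]) -> List[str]:
    return [r.risk_id for r in risks if not r.accepted]


# --- Constructed sample data ------------------------------------------------
TODAY = date(2024, 6, 30)
CONTROLS = [
    Control("CTL-01", "cto", 90, [ControlReview(date(2024, 5, 15),
            [Evidence("policy-review.pdf", "cto", "signed annual policy review")])]),
    Control("CTL-02", "cto", 30, [ControlReview(date(2024, 4, 1))]),  # 90 days old: overdue
    Control("CTL-03", "ceo", 365),                                    # never reviewed
]
RISKS = [Risk("R-01", "cto", 4, 5, 2, 5, accepted=True), Risk("R-02", "ceo", 3, 3, 1, 3)]
FINDINGS = [Finding("F-01", date(2024, 6, 1)), Finding("F-02", date(2024, 3, 1), date(2024, 4, 1))]

if __name__ == "__main__":
    trail = AuditTrail()
    apply_change(trail, TODAY, "alice", "owner", "CTL-01", "attached evidence")
    apply_change(trail, TODAY, "auditor1", "auditor", "CTL-01", "edit")  # rejected, not logged
    print(f"control review completion: {control_review_completion(CONTROLS, TODAY):.0%}")
    print("overdue controls:", overdue_controls(CONTROLS, TODAY))
    print("open findings (id, age days):", open_findings(FINDINGS, TODAY))
    print("risks pending acceptance:", risks_pending_acceptance(RISKS))
    print("CTL-01 history:", trail.history("CTL-01"))
```

The point of keeping evidence inside `ControlReview` rather than in a separate store is the one the case study makes: the evidence, its uploader's comment and the review date travel together, so a filtered audit trail for one control ID shows both what changed and what was attached. With this sample data one of three controls is current, so review completion is 33%.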
How Can ISO 27001 Be Implemented With Less Effort?
ISO 27001 certification requires significant effort, but when it is implemented correctly it can become a real value driver and be achieved with less effort:
- Make ISO readiness part of existing management systems – reuse established structures instead of creating parallel processes;
- Keep evidence close to controls – store context and justification together with each review;
- Apply access control with full traceability – allow transparency without sacrificing integrity;
- Use a structured platform such as BSC Designer – to maintain clarity, accountability, and audit readiness over time.

BSC Designer is strategy execution software that enhances strategy formulation and execution through KPIs, strategy maps, and dashboards. Our proprietary strategy implementation system guides companies in the practical application of strategic planning.