CASE STUDY
Executive Summary
Facing increasing demands from enterprise clients for proof of security, privacy, and responsible AI practices, the startup needed to formalize its Information Security Management System (ISMS), AI Management System (AIMS), and governance processes. We designed and executed an internal IT audit program, closed gaps across multiple domains, and coordinated external audits, achieving full certification within one year.
Background
The startup specialized in developing AI-powered sports performance analytics and data-driven player wellness platforms. As the company expanded internationally, prospective clients required formal assurance that the platform met industry standards for:
- Data Security (SOC 2, ISO 27001)
- AI Ethics and Governance (ISO 42001)
However, the startup’s existing IT controls, documentation, and governance practices were informal and fragmented. The leadership appointed an IT Project Manager to lead a structured audit-readiness and compliance project.
Objectives
- Conduct a comprehensive internal audit of the company's IT posture.
- Identify and document gaps across Information Security, Infrastructure, and Application Development.
- Develop project plans to remediate all identified deficiencies.
- Establish a formal governance framework aligned with SOC 2, ISO 27001, and ISO 42001 standards.
- Lead the company through successful third-party audits and certification.
Phase 1: Internal IT Audit and Assessment
1. Methodology
The PM developed and executed a 6-week internal audit process structured around three domains:
- Information Security Governance
- Infrastructure and Operations
- Application Development and DevSecOps
The audit followed the principles of ISO 19011 for internal auditing, combining:
- Document review and policy analysis
- Staff interviews and process walkthroughs
- Technical control verification (network, codebase, CI/CD, cloud infrastructure)
2. Audit Deliverables
The PM produced a detailed Internal Audit Report summarizing the findings, structured as follows:
Infosec Governance
- Findings: Policies existed in draft form; risk assessment not standardized; incident response not documented
- Recommended Action: Establish an ISMS aligned with ISO 27001 controls; formalize the risk register
Infrastructure
- Findings: Cloud configuration lacked MFA enforcement and log retention; limited patch tracking
- Recommended Action: Implement centralized configuration management and continuous monitoring
Application Development
- Findings: No secure SDLC policy; inconsistent code review documentation
- Recommended Action: Integrate security gates into the CI/CD pipeline; enforce secure coding training
The report concluded that while the company demonstrated strong technical capability, governance and documentation maturity were lacking.
Phase 2: Gap Analysis and Project Planning
Using the audit results, the PM developed gap remediation plans with assigned owners, deliverables, and timelines.
Each IT department received a tailored Project Remediation Plan, including measurable milestones:
Information Security Plan
- Establishment of an Information Security Management System (ISMS)
- Creation of core security policies (Access Control, Data Protection, Incident Response, Asset Management)
- Implementation of quarterly risk assessments and a vendor risk management program
Infrastructure Plan
- Deployment of cloud infrastructure baselines and automated compliance scanning
- Implementation of multi-factor authentication, centralized logging, and patch management policies
- Creation of disaster recovery playbooks
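To make the "automated compliance scanning" item concrete, here is an added example of a minimal baseline scanner in Python. It is not the startup's or the PM's own tooling; it evaluates a constructed account snapshot against the three infrastructure gaps named in the Phase 1 findings (MFA enforcement, log retention, patch tracking) and emits findings in a form that can be filed as audit evidence. The threshold values (365 days of log retention, 30 days maximum patch age), the control identifiers, and the snapshot layout are assumptions for illustration; a real scanner would read the same fields from the cloud provider's API.

```python
"""Baseline compliance scanner (added example; not the case study's tooling).

Checks a constructed cloud-account snapshot against three baseline controls:
  IAM.MFA        every interactive user has MFA enabled
  LOG.RETENTION  every log group is retained at least MIN_LOG_RETENTION_DAYS
  PATCH.AGE      no host is more than MAX_PATCH_AGE_DAYS behind on patching
"""
from dataclasses import dataclass
from datetime import date

MIN_LOG_RETENTION_DAYS = 365   # assumed baseline value
MAX_PATCH_AGE_DAYS = 30        # assumed baseline value

# Constructed sample snapshot (not real account data). In practice this would be
# pulled from the provider's IAM, logging and inventory APIs.
SNAPSHOT = {
    "users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
        {"name": "ci-deploy", "mfa_enabled": False, "service_account": True},
    ],
    "log_groups": [
        {"name": "cloudtrail", "retention_days": 400},
        {"name": "app-logs", "retention_days": 30},
        {"name": "vpc-flow", "retention_days": None},   # None = never expires
    ],
    "hosts": [
        {"name": "web-1", "last_patched": "2024-05-01"},
        {"name": "db-1", "last_patched": "2024-02-10"},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str    # control identifier (assumed naming scheme)
    resource: str   # the resource that failed the check
    detail: str     # human-readable evidence for the audit file


def check_mfa(users):
    # Service accounts cannot complete interactive MFA; they are excluded here
    # and would be covered by a separate credential-rotation control (not shown).
    return [Finding("IAM.MFA", u["name"], "MFA not enabled")
            for u in users
            if not u.get("service_account") and not u["mfa_enabled"]]


def check_log_retention(log_groups, minimum=MIN_LOG_RETENTION_DAYS):
    findings = []
    for g in log_groups:
        days = g["retention_days"]
        if days is None:          # no expiry configured: kept indefinitely, passes
            continue
        if days < minimum:
            findings.append(Finding("LOG.RETENTION", g["name"],
                                    f"retention {days}d < {minimum}d"))
    return findings


def check_patch_age(hosts, as_of, max_age=MAX_PATCH_AGE_DAYS):
    # as_of is an ISO date string so the scan is reproducible for a given audit date
    today = date.fromisoformat(as_of)
    findings = []
    for h in hosts:
        age = (today - date.fromisoformat(h["last_patched"])).days
        if age > max_age:
            findings.append(Finding("PATCH.AGE", h["name"], f"last patched {age}d ago"))
    return findings


def scan(snapshot, as_of):
    """Run every control and return all findings for the snapshot."""
    return (check_mfa(snapshot["users"])
            + check_log_retention(snapshot["log_groups"])
            + check_patch_age(snapshot["hosts"], as_of))


def compliance_score(snapshot, as_of):
    """Percentage of evaluated resources with no finding (one readiness metric)."""
    total = sum(len(snapshot[k]) for k in ("users", "log_groups", "hosts"))
    failing = {(f.control, f.resource) for f in scan(snapshot, as_of)}
    return 100 * (total - len(failing)) / total


if __name__ == "__main__":
    audit_date = "2024-05-15"
    for f in scan(SNAPSHOT, audit_date):
        print(f"FAIL {f.control:14} {f.resource:12} {f.detail}")
    print(f"compliance score: {compliance_score(SNAPSHOT, audit_date):.1f}%")
```

Run as a script it prints one FAIL line per finding plus the score; the same functions can be called from a scheduled job so that the evidence is regenerated continuously rather than assembled by hand before an audit, which is the point of the "continuous monitoring" recommendation above.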
Application Development Plan
- Definition of a Secure Software Development Lifecycle (SSDLC)
- Integration of static and dynamic application security testing (SAST/DAST) tools
- Mandatory developer security training and certification
The PM created a Compliance Project Roadmap showing sequential objectives and cross-departmental dependencies, ensuring all tasks were tracked in a centralized project management platform (JIRA/Confluence).
Phase 3: Implementation and Governance Alignment
The PM established a Governance Steering Committee with representatives from IT, Legal, and Product departments.
Key governance improvements included:
- Weekly compliance stand-ups and status tracking
- Monthly risk review meetings with executive oversight
- Quarterly internal audits to validate continuous improvement
The PM also authored the Information Security Governance Charter, defining roles, responsibilities, and accountability frameworks for compliance across departments.
Phase 4: Audit Readiness and External Certification
Once the internal systems were mature, the PM led audit readiness workshops with department heads, conducted mock audits, and ensured all required evidence and documentation were available for auditors.
SOC 2 Type II
- PM coordinated evidence collection and the auditor Q&A process
- Implemented continuous monitoring dashboards to demonstrate control effectiveness
ISO 27001
- PM served as liaison between the auditor and control owners
- Successfully demonstrated the ISMS scope, risk treatment plan, and continuous improvement process
ISO 42001 (AI Management System)
- PM mapped AI lifecycle processes (data curation, model training, model monitoring) to ISO 42001 clauses
- Developed an AI Ethics Policy and an AI Risk Assessment Template
- Successfully demonstrated organizational transparency and accountability for AI-driven decision-making
Results
After a 12-month execution timeline, the startup achieved:
- SOC 2 Type II certification
- ISO/IEC 27001:2022 certification
- ISO/IEC 42001:2023 certification (AI Management System)
Quantitative Outcomes
- Security incidents per quarter reduced from 4 to 0
- Policy coverage (documented & approved) improved from 45% to 100%
- Employee compliance training completion improved from 35% to 98%
- Audit readiness score improved from 56% to 94%
Lessons Learned
- Internal audit readiness is key — early identification of gaps prevents costly delays during external audits.
- Governance must be cross-functional — embedding compliance within all IT and product processes ensures sustainability.
- Documentation and evidence management are as critical as technical controls.
- A continuous improvement mindset ensures the organization remains audit-ready year-round.
Conclusion
Our strategic leadership, cross-functional coordination, and methodical execution transformed the startup’s IT governance and compliance posture. Through a combination of rigorous internal audits, structured remediation planning, and stakeholder engagement, the company not only met but exceeded the requirements of SOC 2, ISO 27001, and ISO 42001, positioning itself as a trusted technology provider in the global market.
