What ISO 27001 actually requires
Unlike PCI DSS, which prescribes specific technical configurations, ISO 27001 is a management framework. The core of ISO 27001 is the implementation of an Information Security Management System (ISMS).
The ISMS
A systematic approach to managing sensitive company information. It encompasses people, processes, and IT systems, applying a risk management process to ensure confidentiality, integrity, and availability.
Risk Assessment
You must formally identify risks to your information assets, evaluate their potential impact, and decide how to treat them (mitigate, accept, transfer, or avoid).
Statement of Applicability (SoA)
A crucial document that lists the 93 controls from Annex A, stating which ones you have implemented to mitigate your identified risks and justifying any exclusions.
Annex A controls relevant to fintechs
The 2022 update of ISO 27001 consolidated the controls into four themes. For engineering teams, the Technological controls are where the heavy lifting occurs.
- A.8.8 Management of technical vulnerabilities: Requires ongoing vulnerability assessments and patch management.
- A.8.25 Secure development lifecycle: Security must be integrated into your CI/CD pipeline.
- A.8.28 Secure coding: Developers must be trained in secure coding principles to prevent OWASP Top 10 vulnerabilities.
- A.8.29 Security testing in development and acceptance: This mandates regular, independent penetration testing of your applications before they go live.
The certification process
Certification is granted by an accredited external body (like BSI or SGS in Nigeria) following a two-stage audit.
Stage 1: Documentation Review
The auditor reviews your ISMS documentation, policies, and SoA to ensure they meet the standard's requirements. This is a "desktop" audit.
Stage 2: Certification Audit
The auditor verifies that your organization is actually following the documented procedures. They will interview staff, review logs, and check evidence like recent pentest reports.
Surveillance Audits
After certification, you undergo annual surveillance audits to ensure the ISMS is maintained, leading to a recertification audit in year three.
Relationship to CBN requirements
The CBN Risk-Based Cybersecurity Framework draws heavily from ISO 27001 principles. If your fintech successfully implements an ISO 27001 ISMS, you will inherently meet the vast majority of the governance and risk management requirements mandated by the CBN. The primary addition will be the specific CBN reporting timelines and the CSAT submission.
Winning Enterprise Deals
Enterprise procurement cycles in Nigeria move slowly. When a bank asks for your security posture, handing them an ISO 27001 certificate and an executive summary of a recent pentest bypasses weeks of tedious vendor security questionnaires. It is a massive sales accelerator.
Related reading
Blog: Fintech Security Audit Timing
Guides: CBN Compliance Guide · Security Before Fundraising
Services: Secure Architecture Review