March 2, 2026 · Concerto Compliance

From One Audit to Eight Frameworks: How We Scaled a Global SaaS Company's Compliance Program

Case Study · ISO 27001 · SOC 2 · Multi-Framework Compliance

It Started With a Single Internal Audit

When this company first reached out, the ask was straightforward: they needed help with their ISO 27001 internal audit. They had an established information security management system, a certification body they worked with, and a team that understood the standard. What they didn’t have was the bandwidth to run a thorough internal audit alongside everything else on their plate.

We conducted the internal audit, delivered findings, and helped them prepare for their surveillance audit. Clean, professional, no surprises. That was supposed to be the end of the engagement.

It wasn’t.

Why the Relationship Grew

The compliance landscape for global SaaS companies doesn’t simplify over time. It compounds. New markets mean new regulatory requirements. Larger customers mean stricter procurement demands. Government contracts mean entirely separate certification regimes.

After the initial internal audit, the company’s compliance needs started expanding in every direction. They were fielding SOC 2 requests from US enterprise prospects. Their European customer base was asking about data protection specifics beyond what ISO 27001 covered. Government opportunities in Australia and the US required certifications most SaaS companies have never heard of.

They came back to us not because we pitched them on more work, but because we’d demonstrated something that’s surprisingly rare in compliance consulting: we knew what we were doing, we delivered on time, and we didn’t create unnecessary complexity. When the scope grew, they trusted us to grow with it.

Building the Multi-Framework Program

SOC 2

The SOC 2 engagement was the natural next step. US enterprise customers were making it a requirement, and the company needed a Type II report. Because we already understood their environment, controls, and architecture from the ISO 27001 work, we didn’t start from scratch. We mapped existing ISO 27001 controls to the Trust Services Criteria, identified gaps, and built a focused remediation plan.

The key advantage of having a single team manage both programs: control overlap is handled once, not twice. When a control satisfies both an ISO 27001 Annex A control and a SOC 2 Common Criteria requirement, it's documented, evidenced, and maintained as one control with two mappings. Each mapping is still reviewed against the other framework's own wording and tested by that framework's auditor, because satisfying an Annex A control is not automatically sufficient evidence for the corresponding SOC 2 criterion. That's the difference between a compliance program that scales and one that drowns in duplicate work.

ISO 27018

As the company processed more personal data in cloud environments on behalf of their customers, ISO 27018 became important. ISO/IEC 27018 is a code of practice that extends ISO 27001 with controls specific to protecting personally identifiable information (PII) when acting as a PII processor in public cloud services; it is assessed as an extension of the ISO 27001 scope rather than as a standalone certification.

Because ISO 27018 builds directly on the ISO 27001 management system, integration was efficient. We extended the existing Statement of Applicability, added PII-specific controls, and aligned the privacy documentation with what was already in place. The company achieved certification without building a parallel program.

DSPT (Data Security and Protection Toolkit)

Expanding into the UK healthcare market introduced the NHS Data Security and Protection Toolkit (DSPT). The DSPT has its own assessment structure, its own evidence requirements, and its own annual submission cycle. It's not a standard you can casually map to ISO 27001 and call it done.

We worked through the DSPT assertions methodically, leveraging existing controls where they applied and building targeted processes where they didn't. The company's ISO 27001 foundation covered a significant portion of DSPT requirements, particularly around access control, encryption, and incident management, but areas like staff training records, data flow documentation, and NHS-specific data handling required dedicated attention.

IRAP (Information Security Registered Assessors Program)

Pursuing Australian government customers meant IRAP assessment. IRAP is the Australian Signals Directorate's program of endorsed assessors who assess systems against the Australian Government Information Security Manual (ISM), and it's one of the more rigorous security assessments a SaaS company can undertake. The ISM contains hundreds of controls, and IRAP assessors examine them with the thoroughness you'd expect from a government security program.

This was a significant undertaking. We worked alongside the company to prepare for their IRAP assessment, mapping existing controls to ISM requirements, identifying gaps specific to Australian government expectations, and building documentation that met the assessor’s evidence standards. The ISO 27001 and SOC 2 foundations helped, but IRAP required substantial additional work, particularly around Australian data sovereignty, cryptographic requirements, and system hardening.

StateRAMP/GovRAMP

US state and local government opportunities brought StateRAMP into the picture. StateRAMP, which has since rebranded as GovRAMP, provides a standardized security assessment framework for cloud products used by state and local government agencies. It's heavily modeled on FedRAMP and built on the NIST SP 800-53 control catalog, which means a detailed control baseline and rigorous documentation requirements.

We helped the company navigate the StateRAMP authorization process, from selecting the appropriate impact level through completing the security assessment and achieving authorization. Having mature ISO 27001 and SOC 2 programs in place meant many controls were already operating effectively, but the NIST SP 800-53 baseline required additional implementation and documentation that went well beyond what those standards require.

Privacy Program

Underpinning all of this was a growing need for a structured privacy program. The company was processing personal data across multiple jurisdictions, each with its own regulatory requirements: GDPR, CCPA, the Australian Privacy Principles, and the UK Data Protection Act 2018. Privacy couldn't be an afterthought bolted onto individual frameworks.

We helped build a unified privacy program that served as the foundation for privacy-related requirements across all of their frameworks. Data processing inventories, privacy impact assessments, data subject rights procedures, breach notification processes, and vendor privacy assessments were built once and mapped across every framework that required them.

What Made This Work

One Team, One View

The single biggest advantage was having one compliance partner with visibility across the entire program. When a new framework was added, we didn’t start from zero. We started from a comprehensive understanding of what was already in place and what needed to be built.

Control Rationalization

Every new framework added to the program went through the same process: map to existing controls, identify genuine gaps, build only what’s needed. The company never maintained duplicate controls for the same risk. One control, many mappings.
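The "one control, many mappings" approach is easy to state and easy to get wrong in a spreadsheet, so here is an added example in Python of what the control catalog and the gap analysis behind it look like. This is illustrative code written for this article, not Concerto's or the company's tooling. The control identifiers (AC-01 and so on), the evidence file names, and the "NEWFW" framework with its NF-* requirement identifiers are constructed placeholders; the ISO 27001 Annex A and SOC 2 criteria references are illustrative mappings that would have to be verified against each framework's actual requirement text.

```python
"""Added example: a single control catalog mapped to many frameworks.

Constructed data for illustration only. Control ids, evidence names and the
"NEWFW" framework with its NF-* requirement ids are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """One control: defined and evidenced once, mapped to any number of frameworks."""
    control_id: str
    title: str
    evidence: set = field(default_factory=set)      # names of evidence artefacts
    mappings: dict = field(default_factory=dict)    # framework -> set of requirement ids


class ControlCatalog:
    def __init__(self):
        self.controls = {}

    def add(self, control_id, title, evidence=()):
        if control_id in self.controls:
            raise ValueError(f"duplicate control {control_id}")
        self.controls[control_id] = Control(control_id, title, set(evidence))

    def map(self, control_id, framework, *requirement_ids):
        """Record that an existing control is claimed to satisfy requirements of a framework."""
        self.controls[control_id].mappings.setdefault(framework, set()).update(requirement_ids)

    def coverage(self, framework):
        """requirement id -> set of control ids that claim to satisfy it."""
        cov = {}
        for ctl in self.controls.values():
            for req in ctl.mappings.get(framework, ()):
                cov.setdefault(req, set()).add(ctl.control_id)
        return cov

    def gap_analysis(self, framework, requirements):
        """Split a framework's requirement list into (covered, gaps); gaps need new controls."""
        cov = self.coverage(framework)
        covered = {r: cov[r] for r in requirements if r in cov}
        gaps = [r for r in requirements if r not in cov]
        return covered, gaps

    def unevidenced(self, framework):
        """Controls mapped to a framework but carrying no evidence: a mapping is a claim, not proof."""
        return sorted(c.control_id for c in self.controls.values()
                      if framework in c.mappings and not c.evidence)

    def evidence_request(self, framework):
        """De-duplicated list of evidence artefacts to hand an auditor for one framework."""
        return sorted({e for c in self.controls.values()
                       if framework in c.mappings for e in c.evidence})


# Constructed requirement list for the hypothetical new framework "NEWFW".
NEWFW_REQUIREMENTS = ["NF-ACCESS", "NF-CRYPTO", "NF-INCIDENT", "NF-TRAINING", "NF-DATAFLOW"]


def build_sample_catalog():
    cat = ControlCatalog()
    cat.add("AC-01", "Role-based access to production", ["iam-policy.json", "access-review-2025Q4.pdf"])
    cat.add("CR-01", "TLS 1.2+ in transit, KMS encryption at rest", ["tls-config.yaml", "kms-key-policy.json"])
    cat.add("IR-01", "Incident response runbook and annual tabletop", ["ir-runbook.md", "tabletop-2025.pdf"])
    cat.add("TR-01", "Annual security awareness training")   # defined, but no records collected yet
    # Existing programme: illustrative ISO 27001 Annex A and SOC 2 mappings (verify against the real text).
    cat.map("AC-01", "ISO27001", "A.5.15")
    cat.map("AC-01", "SOC2", "CC6.1")
    cat.map("CR-01", "ISO27001", "A.8.24")
    cat.map("CR-01", "SOC2", "CC6.7")
    cat.map("IR-01", "ISO27001", "A.5.26")
    cat.map("IR-01", "SOC2", "CC7.4")
    cat.map("TR-01", "ISO27001", "A.6.3")
    # Onboarding the new framework: add mappings to existing controls instead of cloning them.
    cat.map("AC-01", "NEWFW", "NF-ACCESS")
    cat.map("CR-01", "NEWFW", "NF-CRYPTO")
    cat.map("IR-01", "NEWFW", "NF-INCIDENT")
    cat.map("TR-01", "NEWFW", "NF-TRAINING")
    return cat


def onboard_report(cat, framework, requirements):
    """What a new framework actually costs: genuine gaps plus mapped-but-unevidenced controls."""
    covered, gaps = cat.gap_analysis(framework, requirements)
    return {
        "covered": {r: sorted(c) for r, c in covered.items()},
        "gaps": gaps,                                 # new controls to build
        "unevidenced": cat.unevidenced(framework),    # mapped on paper, not yet auditable
        "evidence": cat.evidence_request(framework),  # one evidence pull, no duplicates
    }


if __name__ == "__main__":
    import json
    print(json.dumps(onboard_report(build_sample_catalog(), "NEWFW", NEWFW_REQUIREMENTS), indent=2))
```

Two outputs matter when a framework is onboarded. The `gaps` list (here only the data-flow requirement) is the work that genuinely has to be built. The `unevidenced` list is the trap the spreadsheet hides: the training control is mapped to the new framework, so the crosswalk looks complete, but with no records attached it will fail the moment an assessor asks for evidence. Treat both lists as the remediation plan, not just the first.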

Continuous Relationship

Compliance isn’t a project with a start and end date. It’s an ongoing program. Because we worked with this company continuously, we caught issues early, adapted to organizational changes in real time, and ensured that audit preparation was a steady process rather than an annual scramble.

Trust Built Through Delivery

The relationship expanded because we delivered results, not because we sold services. Every engagement ended with the company in a stronger compliance position than where they started. That track record is what earned the opportunity to take on the next challenge.

The Takeaway

Most SaaS companies start their compliance journey with a single framework, usually SOC 2 or ISO 27001. The ones that scale successfully don’t treat each new requirement as an isolated project. They build a unified compliance program where frameworks share a common foundation of controls, evidence, and processes.

That’s what we do at Concerto. Whether you’re starting with your first audit or managing a multi-framework program across global markets, we build compliance programs that grow with you. Schedule a consultation to talk about where you are today and where you’re headed.
