How Paymenttools Achieved ISO 27001 Certification Success and Unified Compliance Management

“The IO platform is now our strategic umbrella system for managing our entire security and compliance landscape.”

Jan Oetting, CISO, Paymenttools

Key Takeaways

Learn how Paymenttools:

  • Achieved ISO 27001 certification in nine months
  • Used the IO platform to implement a robust ISMS and ensure ISO 27001 compliance
  • Employed SGG’s support and expertise to deliver certification success
  • Continue to leverage the IO platform to manage their entire security and compliance landscape.

About Paymenttools

Paymenttools are technologists and payment experts with a deep background in retail. The business’s mission is to design payments that make life easier for everyone involved, from checkout staff to end customers, and to improve the shopping experience long-term.

With Paymenttools’ roots in commerce, the team understand that payment transactions are not an afterthought but a strategic tool for modern business models. They take a holistic approach, considering everything from payment processes and loyalty programmes to their vision of an independent European payment system.

They are driven by a common goal: to future-proof payments with solutions that work reliably today and create real independence tomorrow.

The Challenge

With limited resources for security and risk management, the Paymenttools team needed a lean and pragmatic solution that could be operated by a small, focused team to successfully achieve ISO 27001 certification. As a cloud-native company with a large engineering focus, many traditional, bureaucratic security controls didn’t apply to the business, so being able to easily identify and implement relevant controls was a core priority.

“Our challenge was to maintain a high-security posture and compliance without slowing down our engineers.”

Jan Oetting, CISO, Paymenttools

Jan and the team were using tools such as Google Workspace for defining policies and managing risk, but recognised this wasn’t an efficient approach. They required a dedicated platform to manage and maintain their information security management system (ISMS), rather than disparate tools and documentation.

They also needed expert support and guidance to work through the ISO 27001 compliance and certification process. The team needed someone to align with their core security ‘co-pilot’ philosophy: someone to act as a partner, not a blocker, enabling success and finding secure paths to ‘yes’.

“This overall work is part of our strategic shift from reactive compliance to proactive command over our defensive landscape.”

Jan Oetting, CISO, Paymenttools

The Solution

Paymenttools enlisted the expertise of SGG to implement an ISO 27001-compliant ISMS and conduct pre-certification audits, both pre-stage 1 and pre-stage 2. The business also leveraged the IO platform, using the platform’s pre-built ISO 27001 templates and workflows to ensure swift implementation and alignment.

“SGG provided crucial guidance on understanding the standard and how to approach the certification process in a pragmatic, business-focused manner.”

Jan Oetting, CISO, Paymenttools

Using the IO platform enabled Paymenttools to streamline their ISO 27001 compliance and efficiently implement and manage associated controls and processes. Chris Gill, Head of Cybersecurity, GRC and Auditing at SGG, said: “The pre‑built templates and workflows aligned to ISO 27001 saved the business significant time and reduced complexity.”

With the support of SGG, Paymenttools leveraged the intuitive, user-friendly IO platform and the IO 11-step Assured Results Method (ARM) to work strategically through certification requirements.

“The Assured Result Methods (ARM) worked perfectly as promised, providing a huge head start where around 70% of the policies were immediately good enough to use. This allowed us to focus on our security strategy: state what you are doing, evaluate risk, then improve.”

Jan Oetting, CISO, Paymenttools

The platform’s pre-built elements provided a baseline on which Paymenttools could build and evolve a bespoke, highly tailored ISMS. Core areas the business used included the risk register, asset inventory, interested parties map, security management track and the corrective actions and improvements track.

Collaboration was also a vital element of the partnership. To ensure ongoing success, SGG and Paymenttools consistently aligned on the business’s compliance efforts, ensuring ISO 27001 compliance was progressing as expected.

“The SGG team held workshops with Paymenttools’ staff as and when required to ensure ISO 27001:2022 concepts were clear and understandable.”

Chris Gill, Head of Cybersecurity, GRC and Auditing, SGG

The Result

Paymenttools successfully achieved ISO 27001 certification in nine months. Jan estimates that by working with IO and SGG, the business saved around 100 person-days in the initial setup compared to a manual approach, plus the time saved in ongoing maintenance work.

“The time needed as overhead for managing different regulations and audits is significantly reduced.”

Jan Oetting, CISO, Paymenttools

For Paymenttools, the most valuable elements of the IO platform were the modern policy documentation and asset inventory provided in the ISO 27001 project structure: “The most important element of the IO platform were the predefined policies, specifically because they are optimised for a modern company like ours.”

The Paymenttools team also benefited from the platform’s centralised information security approach across risk management, asset management, corrective actions, and incident response. This allowed the business to consolidate the compliance workload and delay the use of specialised tools until they were absolutely needed.

SGG’s strategic advice and expert guidance were instrumental in Paymenttools’ ISO 27001 achievement, steering the business’s security management in the right direction to ensure certification success.

“Chris at SGG provided crucial guidance on understanding the standard and how to approach the certification process in a pragmatic, business-focused manner. He acted as a true Co-Pilot. He discussed critical areas with the external auditors and justified our decisions, and also provided significant help with risk management.”

Jan Oetting, CISO, Paymenttools

What’s Next?

While the business successfully achieved ISO 27001 certification, continuous improvement is a requirement for ongoing compliance. As such, Paymenttools and SGG remain focused on maturing the business’s ISMS and remediating any findings.

“Since Paymenttools achieved ISO 27001:2022 certification, SGG have helped mature a number of Paymenttools processes including supplier management, the return of assets, and information security in project management.”

Chris Gill, Head of Cybersecurity, GRC and Auditing, SGG

Since achieving ISO 27001 certification, Jan and the team have extended the scope of their compliance to include PCI DSS and the German KRITIS regulation, all within the IO platform. Paymenttools are now beginning to leverage the IO platform as a general policy and risk management tool for the organisation, extending its use beyond just security.

“The IO platform is now our strategic umbrella system for managing our entire security and compliance landscape.”

Jan Oetting, CISO, Paymenttools

The team is currently integrating NIS 2 to ensure alignment with the regulation, the NIST Cybersecurity Framework (CSF) to measure maturity, and CoBit as a general control framework.

“We are continuing our journey to mature our security posture from ‘Compliance’ to ‘Command’.”

Jan Oetting, CISO, Paymenttools

About Paymenttools at a glance

  • Based: Germany
  • Company size: 51-200
  • Industry: Software
  • Compliance frameworks: ISO 27001

Outcomes

  • ISO 27001 success: implemented a robust ISMS and achieved ISO 27001 certification with confidence
  • Streamlined certification: used the IO Assured Results Method to achieve ISO 27001 success
  • Unified compliance: continue to use the IO platform to manage their full compliance landscape

ISMS.online

Company number: 04922343

Nile House, Nile Street, Brighton, England, BN1 1HW
Copyright © 2026 Alliantist Ltd