FinTech SaaS · Tri-geo
FinTech SaaS: ISO 27001 in 9 months, zero velocity regression.
Roadmap frozen by cert. DevSecOps, IaC policies, Vault, incident runbook. DORA stays elite.
KPI
9 mois
ISO 27001 (vs 18 estimé)
Duration
11 mois
Team
6 engineers
Hub(s)
Tri-geo
ISO 27001 in 9 months without freezing the roadmap: feasible, but you prepare it like a release train, not like an audit.
The context
European B2B SaaS FinTech, 95 employees, Paris, Montreal, and Singapore presence. Strong growth (14M EUR ARR, +85% YoY), imminent entry into the enterprise segment which contractually required ISO 27001. Initial internal estimate: 18 months and feature freeze.
The problem
- ISO 27001 mandatory for 6 strategic deals in pipeline
- Heavy product roadmap, DORA elite velocity to maintain
- CTO and CISO agreed on target, disagreed on method
- No formalized IaC policy, cleartext secrets in CI
- Previous audit (2024): 23 findings, 5 critical
The approach
End-to-end DevSecOps: security becomes a platform feature, not an audit checklist. Industrialization of controls, automation of evidence, mock audit three months before the final to clear the minefield.
The workstreams
- SAST/DAST integrated into pipelines (Snyk Code, OWASP ZAP)
- Terraform IaC with Sentinel policies: no non-compliant resource deploys
- Vault for secret rotation and injection, KMS for encryption
- Documented incident runbooks, quarterly table-top exercises
- Internal mock audit at month 7, official audit at month 9
The stack
- Terraform Cloud with Sentinel policies
- HashiCorp Vault, AWS KMS
- Snyk Code, Snyk IaC, OWASP ZAP
- GitHub Actions with OIDC, mandatory signed commits
- AWS Control Tower for multi-account governance
The results
- ISO 27001 certification obtained in 9 months (vs 18 estimated)
- 0 critical finding at final audit, 3 minor
- DORA velocity: maintained elite (deploys/day, MTTR < 1h)
- SAST coverage: 92% of code base in blocking CI
- Secret rotation: 100% automated
« Abbeal turned a regulatory constraint into a commercial advantage. We signed three enterprise accounts in the eight weeks following certification. »
What we learned
Sentinel is expensive but pays back ROI in 6 months by avoiding post-deploy remediation. The internal mock audit avoided 8 potential findings: to redo systematically. What we'd do differently: embed legal from month 1, not month 5. Contractual rewording cost us three weeks we hadn't planned.
// Read next
Mobilité urbaine · Paris + Montréal
Mobility scale-up: −30% cloud bill, same SLOs.
AWS bill doubled in 18 months without matching traffic growth. GreenOps audit, refactor, Karpenter, ARM64. Measured outcome.
−30%
facture cloud
E-commerce sport · Paris
Sports leader: PWA, +18% mobile conversion, Lighthouse 92.
Mobile Lighthouse at 38, conversion falling. Next.js App Router, edge, images, splitting. Delivered in 6 months.
+18%
conversion mobile
Robotique industrielle · Tokyo
Japanese industrial: 80 AGVs, ROS 2, +40% warehouse throughput.
Slow fleet, collisions, downtime. Nav2 refactor, perception fusion, multi-agent planning. Zero collisions in 6 months.
+40%
throughput entrepôt