Case studies

Realistic organizations, realistic audit patterns, and realistic implementation tradeoffs

These case studies explain ISO 27001 in business terms. They show why organizations pursue it, how the ISMS changes daily decisions, and where evidence and audit readiness usually become difficult.
ISO 27001 is an operating system for decisions
L'ISO 27001 est un système opératoire de décision
The standard matters because it makes scope, risk, governance, control selection, evidence, audit, and improvement hang together as one management system.
Annex A is not the ISMS
L'Annexe A n'est pas le SMSI
Annex A gives a control catalogue. The ISMS decides why controls matter, who owns them, how they operate, and what evidence proves effectiveness.
Auditors test credibility, not theatre
Les auditeurs testent la crédibilité, pas le théâtre
A beautiful policy set is not enough. Auditors compare documents, interviews, records, and sampled evidence to see whether the system actually works.
France-based learners need workplace language
Les apprenants basés en France ont besoin d'un langage de travail
The hard part is often not literal translation but being able to explain evidence gaps, scope choices, and audit findings naturally in English and French.

Organizational scenarios

Why real organizations pursue ISO 27001 and what their ISMS must solve

NordQuai Cloud · B2B SaaS · Paris, France
French SaaS provider moving upmarket
Éditeur SaaS français qui monte en gamme
Enterprise prospects now require a credible ISMS, not only a generic security deck.
Leadership wants repeatable security governance, stronger customer assurance, and a structured way to prioritize funding decisions.
The ISMS becomes the operating model that connects customer promises, engineering controls, and leadership decisions.
Scope focus
Customer platform, support, engineering change flow, and critical cloud suppliers.
Key risks
  • Weak supplier oversight for the cloud stack / Pilotage fournisseur insuffisant sur la pile cloud
  • Fast production changes with uneven evidence / Changements de production rapides avec des preuves inégales
  • Access and logging discipline under growth pressure / Discipline d'accès et de journalisation sous pression de croissance
Evidence priorities
  • Risk method, SoA, change tickets, access reviews, and management review outputs. / Méthode de risque, SoA, tickets de changement, revues d'accès et résultats de revue de direction.
  • Supplier review records for the hosting and support stack. / Traces de revue fournisseur pour l'hébergement et la chaîne de support.
Likely pitfalls
  • Treating ISO 27001 as a sales badge rather than a management system. / Traiter l'ISO 27001 comme un badge commercial plutôt que comme un système de management.
  • Writing polished policies before agreeing scope and risk method. / Rédiger de belles politiques avant de s'accorder sur le périmètre et la méthode de risque.
Helios Managed Ops · Managed services · Lille, France
Managed services firm facing tender pressure
Prestataire de services managés sous pression des appels d'offres
Public-sector tenders and cyber insurers are now asking for demonstrable governance, not only technical tooling.
The company needs a disciplined way to govern shared-service risk across customers, contractors, and supporting teams.
The ISMS clarifies who decides, who approves, and what evidence proves service delivery is controlled.
Scope focus
Service desk, remote administration, privileged access, customer change control, and supplier-managed tooling.
Key risks
  • Privileged access spread across many customers / Accès à privilèges réparti sur de nombreux clients
  • Informal change approvals during incidents / Approbations de changement informelles pendant les incidents
  • Dependence on third-party tooling and subcontractors / Dépendance à de l'outillage tiers et à des sous-traitants
Evidence priorities
  • Access reviews, ticket workflows, emergency change evidence, and supplier reviews. / Revues d'accès, workflows de tickets, preuves de changements urgents et revues fournisseurs.
  • Internal audit evidence that challenges the real operating model. / Preuves d'audit interne qui remettent en question le modèle opérationnel réel.
Likely pitfalls
  • Writing scope too narrowly to avoid shared-service complexity. / Écrire un périmètre trop étroit pour éviter la complexité des services partagés.
  • Assuming customer-specific controls remove the need for central governance evidence. / Supposer que les mesures propres aux clients suppriment le besoin de preuves de gouvernance centrale.
Aster Forge · Manufacturing · Lyon region, France
Industrial manufacturer with hybrid IT/OT reality
Industriel avec une réalité hybride IT/OT
Customers want assurance that production continuity, supplier maintenance, and site access are governed coherently.
Leadership needs one management language to connect plant operations, physical security, cyber teams, and supplier risk.
The ISMS becomes the decision frame for continuity, access, maintenance risk, and evidence across both offices and sites.
Scope focus
Production planning systems, industrial networks, contractor access, and key third-party maintenance relationships.
Key risks
  • Incomplete asset visibility for OT-connected systems / Visibilité incomplète des actifs connectés à l'OT
  • Supplier maintenance paths with weak review evidence / Chemins de maintenance fournisseurs avec peu de preuves de revue
  • Continuity assumptions not backed by restore or recovery testing / Hypothèses de continuité non démontrées par des tests de restauration ou de reprise
Evidence priorities
  • Asset inventory, visitor controls, supplier review records, and restore test evidence. / Inventaire des actifs, contrôles visiteurs, traces de revue fournisseur et preuves de test de restauration.
  • Management review decisions covering operational resilience, not only office IT topics. / Décisions de revue de direction couvrant la résilience opérationnelle, pas seulement les sujets IT de bureau.
Likely pitfalls
  • Assuming OT-specific realities justify weak evidence discipline. / Supposer que les réalités OT justifient une faible discipline de preuve.
  • Separating cyber and physical access governance too far from business continuity. / Séparer excessivement la gouvernance cyber et l'accès physique de la continuité métier.
Clinibase Services · Health data services · Toulouse, France
Healthcare processor under contractual scrutiny
Prestataire santé sous forte pression contractuelle
Hospital customers and major partners need assurance that security decisions are controlled, evidenced, and reviewed by leadership.
The organization wants a disciplined frame that joins security, contractual obligations, and operational assurance instead of managing them in silos.
The ISMS turns security from a specialist concern into a governed business system with evidence, ownership, and review.
Scope focus
Patient-support platform, hosted environments, support operations, and subcontractors handling regulated data flows.
Key risks
  • Contractual security commitments drifting away from operational reality / Engagements sécurité contractuels qui s'éloignent de la réalité opérationnelle
  • Training and incident evidence not covering all support populations / Preuves de formation et d'incident ne couvrant pas toutes les populations support
  • Shared suppliers affecting multiple in-scope workflows / Fournisseurs partagés affectant plusieurs workflows dans le périmètre
Evidence priorities
  • Requirements register, incident records, training completion, and supplier reviews tied to contract risk. / Registre des exigences, enregistrements d'incidents, réalisation des formations et revues fournisseurs reliées au risque contractuel.
  • Management review evidence showing decisions on resource and compliance pressure. / Preuves de revue de direction montrant les décisions sur les ressources et la pression de conformité.
Likely pitfalls
  • Confusing compliance vocabulary with actual ISMS evidence. / Confondre vocabulaire conformité et preuve réelle de SMSI.
  • Keeping obligations in legal trackers without feeding them into risk and control decisions. / Garder les obligations dans des tableaux juridiques sans les injecter dans les décisions de risque et de mesure.

Bilingual workplace language

Phrasing that helps France-based learners explain ISO 27001, evidence, and findings naturally in English and French.

Explaining inconsistent execution (tag: evidence)
English

The process exists but is not consistently evidenced.

Français

Le processus existe mais n'est pas démontré de manière cohérente.

This phrasing is stronger than saying the process is missing when the real issue is execution discipline.
Explaining poor traceability (tag: risk)
English

The risk treatment decision is not traceable.

Français

La décision de traitement du risque n'est pas traçable.

Useful when a register exists but treatment logic cannot be linked to owners, dates, or controls.
Clarifying ISMS scope (tag: meeting)
English

The scope includes the customer platform and support operations, but not every corporate function.

Français

Le périmètre inclut la plateforme client et les opérations de support, mais pas toutes les fonctions de l'entreprise.

Good for kickoff and audit-readiness discussions where boundaries must stay explicit.
Explaining business value (tag: meeting)
English

We pursue ISO 27001 to make security decisions repeatable, credible, and governable.

Français

Nous poursuivons l'ISO 27001 pour rendre les décisions de sécurité répétables, crédibles et pilotables.

This keeps the discussion focused on management-system value rather than only certification optics.

Findings preview

The nonconformity lab goes deeper into twenty realistic findings

Major nonconformity, Clause 6.1.2
No formal risk assessment methodology exists
Aucune méthodologie formelle d'analyse des risques n'existe
The team can point to a spreadsheet of 'top risks', but there is no approved method, no defined criteria, and no current ISMS risk register that covers the scoped service.
Major nonconformity, Clause 6.1.3
The SoA exists but is not aligned with treatment decisions
La SoA existe mais n'est pas alignée avec les décisions de traitement
The SoA marks several controls as applicable with generic language, but the treatment plan uses different wording, omits owner linkage, and does not explain why a few supplier and logging controls are marked not applicable.
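The traceability problem behind this finding, and behind the phrase "the risk treatment decision is not traceable" in the bilingual section above, is mechanical enough to check before an auditor does. The script below is an added example written for this page, not code from the case-study organizations; the Statement of Applicability (SoA) entries, risk identifiers, owners and dates are constructed, and only the control numbers follow ISO/IEC 27001:2022 Annex A. It flags applicable controls with no owner or no link to a treatment decision, excluded controls with no specific justification or that the treatment plan nevertheless relies on, and treatment decisions with no owner, no date, or a control the SoA does not know.

```python
from dataclasses import dataclass, field

# Added illustration: a traceability check between a Statement of Applicability
# (SoA) and the risk treatment plan. The data below is constructed for this
# example; control numbers follow ISO/IEC 27001:2022 Annex A, while the risk
# identifiers, owners and dates are invented.

@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""   # why the control is included or excluded
    owner: str = ""           # who operates the control

@dataclass
class Treatment:
    risk_id: str
    option: str               # modify / retain / avoid / share
    controls: list = field(default_factory=list)
    owner: str = ""
    decided_on: str = ""      # date of the treatment decision, empty if undated

# Justifications that say nothing about this organisation's own context
GENERIC = {"", "applicable", "required", "best practice", "n/a", "not applicable"}

def check_traceability(soa, treatments):
    """Return the traceability gaps an auditor would raise under clause 6.1.3."""
    gaps = []
    referenced = {}  # control_id -> risks whose treatment selects that control
    for t in treatments:
        for c in t.controls:
            referenced.setdefault(c, []).append(t.risk_id)
        if t.option == "modify" and not t.controls:
            gaps.append(f"{t.risk_id}: treatment 'modify' but no control selected")
        if not t.owner:
            gaps.append(f"{t.risk_id}: no treatment owner")
        if not t.decided_on:
            gaps.append(f"{t.risk_id}: treatment decision is undated")
    soa_ids = {e.control_id for e in soa}
    for e in soa:
        if e.justification.strip().lower() in GENERIC:
            state = "applicable" if e.applicable else "excluded"
            gaps.append(f"{e.control_id}: {state} without a specific justification")
        if e.applicable:
            if e.control_id not in referenced:
                gaps.append(f"{e.control_id}: applicable but not linked to any risk treatment")
            if not e.owner:
                gaps.append(f"{e.control_id}: applicable but no control owner")
        elif e.control_id in referenced:
            gaps.append(f"{e.control_id}: excluded in SoA but selected for "
                        + ", ".join(referenced[e.control_id]))
    for c in referenced:
        if c not in soa_ids:
            gaps.append(f"{c}: selected in treatment plan but absent from SoA")
    return gaps

# Constructed sample inputs
SOA = [
    SoaEntry("5.19", True, "Cloud hosting and support suppliers", "Procurement lead"),
    SoaEntry("5.20", True, "applicable"),                 # generic wording, no owner
    SoaEntry("8.15", False, "n/a"),                       # logging excluded, no reason given
    SoaEntry("8.32", True, "Production change flow", "Head of Engineering"),
]
TREATMENTS = [
    Treatment("R-01", "modify", ["5.19", "5.20"], "Procurement lead", "2024-03-12"),
    Treatment("R-02", "modify", ["8.32"], "Head of Engineering", "2024-03-12"),
    Treatment("R-03", "modify", ["8.15"]),                # logging selected, but no owner or date
    Treatment("R-04", "modify", ["5.30"], "COO", "2024-03-12"),  # 5.30 is missing from the SoA
]

if __name__ == "__main__":
    for gap in check_traceability(SOA, TREATMENTS):
        print(gap)
```

Run against the constructed data it reports seven gaps: two on R-03 (no owner, undated), two on 5.20 (generic justification, no owner), two on 8.15 (excluded without a reason, yet selected for R-03) and one on 5.30 (selected but absent from the SoA). Each line is phrased the way a finding would be written, so the same output can feed an internal audit report or a corrective-action log.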
Major nonconformity, Clause 4.3
The scope statement is vague and inconsistent with operations
La déclaration de périmètre est vague et incohérente avec les opérations
The scope says 'managed services activity in France', but sampled evidence shows a foreign NOC, shared HR joiner/leaver activity, and common supplier tooling materially affect the same service.
Major nonconformity, Clause 9.2
The internal audit programme exists on paper but not in evidence
Le programme d'audit interne existe sur le papier mais pas dans la preuve
An audit schedule exists, but no recent audit plans, reports, sampling records, opening or closing meeting notes, or corrective-action follow-up can be produced for the current cycle.
Minor nonconformity, Clause 9.3
Management review is claimed, but the minutes are incomplete
La revue de direction est revendiquée, mais le compte rendu est incomplet
The minutes discuss security budget and customer issues, but sampled records do not show internal-audit inputs, performance against information security objectives, changes in context, or resulting decisions on improvement and resources.
Minor nonconformity, Clause 8.1
The access review process is documented but not evidenced consistently
Le processus de revue d'accès est documenté mais pas démontré de manière cohérente
Three sampled applications have review exports and sign-off, but two smaller support tools rely on verbal manager confirmation and no documented follow-up for stale accounts exists.
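What "not evidenced consistently" means in practice is that an auditor can sample any in-scope tool and expect the same three artefacts: an account export, a dated sign-off, and a recorded decision for every stale account, including proof that removals were completed. The script below is an added example for this page, not code from any of the case-study organizations; the tool names, accounts, login dates and reviewers are constructed, and the 90-day staleness threshold is an assumption chosen for illustration. It reproduces the pattern in the finding: some tools have full records, one has a review with no sign-off and an unfinished removal, and one was "confirmed verbally" and so has no record at all.

```python
from datetime import date, timedelta

# Added illustration: an access-review evidence check across several tools.
# Everything below is constructed for this example; tool names, accounts,
# dates and reviewers are invented. An account is treated as stale when it
# has never logged in or has not logged in within STALE_AFTER of the review
# date (90 days is an assumed threshold, not a value from the standard).
STALE_AFTER = timedelta(days=90)

# Account exports: tool -> list of (account, last_login or None if never)
EXPORTS = {
    "ticketing": [("alice", date(2024, 5, 30)), ("bob", date(2024, 1, 10)),
                  ("svc-backup", None)],
    "remote-admin": [("carol", date(2024, 5, 29)), ("dave", date(2023, 11, 2))],
    "kb-tool": [("erin", date(2024, 2, 1))],
}

# Review records: tool -> who signed off, when, and the decision for each
# flagged account as (decision, completion date). kb-tool was reviewed
# "verbally", so it has no record at all.
REVIEWS = {
    "ticketing": {
        "reviewed_on": date(2024, 6, 3), "signed_off_by": "Support manager",
        "decisions": {"bob": ("remove", date(2024, 6, 5)),
                      "svc-backup": ("keep", None)},
    },
    "remote-admin": {
        "reviewed_on": date(2024, 6, 3), "signed_off_by": "",
        "decisions": {"dave": ("remove", None)},
    },
}

def review_gaps(exports, reviews, stale_after=STALE_AFTER):
    """Return the evidence gaps an auditor sampling access reviews would record."""
    gaps = []
    for tool, accounts in exports.items():
        rec = reviews.get(tool)
        if rec is None:
            gaps.append(f"{tool}: no documented access review")
            continue
        if not rec["signed_off_by"]:
            gaps.append(f"{tool}: review not signed off")
        cutoff = rec["reviewed_on"] - stale_after
        for account, last_login in accounts:
            if last_login is not None and last_login >= cutoff:
                continue  # recently active, nothing further to evidence
            decision = rec["decisions"].get(account)
            if decision is None:
                gaps.append(f"{tool}/{account}: stale account with no documented decision")
            elif decision[0] == "remove" and decision[1] is None:
                gaps.append(f"{tool}/{account}: removal decided but completion not evidenced")
    return gaps

if __name__ == "__main__":
    for gap in review_gaps(EXPORTS, REVIEWS):
        print(gap)
```

On the constructed data the ticketing tool produces no gaps: its stale accounts either have a dated removal or an explicit keep decision. remote-admin yields two gaps (no sign-off, and dave's removal never closed out) and kb-tool one (no record). Running such a check monthly, and keeping its output, turns the access review from a verbal ritual into the sampled evidence clause 8.1 asks for.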