A journey towards ISO 27001 readiness in just seven weeks
Start of the Journey
Why ISO 27001
At Paybix, security has always been part of our DNA. Handling sensitive payroll data means our systems, processes, and people already operate with security in mind. ISO 27001 does not add a new layer of protection. Instead, it allows us to make our existing practices visible, measurable, and verifiable. It helps formalize the controls we already have, provide clear evidence of how we operate, and strengthen a culture that is embedded in daily work.
Over the past months, we have noticed a shift in the types of companies engaging with our platform. From larger enterprises to value-added resellers, these organizations bring higher expectations and more rigorous demands around compliance and information security.
Questions about how we manage access, how data is deleted, how breaches are handled, or whether we are ISO certified are no longer occasional. They have become the norm. For some opportunities, ISO 27001 certification is explicitly listed as a precondition for partnerships or contracts.
This trend is not surprising. As businesses become more digital and interconnected, the risk surface grows. Organizations do not want to expose themselves through insecure third-party software. They expect their partners to demonstrate security and compliance, not just claim it.
A Natural Step for Paybix
We are proud of the agility and focus that come with being a small SaaS company. But as we grow and attract larger clients, we must also evolve. ISO 27001 helps us compete on equal footing with larger players who already hold formal certifications.
For our team, it is a step toward operational maturity. For our clients and partners, it is reassurance that Paybix can be trusted with their most sensitive data.
Our Journey
I had previous experiences with ISO certifications. Looking back, they feel like they belonged to another age, with a very different toolset. When we recognized that Paybix needed ISO, I hesitated. I knew the value, but I also foresaw a mountain of work heading toward me and the development team.
Now, having almost completed the track, I can say it went much more smoothly than I imagined. With today's perspective, ISO feels practical, structured, and achievable. A project that initially seemed likely to take more than a year went from zero to a successful internal audit in just seven weeks.
Before summer, our Board of Directors formally approved the decision to pursue ISO 27001 certification. Since then, we have prepared internally, aligned responsibilities, and begun selecting the right implementation partner to guide us through the practical steps toward certification.
Choosing the ISO 27001 Partner(s)
Once the Board approved the decision to pursue ISO 27001, the next question was clear: how should we approach the actual implementation?
Two Paths: Big Four or Specialist
ISO 27001 is not a one-size-fits-all effort. Conversations with founders and CTOs of other SaaS companies showed us that many had gone through a consultancy track to reach certification. Some chose the classic route with one of the Big Four consulting firms, while others worked with smaller, specialized consultants focused exclusively on ISO and security compliance.
The Big Four option has obvious advantages: brand recognition, deep resources, and robust audit preparation. For a company of our size and stage, however, it felt heavy, expensive, and not tailored enough. We needed flexibility, speed, and practical, hands-on guidance.
Through a warm introduction, we connected with an independent ISO 27001 consultant, a true expert with a deep track record of helping SaaS companies achieve certification. From our first call, it was clear: this person had walked this path many times. His insights were sharp, feedback practical, and expectations crystal clear.
We appreciated the honesty. This would be a serious track, likely taking 12 months, some said 18, depending on our commitment, availability, and the depth of our implementation. It felt exactly like the no-nonsense guidance we needed to get started.
Exploring Compliance Automation Platforms
Moving away from the pure consulting track, we also wanted to see whether tooling could help us move faster. From conversations with other entrepreneurs, it became clear that combining human expertise with software could accelerate certification. They were talking about certification in 3 months! Several tools came up repeatedly: Drata, Vanta and Secfix.
While other solutions exist, two were recommended by companies similar to ours, so we only looked into those two. Here's how they compare:
Both Drata and Secfix offered startup-friendly pricing. Drata's Foundation Package makes it accessible for companies like ours. Secfix provides pricing with implementation and support included, which fits well with our European operations. The disadvantage of Drata, in our opinion, was that implementation is done by an external party, which in practice means a consultancy track gets sold after the first 30 days, while we wanted to jumpstart within those first 30 days. Secfix had the advantage that we could proceed very quickly.
Our Decision: A Hybrid Track
Being a challenger ourselves, Secfix naturally felt like the right fit. Their hands-on guidance and focus on European companies aligned with our culture and compliance needs. At the same time, we knew speed and structure were crucial.
We decided on a hybrid approach:
- Secfix became our compliance platform.
- Our independent ISO consultant, Roel Heymans (https://onerule.be), would guide us through the first months, helping to set priorities and structure.
Summer is typically quieter for us, with fewer customer deadlines and more breathing room, making it the perfect time to fast-track our efforts. Our goals included defining responsibilities, organizing the risk register, setting up the asset inventory, and laying the foundations for documentation and internal controls.
This hybrid approach allows us to combine structured software automation with real-world expertise while maintaining momentum throughout the certification journey.
So I would have a daily standup with my consultant, managing the tasks together to get as far as possible in the first month.
Week 1: Structure, Speed, and Security in Action
28 July 2025 marked the official start of our ISO 27001 readiness project. As CTO, I knew this would be a significant undertaking, and I also understood its importance for strengthening our security posture and maintaining the trust our customers place in us.
Onboarding the Platform
Our first interaction with Secfix was the onboarding session led by our customer success consultant Melita. It was a well-prepared walkthrough of how the entire implementation would work.
She provided a detailed task sheet that instantly became our project's central hub. Each task in the sheet included:
- A description of what to do
- An estimated time to complete it, giving a realistic sense of effort
- Links to the platform help articles, often with concrete examples or pre-prepared documents or Excel sheets we could adjust to our needs
- Space to track progress step by step
The clarity and structure were invaluable for a project of this scope. Roel and I immediately began dividing tasks.
Tailored Policies: A Huge Time Saver
One of the biggest advantages of using a platform became clear on day one: 20 pre-prepared policies tailored to our business type, size, and sector.
These were not generic templates. They already included best practices and reflected expectations for companies in our industry. Instead of starting from scratch, we could focus on reviewing and making minor adjustments to align them with our internal processes. This alone probably saved us weeks of work. Not probably. For real. Even Roel was impressed.
Next to that, we connected O365, so our employee population is pulled into the platform, and the connection with our Azure subscription imported all cloud assets into the inventory section, which is updated automatically. Because of these integrations, the vendors used on our employees' laptops were also already seeded in the platform. Suddenly you have a view on your organisation.
Roles and Daily Collaboration
From the start, we organized our workload to maximize efficiency. In the first week:
- Roel, our part-time CISO, spent about 2.5 hours a day reviewing policy content and adding expert notes to the tracker
- I invested around 4 hours a day while continuing to manage developer priorities and design new features for our clients
Every day, we have a short, focused check-in. He updates me on policy progress, I update him on technical matters, and together we decide which policies to finalize next.
Policy Approval via the Security Council
Once a policy was complete, we added it to the platform. This automatically triggers an approval request to our newly created Security Council, which is responsible for formally approving policies before they become active. This ensures policies are not only written but officially adopted and ready to be enforced. For now, we are just adding policies; the formal approval step will come later.
Device Compliance Across the Company
Policies are one thing, but ensuring devices comply is another. Early in the first week, we rolled out the platform compliance app across all company devices (including Apple devices).
The app checks each device against the required security standards and flags where adjustments are needed. This gave us immediate visibility into our device fleet, allowing us to address gaps, such as rolling out a company password manager.
Security Awareness for Everyone
Security is also about people. We assigned the Security Awareness Test to every employee via the platform’s self-service portal. The training covers phishing prevention, password best practices, and safe device use. It is concise enough to complete in one sitting but thorough enough to make a meaningful impact.
By the end of week one, 80% of our employees had completed both the compliance app installation and the security awareness training, an early win that ensures our team is informed and equipped from the start.
Overall ISO Progress
In parallel with employee actions, we advanced on the overall ISO 27001 readiness plan. By the end of week one, we had reached 26% progress, according to our automated Project Status Report. Key achievements included:
- Reviewing and finalizing 7 of the 20 prepared policies
- Collecting evidence for several requirements
- Updating multiple Azure and O365 security settings
- Triggering policy approvals via the Security Council process
- Installing the platform compliance app company-wide
- Launching and tracking security awareness training
This strong start shows that clear structure, speed, and defined responsibilities can move an ISO project forward quickly without sacrificing quality.
Coming up: Week 2: Using the Momentum
Stay tuned: I will share insights from our journey in an upcoming blog series covering our week-by-week progress and the efforts that led to a successful internal audit outcome in just seven weeks.
About the author: Bart Slaets
Bart is Paybix’s Chief Technology Officer and an experienced technology leader specializing in SaaS product development for international payroll systems and time/attendance solutions. He drives Paybix's global product strategy, leveraging 20+ years of expertise in building and managing cloud-based workforce management platforms.
His core competencies include: International payroll system architecture, SaaS product lifecycle management, Cross-border compliance frameworks, Cloud-native workforce solutions.