LegalTech SaaS: ISO 27001 Certification for a Contract Intelligence Platform
A contract intelligence platform processing confidential legal documents for law firms had lost two enterprise deals because they could not demonstrate ISO 27001 certification. The certification was achievable - they had a reasonably secure AWS setup - but the ISMS documentation, risk register, and control evidence were missing entirely. We got them certified in 7 months.
The Challenge
The product handled some of the most sensitive documents in existence: M&A agreements, litigation strategy, IP filings. Law firm procurement teams required not just technical security controls but a functioning Information Security Management System (ISMS) with documented policies, a risk register, and evidence of continuous control operation. The technical stack was reasonable - AWS, encrypted storage, MFA - but nothing was documented or evidenced in an auditable form.
The Approach
ISO 27001 has two equally weighted components: the reference controls in Annex A (organisational, people, physical and technological, so not only technical) and the management system itself, defined in clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement). Most engagements stall because teams treat the standard as a control checklist and neglect the management system, which is what the auditor checks first. We ran both tracks in parallel, staffing a part-time compliance lead alongside the technical implementation.
The Implementation
ISMS setup and risk register
We defined the ISMS scope (the cloud infrastructure and application handling legal documents), identified 34 information assets, conducted a risk assessment for each, and populated a risk register in Notion with risk owners, treatment plans, and residual risk ratings. The risk register became the backbone of the audit.
Technical control implementation (Annex A gaps)
Gap analysis identified 12 missing controls, among them: no vulnerability management process, no formal asset inventory, no encryption key rotation schedule, no supplier security assessments, and no change management policy. We implemented each over 8 weeks. The most impactful: automated dependency scanning in CI (Trivy) and a quarterly key rotation schedule in AWS KMS. Two practical notes on the KMS control: automatic rotation defaults to 365 days, so a quarterly schedule means explicitly setting a 90-day rotation period on each customer-managed key; and rotation only creates new backing key material for future encryptions while retaining the old material to decrypt existing ciphertext, so it does not re-encrypt data already stored.
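The schedule alone is not evidence; the auditor wants proof that the control keeps operating. The script below is an added example (not code from the engagement or from any of the tools named on this page) of how such evidence can be generated automatically: it takes each KMS key's DescribeKey metadata and GetKeyRotationStatus response, judges it against an assumed 90-day policy, and emits an evidence record an auditor can read. It maps the control to ISO 27001:2022 Annex A 8.24 (use of cryptography); the key IDs and records are constructed to resemble boto3 responses and are not real keys, and the `fetch_from_aws` helper is only used when a live boto3 client is passed in.

```python
"""Control-evidence check: customer-managed symmetric KMS keys rotate at least quarterly."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumption: the key management policy requires rotation at least every 90 days.
MAX_ROTATION_DAYS = 90


@dataclass(frozen=True)
class Finding:
    key_id: str
    status: str  # "pass" | "fail" | "manual" | "not_applicable"
    reason: str


def evaluate_key(meta: dict, rotation: dict, max_days: int = MAX_ROTATION_DAYS) -> Finding:
    """Judge one key from its DescribeKey metadata and GetKeyRotationStatus response."""
    key_id = meta["KeyId"]
    if meta.get("KeyManager") != "CUSTOMER":
        return Finding(key_id, "not_applicable", "AWS-managed key, rotated by AWS")
    if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return Finding(key_id, "not_applicable", "asymmetric or HMAC key, automatic rotation unsupported")
    if meta.get("KeyState") != "Enabled":
        return Finding(key_id, "not_applicable", f"key state is {meta.get('KeyState')}")
    if meta.get("Origin", "AWS_KMS") != "AWS_KMS":
        # Imported key material cannot be auto-rotated: the control needs manual evidence.
        return Finding(key_id, "manual", "imported key material, collect rotation evidence by hand")
    if not rotation.get("KeyRotationEnabled", False):
        return Finding(key_id, "fail", "automatic rotation disabled")
    # Assumption: a missing RotationPeriodInDays means the KMS default of 365 days.
    period = int(rotation.get("RotationPeriodInDays", 365))
    if period > max_days:
        return Finding(key_id, "fail", f"rotation period {period}d exceeds {max_days}d")
    return Finding(key_id, "pass", f"rotation enabled every {period}d")


def build_evidence(records, checked_at=None, max_days: int = MAX_ROTATION_DAYS) -> dict:
    """Produce an auditor-facing evidence record: one finding per key plus an overall verdict."""
    checked_at = checked_at or datetime.now(timezone.utc)
    findings = [evaluate_key(meta, rot, max_days) for meta, rot in records]
    failing = [f for f in findings if f.status == "fail"]
    manual = [f for f in findings if f.status == "manual"]
    return {
        "control": "ISO 27001:2022 Annex A 8.24 (use of cryptography), key rotation",
        "checked_at": checked_at.isoformat(),
        "max_rotation_days": max_days,
        "compliant": not failing,  # "manual" items do not fail the check, they need a human
        "needs_manual_evidence": [f.key_id for f in manual],
        "findings": [asdict(f) for f in findings],
    }


def fetch_from_aws(kms):
    """Yield (metadata, rotation) pairs from a live account; kms is boto3.client('kms')."""
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rot = {}
            if meta["KeyManager"] == "CUSTOMER":
                rot = kms.get_key_rotation_status(KeyId=key["KeyId"])
            yield meta, rot


# Constructed sample records in the shape of the boto3 responses (hypothetical key IDs).
SAMPLE_RECORDS = [
    ({"KeyId": "key-docs-data", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "KeyState": "Enabled", "Origin": "AWS_KMS"},
     {"KeyRotationEnabled": True, "RotationPeriodInDays": 90}),
    ({"KeyId": "key-backups", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "KeyState": "Enabled", "Origin": "AWS_KMS"},
     {"KeyRotationEnabled": True}),  # period omitted: default 365 days, too long
    ({"KeyId": "key-legacy", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "KeyState": "Enabled", "Origin": "AWS_KMS"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "key-hsm-import", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "KeyState": "Enabled", "Origin": "EXTERNAL"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "key-signing", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
      "KeyState": "Enabled", "Origin": "AWS_KMS"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "aws/s3", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
      "KeyState": "Enabled", "Origin": "AWS_KMS"},
     {}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_evidence(SAMPLE_RECORDS), indent=2))
```

Run it on a schedule (a weekly CI job is enough) and keep the JSON output with the run date; the dated series of "compliant: true" records is the continuous-operation evidence the auditor asks for, and a "fail" entry is an immediate signal that the control has lapsed rather than something discovered six weeks before the audit. The "manual" status is deliberate: keys with imported material cannot be auto-rotated, so marking them as compliant would be a false claim.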
Policy library and staff training
ISO 27001 requires documented policies for information security, access control, incident response, business continuity, and more. We wrote 11 policies tailored to the company's actual operations (not boilerplate), uploaded them to a document management system, and ran a 2-hour all-hands training session. Training completion was tracked as audit evidence.
Internal audit and management review
Six weeks before the certification audit, we conducted an internal audit against all 93 Annex A controls and the mandatory ISMS clauses 4 to 10. We found 4 non-conformities - all minor and remediated within two weeks. The management review meeting (required by clause 9.3) was documented with minutes and action owners. The certification audit found zero non-conformities.
Key Takeaways
- ISO 27001 is 50% documentation and process - a technically secure system without a management system will not pass
- A pre-audit internal assessment 6 weeks out is the single practice that most consistently produces first-attempt certification
- Vanta or Drata for evidence collection is worth the cost for any company with fewer than 5 ops staff - manual evidence collection is the bottleneck
- The risk register is the central artefact of ISO 27001 - auditors spend more time on it than any technical control
Facing Similar Challenges?
Book a free 30-minute audit and I will tell you what I see.