We’re ISO 27001 Certified (and yes, we did it as a small crew)

Feb 25, 2026

Green Fern

In January 2026, AhoyAhoy (and our sister company, Finlert) officially achieved ISO 27001:2002 certification — proving our secure software development practices aren’t just good intentions… they’re independently verified.

If you’ve ever worked with larger clients, you’ll know the feeling: the project’s going well, everyone’s happy… and then the due diligence questionnaire drops like an anchor.

  • “Are you ISO 27001 certified?”

  • “Do you have an ISMS?”

  • “Can you show evidence for your security controls?”

  • “What’s your process for incidents, access, suppliers, change management… and everything else under the sun?”

By mid-2025, those questions were turning up more regularly for us — especially as we started hosting and handling more sensitive client data. So we decided to stop answering with “we do security… seriously” and start answering with “we can prove it.”

In January 2026, we earned ISO 27001:2002 certification for both AhoyAhoy and Finlert.

And yes… we did it with a small internal team, not a flotilla of compliance staff.

Why we went for certification

ISO 27001 is a global standard for information security management. But for us, the “why” was very practical:

1. Credibility — externally verified

We’ve always built with secure practices in mind. ISO 27001 gives clients something better than a promise: independent validation.

2. Faster (and calmer) client due diligence

When you’re hosting or processing client information, technical due diligence can become a long voyage through spreadsheets and evidence requests.

Having a certified Information Security Management System (ISMS) helps clients:

  • trust the baseline controls are in place

  • reduce bespoke security back-and-forth

  • assess risk faster (and with fewer surprises)

3. Partner expectations are rising

As certified partners in ecosystems like Xero, Stripe, and AWS, we’ve also seen a consistent push toward formal security and quality systems — and in some cases, it’s required to access sensitive environments and information.

Confession: I’d seen the map before (but not on a small boat)

Before AhoyAhoy, I (Nathan) was CTO at SAI Global, so I was familiar with the ISO world and how certification audits run.

But, implementing ISO 27001 inside a small business is a different adventure:

  • you can’t “throw a department at it”

  • everyone wears multiple hats

  • you still need real evidence, real controls, and real discipline — not just nice documents

So we approached it the AhoyAhoy way: practical, lightweight where it can be, and rigorous where it must be.

The crew who captained the programme

We started with a small internal team:

  • Stevie

  • Geoff

  • Nathan

That was the core crew charting the course, gathering evidence, tightening controls, and building a system we could actually live with (not just survive an audit with).

Our secret weapon: Pocket CISO (and Carlota)

We also had brilliant support from Carlota at Pocket CISO. Her guidance was honestly priceless — the kind of help that saves you months of guesswork and keeps the programme moving when the sea gets choppy.

Carlota helped us steer clear of “compliance theatre” and focus on what matters:

  • clear scope

  • sensible risk treatment

  • evidence that matches reality

  • a system we can maintain, not just launch

The practical how: what we actually did (step-by-step)

Here’s the playbook we followed:

1. We used Confluence as our single source of truth

We already ran our operational knowledge through Confluence, so we leaned into it as our document and record repository.

To accelerate the setup, we purchased the ISO 27001 pack from the QC Template Launcher Confluence app.

That gave us a structured baseline for:

  • policies and procedures

  • registers (risk, incidents, assets, suppliers, etc.)

  • templates and records

Then we tailored it so it matched how we actually work (because nobody wants a 40-page policy that the crew avoids like rough weather).

2. We assessed our gaps using the Pocket CISO Security Health Model

One of the biggest early wins was using Pocket CISO’s Security Health Model.

It made it simple to:

  • assess our current state

  • identify gaps

  • prioritise what mattered most

  • track progress toward ISO 27001 (or SOC 2-style outcomes)

In practice: less hand-waving, more “here’s what we need to fix next.”

3. We levelled up the crew with Wizer (ongoing learning)

Security isn’t a one-and-done voyage — you’ve got to keep the crew sharp as the seas change. For our ongoing learning and awareness programme, we partnered with Wizer.

Wizer has been a great fit because they cover both sides of the deck:

  • Security awareness training with genuinely engaging content (the kind people actually complete)

  • Deeper secure development training, so our engineers aren’t just “aware” — they’re actively improving how we build

They also run practical exercises that turn training into real-world readiness, including:

  • Phishing simulations (helping us practice spotting the hooks before they snag us)

  • Developer “capture the flag” events (hands-on challenges that sharpen secure coding instincts)

The result: security stays part of our everyday rhythm — not a dusty binder we pull out when audit season rolls around.

4. We chose a certification body that could get moving fast

We selected Compass Assurance Services (Kiwa) as our certification body.

Then we ran the two-stage audit process:

Stage 1 Audit — the chart review

Stage 1 covered the whole programme and validated that the foundations were in place. It also helped us identify the gaps we needed to close before the full certification audit. The audit team were practical and constructive, which gave us the confidence we needed to keep pushing forward.

Outcome: a clear punch list, not a surprise storm.

Stage 2 Audit — full assessment (including physical)

Stage 2 happened six weeks later and included a full audit (including a physical audit). We passed, and certification followed soon after.

Outcome: ISO 27001 certification achieved for AhoyAhoy and Finlert in January 2026.

What changed (and what didn’t)

ISO 27001 isn’t about turning your business into a paperwork navy.

For us, the best result is that it:

  • formalised what we already cared about

  • filled the gaps that creep into any growing team

  • made security repeatable, not heroic

The biggest improvements we felt day-to-day:

  • clearer access control and review cadence

  • tighter supplier and partner tracking

  • cleaner incident/issue pathways

  • stronger evidence collection (so we’re not scrambling later)

And crucially: it’s now easier to answer client security questions with confidence — because the system is already in place.

What this means for our clients

If you work with AhoyAhoy, you’re getting:

  • a product-focused software team

  • with secure development and cyber security practices

  • backed by an independently certified ISMS

When sensitive data enters the picture, we’re not improvising. We’re operating to a global standard — and we can show the logs, records, and controls to prove it.

Want to sail with a security-first crew?

If you’re building software that needs to handle customer data, financial info, or regulated workflows — we’d love to chat.

(We promise: no endless questionnaires. We’ve seen enough of those for one lifetime.)
