Background
A manufacturing technology company developing Industrial IoT software and automation solutions had experienced explosive growth over a 24-month period, expanding from a regional player to a vendor of record for three large multinational manufacturing clients, one American, one European, and one Canadian.
Their platform connected directly to factory floor systems, production line sensors, and supply chain management infrastructure across their clients’ facilities. The data flowing through their platform included proprietary production data, operational technology configurations, and in some cases, safety-critical system parameters. For their clients’ procurement and risk teams, this level of access demanded rigorous proof of security.
The problem was that each of the three clients had different compliance requirements — shaped by their own regulatory environments, industry standards, and internal risk management frameworks. And all three had delivered their compliance requirements within the same 60-day window.
Challenge
The company’s leadership opened three separate emails in the same week:
- Client A (US-based automotive manufacturer): Required a SOC 2 Type II report (an independent auditor's attestation, not a certification) as a condition of contract renewal, with the audit observation period to begin within 90 days.
- Client B (European industrial conglomerate): Required ISO 27001:2022 certification under their supplier security program, driven by EU regulatory requirements affecting their supply chain.
- Client C (Canadian aerospace supplier): Required a NIST Cybersecurity Framework alignment assessment plus completion of their proprietary 150-question vendor security questionnaire, due in 45 days.
Facing this, the company’s operations director did what seemed logical: she assigned each compliance requirement to a different internal team member, engaged two separate external consultants for ISO 27001 and SOC 2 respectively, and began working through Client C’s security questionnaire independently.
Within six weeks, the dysfunction was undeniable.
The two external consultants were giving conflicting guidance. The ISO 27001 consultant had designed a set of access control policies. The SOC 2 consultant had independently designed a different set of access control policies for the same systems, using different terminology, different control structures, and different evidence requirements. Staff were being asked to attend separate training sessions for each framework. Evidence was being collected in three different formats for three different purposes. The internal team member handling the NIST questionnaire was answering questions about controls that neither consultant had yet implemented.
The company had three compliance programs running simultaneously, duplicating work, consuming resources, creating contradictions, and making progress on none of them. After six weeks of effort, they were further from certification than when they started, and the deadlines were getting closer.
Their operations director called Armour.
Action
When Armour Cybersecurity’s compliance team conducted the initial assessment, the picture was clear: this wasn’t a compliance problem. It was a coordination problem that was generating compliance problems. The solution wasn’t to work harder on three separate tracks — it was to recognize that ISO 27001, SOC 2, and NIST CSF are not three different security programs. They are three different lenses looking at the same underlying security controls.
Armour proposed and delivered a fully Integrated Audit Compliance program — a single, unified approach that addressed all three frameworks simultaneously through one coordinated set of controls, one evidence collection infrastructure, and one team.
Phase 1 — Unified Gap Assessment & Control Mapping (Weeks 1–3)
We began by retiring both external consultants and conducting a single integrated gap assessment — mapping the company’s current security posture against all three frameworks simultaneously. Every control gap was catalogued once and tagged to every framework it applied to.
The result was a unified control library, a master inventory of every security control the company needed to implement, with each control mapped to its corresponding requirements across ISO 27001 Annex A, SOC 2 Trust Services Criteria, and NIST CSF functions. What had appeared to be three separate compliance programs turned out to require 847 distinct control requirements, of which 71% overlapped across two or more frameworks. Nearly three quarters of the work only needed to be done once.
This single insight, delivered in week two, transformed the project from impossible to achievable.
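The unified control library described in Phase 1 is, mechanically, a small data model: one record per control, tagged with every framework requirement it satisfies, from which per-framework views, the overlap figure, evidence reuse and the residual gaps can all be derived. The following is an added example of that model, not Armour's tooling and not the client's real control set. The six controls and their evidence file names are constructed; the framework references are the ones this case study cites, plus SOC 2 CC7.1 and CC9.2, NIST CSF ID.RA and DE.CM, ISO 27001 Annex A.8.8 and ISO 27001 clauses 9.2/9.3, which are assumed mappings for illustration. The same structure is what makes the single evidence repository used in the audits possible: an artefact is attached to a control once and inherits every framework that control maps to.

```python
"""Unified control library: one control, many framework mappings.

Added example (not Armour's tooling, not the client's data). Control
entries and evidence names are constructed; refs beyond those in the case
study (CC7.1, CC9.2, ID.RA, DE.CM, A.8.8, clauses 9.2/9.3) are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    # framework name -> requirement references this control satisfies
    mappings: Dict[str, Tuple[str, ...]]
    # evidence artefacts, collected once and reused by every framework above
    evidence: Tuple[str, ...] = ()


# Constructed sample library (six controls, not the 847 from the case study).
CONTROL_LIBRARY: List[Control] = [
    Control("IAM-01", "RBAC, MFA enforcement, privileged access review",
            {"ISO27001": ("A.8",), "SOC2": ("CC6",), "NIST_CSF": ("PR.AC",)},
            ("idp-mfa-policy-export.json", "quarterly-access-review.xlsx")),
    Control("AST-01", "Unified IT/OT asset register",
            {"ISO27001": ("A.5",), "SOC2": ("CC6.1",), "NIST_CSF": ("ID.AM",)},
            ("asset-register.csv",)),
    Control("IR-01", "Incident response plan and annual tabletop exercise",
            {"ISO27001": ("A.5.26",), "SOC2": ("CC7.3",), "NIST_CSF": ("RS",)},
            ("ir-plan-v3.pdf", "tabletop-exercise-report.pdf")),
    Control("SUP-01", "Supplier security assessment process",
            # CC9.2 assumed as the SOC 2 vendor-risk criterion
            {"ISO27001": ("A.5.19",), "SOC2": ("CC9.2",)},
            ("supplier-assessment-template.docx",)),
    Control("VM-01", "Continuous vulnerability scanning and patch SLA",
            # A.8.8 / CC7.1 / ID.RA are assumed mappings
            {"ISO27001": ("A.8.8",), "SOC2": ("CC7.1",), "NIST_CSF": ("ID.RA",)},
            ("scanner-monthly-summary.pdf",)),
    Control("ISMS-01", "ISMS internal audit and management review",
            # ISO-only: clause requirements with no SOC 2 / NIST counterpart here
            {"ISO27001": ("9.2", "9.3")},
            ("management-review-minutes.pdf",)),
]

# Constructed requirement set per framework (what the gap assessment checks).
REQUIRED: Dict[str, List[str]] = {
    "ISO27001": ["A.5", "A.5.19", "A.5.26", "A.8", "A.8.8", "9.2", "9.3"],
    "SOC2": ["CC6", "CC6.1", "CC7.1", "CC7.3", "CC9.2"],
    "NIST_CSF": ["ID.AM", "ID.RA", "PR.AC", "DE.CM", "RS"],
}


def overlap_summary(library: List[Control]) -> Dict[str, float]:
    """Count controls and how many satisfy two or more frameworks."""
    total = len(library)
    shared = sum(1 for c in library if len(c.mappings) >= 2)
    return {"total": total, "shared": shared,
            "shared_fraction": shared / total if total else 0.0}


def framework_view(library: List[Control], framework: str) -> Dict[str, List[str]]:
    """One framework's lens on the single library: requirement ref -> control ids.
    This is the mapping appendix an auditor for that framework sees."""
    view: Dict[str, List[str]] = defaultdict(list)
    for c in library:
        for ref in c.mappings.get(framework, ()):
            view[ref].append(c.control_id)
    return dict(view)


def evidence_reuse(library: List[Control]) -> Dict[str, Set[str]]:
    """Each evidence artefact with the frameworks it serves (collected once)."""
    reuse: Dict[str, Set[str]] = {}
    for c in library:
        for artefact in c.evidence:
            reuse.setdefault(artefact, set()).update(c.mappings)
    return reuse


def gap_assessment(library: List[Control],
                   required: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Required refs per framework that no control maps to (exact-ref match)."""
    gaps: Dict[str, List[str]] = {}
    for fw, refs in required.items():
        covered = framework_view(library, fw)
        missing = sorted(r for r in refs if r not in covered)
        if missing:
            gaps[fw] = missing
    return gaps


if __name__ == "__main__":
    print(overlap_summary(CONTROL_LIBRARY))
    print(framework_view(CONTROL_LIBRARY, "SOC2"))
    print(evidence_reuse(CONTROL_LIBRARY))
    print(gap_assessment(CONTROL_LIBRARY, REQUIRED))
```

With the constructed library, five of six controls serve at least two frameworks, every artefact attached to a three-framework control is reused three times, and the gap assessment reports that nothing in the library covers NIST_CSF DE.CM (continuous monitoring). Matching is by exact reference on purpose: treating a mapping to CC6.1 as covering all of CC6 is a judgement the assessor should make explicitly, not one the tooling should make silently.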
Phase 2 — Unified Policy & Documentation Framework (Weeks 3–7)
Rather than writing separate policy suites for each framework, Armour developed a single integrated policy framework, 26 policies and procedures, each written to simultaneously satisfy ISO 27001, SOC 2, and NIST requirements. Every policy was cross-referenced to all three frameworks in a mapping appendix, providing clear audit evidence that a single document satisfied multiple requirements.
This eliminated the contradictory policies the two previous consultants had created and gave the internal team one authoritative set of documentation to operate from — rather than three conflicting versions.
Phase 3 — Unified Technical Control Implementation (Weeks 4–12)
Technical controls were implemented once, to the most stringent specification required across all three frameworks, ensuring that a control implemented for ISO 27001 would simultaneously satisfy the corresponding SOC 2 criterion and NIST subcategory. Implementation workstreams included:
- Identity & Access Management: Role-based access controls, MFA enforcement, privileged access reviews, and session management, implemented to satisfy ISO 27001 A.8, SOC 2 CC6, and NIST PR.AC simultaneously
- Asset Management: Complete asset inventory covering IT and OT environments, addressing ISO 27001 A.5, SOC 2 CC6.1, and NIST ID.AM in a single unified asset register
- Vulnerability Management: Continuous scanning, patch management program, and remediation tracking, satisfying requirements across all three frameworks with one operational program
- Incident Response: A single Incident Response Plan structured to meet ISO 27001 A.5.26, SOC 2 CC7.3, and NIST RS requirements, tested with a tabletop exercise documented as evidence for all three frameworks simultaneously
- Supplier Security: Vendor risk management program covering all critical technology suppliers, satisfying ISO 27001 A.5.19 and SOC 2 vendor management criteria with a single supplier assessment process
Phase 4 — Client C Security Questionnaire (Weeks 2–5, parallel track)
While the unified control implementation progressed, Armour simultaneously worked through Client C’s 150-question vendor security questionnaire, answering each question by referencing the controls being implemented in the unified program. Questions that had previously been unanswerable because controls didn’t yet exist were answered with documented implementation timelines and evidence of work in progress. The completed questionnaire was submitted on time, with supporting evidence attachments drawn directly from the integrated compliance program.
Phase 5 — Audit Coordination & Certification (Weeks 10–20)
With a unified control environment in place, Armour coordinated the three separate audit processes as a single integrated program:
- ISO 27001: Managed the Stage 1 and Stage 2 certification audits; all documentation was submitted from the unified policy framework and all technical control evidence was drawn from the single integrated evidence repository
- SOC 2 Type II: Managed the audit observation period and fieldwork; evidence collection was fully automated, pulling from the same systems used for ISO 27001 evidence and requiring zero additional staff effort
- NIST CSF: Delivered a formal NIST CSF alignment report generated from the unified control library, requiring no separate assessment work
All three audit processes concluded within the same 30-day window.
Impact
- ISO 27001:2022 certification achieved, zero major nonconformities
- SOC 2 Type II report issued, clean opinion, zero exceptions
- NIST CSF alignment report delivered, submitted to Client C ahead of deadline
- Client C security questionnaire completed on time, with documented evidence attachments
- All three client contract requirements satisfied, zero contract terminations
- 71% control overlap identified, nearly three quarters of compliance work executed once instead of three times
- Estimated 340 hours of duplicated staff effort eliminated versus running three separate programs
- Single unified policy framework, 26 documents replacing the contradictory outputs of two separate consultants
- Ongoing integrated compliance program, annual surveillance and recertification managed as one coordinated engagement
Conclusion
The company didn’t have a compliance problem. They had a coordination problem, and it was costing them time, money, and progress on all three fronts simultaneously.
The instinct to treat each audit as a separate project is understandable. Each framework has its own name, its own auditor, its own deadline, and its own documentation requirements. It feels logical to handle them separately. But that instinct is exactly what causes organizations to duplicate effort, contradict themselves, and exhaust their teams, while making real progress on none of them.
Armour’s Integrated Audit Compliance approach is built on a different premise: security controls are security controls. ISO 27001, SOC 2, and NIST CSF all ask organizations to do the same fundamental things: manage access, protect data, monitor threats, respond to incidents, and manage risk. The frameworks differ in language, structure, and emphasis. The underlying security program, built correctly, satisfies all of them at once.
For this company, that insight didn’t just save time. It saved three client contracts, eliminated hundreds of hours of wasted effort, and produced a compliance program that is now a genuine competitive differentiator in a market where their competitors are still trying to figure out which framework to tackle first.
