Results at a glance
- ISO 27001 certified in under two months from kickoff.
- 15-20 hours total from the Centinel team across the whole process.
- GDPR readiness completed alongside certification for customer and procurement conversations.
- Certificate issued by a UKAS-accredited certification body; Kantis ran readiness, internal audit, evidence, and coordination.
- Engineers stayed on product — no six-month compliance project.
The customer
Centinel Analytica is a German startup that helps organisations tell genuine users apart from bots, AI agents, stealth crawlers, and other automated traffic.
That puts Centinel in a trust-sensitive category. Customers are not only buying software; they rely on Centinel to support decisions about real users, suspicious traffic, and security-relevant signals. For a company whose product is trust, its own security posture is a commercial requirement, not a nice-to-have.
The trigger: customers started asking for ISO 27001 and SOC 2
The trigger was direct customer pressure. Centinel's enterprise customers began asking for ISO 27001 and SOC 2, which meant security proof was becoming part of sales and procurement conversations — the same "prove you're secure before we buy" moment that stalls deals for so many B2B and AI startups.
For Centinel, ISO 27001 was not about a badge. It was about showing that its information security management system, risk work, policies, evidence, and operating controls could stand up to independent review — quickly, and without derailing the roadmap.
The challenge: prove trust without a six-month project
Centinel already had a technically mature baseline. The team had strong engineering practices and the right security instincts, but those practices still needed to be translated into audit-ready evidence.
The risk was time. A lean technical team cannot afford a six-month compliance project that pulls engineers away from product work. The goal was to make the process credible, but keep the team focused on the few inputs only they could provide.
The Kantis approach to ISO 27001 for a lean technical team
Kantis supported Centinel through the ISO 27001 path by:
- Running the internal audit work.
- Mapping existing security and engineering practices into audit evidence.
- Preparing policies, risk material, and operating records around how Centinel actually worked.
- Coordinating with the UKAS-accredited certification body.
- Keeping open questions focused so engineers did not need to manage the compliance process themselves.
- Completing GDPR readiness and check work for customer and procurement conversations.
- Helping package the outcome into Centinel's customer-facing Trust Portal.
Kantis did not audit, certify, or issue the ISO 27001 certificate. The certificate was issued by a UKAS-accredited certification body. Kantis supported readiness, internal audit work, evidence preparation, coordination, GDPR readiness checks, and customer-facing proof materials.
The result: ISO 27001 in under two months, 15-20 hours of team time
Centinel Analytica reached ISO 27001 certification in under two months.
The practical outcome was the important part: Centinel's engineers spent approximately 15-20 hours total on the whole process. Kantis absorbed the internal audit, evidence mapping, and auditor coordination, while the Centinel team stayed focused on product.
Kantis also completed GDPR readiness and check work, giving Centinel a clearer package for customer and procurement conversations alongside the ISO 27001 certificate and Trust Portal.
"The trigger was simple: our customers started asking for ISO 27001 and SOC 2. We help companies tell genuine users apart from bots and AI agents, so proving our own security posture isn't optional – it's part of the product promise. What we didn't want was a six-month project that pulled the team off building. Working with Kantis, it didn't feel like that. Misha did our internal audit, handled the auditor coordination, and helped us turn what we already had into proper evidence. Our engineers spent somewhere around 15 hours total, and we were ISO 27001 certified in about two months. For an early team, that's exactly how this should go."
Simeon Räthel, Co-founder & CEO, Centinel Analytica
What this proves
Centinel shows the kind of ISO 27001 path that works for a small, technical team:
- start with a real customer requirement
- map existing security practices before inventing new process
- turn engineering reality into evidence the auditor can review
- keep founder and engineering time protected
- package the result into proof customers can actually use
It also shows why ISO 27001 and GDPR readiness often belong together for European startups. One gives independent certification of the information security management system. The other helps answer privacy and data-handling questions that appear in the same customer and procurement conversations.
What founders should take from this
If your customers are starting to ask for ISO 27001 or SOC 2, the best time to start is before procurement blocks a deal. You may already have many of the right controls in place; the missing piece is usually evidence, structure, and a credible audit route.
For early teams, the goal is not to build a compliance department. It is to prove trust in a way that lets the team keep building — the way Centinel did in under two months, with 15-20 hours of its own time.
Get the same path for your startup
Centinel started with a free ISO 27001 gap assessment: a short, no-commitment call that maps where you are today, what would actually block certification, and how fast you could realistically get there.
If enterprise customers are starting to ask you for ISO 27001, SOC 2, or a trust page, that call is the cheapest way to find out whether you are weeks or months away.
- Book a free ISO 27001 gap assessment — no commitment.
- Compare ISO 27001 costs for startups before you budget.
- See how Qorelo reached ISO 27001 in six weeks, then added SOC 2 Type I and GDPR readiness.
