How Qorelo reached ISO 27001 certification in six weeks

A lean European startup needed credible enterprise-ready compliance without losing weeks of engineering focus. Kantis helped turn the process into a managed, practical path.

See what your own ISO 27001 path would look like.

The customer

Qorelo is a lean European software company selling into markets where trust and compliance matter. Like many startups, the team needed ISO 27001 to support enterprise conversations without turning certification into a months-long distraction.

The team was small, technical, and focused. That made speed possible, but only if the process stayed practical.

The challenge

ISO 27001 can become heavy very quickly for a startup:

  • policies need to match the real company, not a generic template
  • cloud, access, vendor, incident, and risk evidence needs to be collected cleanly
  • founders and engineers need to answer audit questions while still shipping product
  • auditor requests need to be interpreted and mapped to the evidence that already exists

For Qorelo, the goal was not to build a compliance department. The goal was credible certification with minimal wasted motion.

The Kantis approach

Kantis supported Qorelo through a managed certification path:

  1. Scope the audit boundary and control expectations.
  2. Map existing systems, vendors, and operating practices against ISO 27001.
  3. Prepare policies and evidence around how Qorelo actually worked.
  4. Organize evidence so the auditor could review it without repeated back-and-forth.
  5. Coordinate open questions and keep the team focused on the few items that genuinely needed their input.

The operating principle was simple: Kantis should absorb the compliance coordination load wherever possible, and Qorelo should only be pulled in where customer-specific decisions or evidence were needed.

The result

Qorelo reached ISO 27001 certification in approximately six weeks, with 0 non-conformities.

"Kantis made ISO 27001 manageable for our team. We got certified in six weeks with 0 non-conformities through a clear, practical, and hands-on process."

Marino Kurtovic, Co-Founder & CTO, Qorelo GmbH

What this proves

Qorelo is the kind of startup Kantis is built for:

  • small team
  • enterprise trust requirements
  • real software infrastructure
  • limited appetite for compliance theater
  • need for a credible auditor path

The lesson is not that every startup should expect a six-week certification. The lesson is that ISO 27001 can be made much more manageable when the process is scoped, evidence-led, and actively coordinated.

What founders should take from this

If ISO 27001 is starting to appear in enterprise procurement, do not wait until the deal is blocked. Start with a gap assessment, understand the budget and evidence requirements, and choose a route that matches your team capacity.

For some teams, that route is a platform. For others, it is a consultant. For lean European startups that want hands-on help and a clear auditor path, Kantis is designed to be the managed route.


Frequently asked questions

Was Qorelo certified by Kantis?

No. Kantis supported preparation, evidence, documentation, and coordination. Formal certification is issued by the certification body.

How long did the process take?

Qorelo moved from kickoff to ISO 27001 certification in approximately six weeks.

Can every startup get ISO 27001 in six weeks?

Not always. Timeline depends on scope, existing security maturity, team responsiveness, auditor availability, and whether major remediation is needed.

What made the process manageable?

The work was scoped tightly, evidence was organized early, policies were adapted to the real operating model, and Kantis absorbed much of the coordination load.
