
ISO 27001 in just 10 months: how Mistral Data built a lean, audit-ready ISMS with DataGuard

“ISO 27001 is not as intimidating as it first seems. With DataGuard, the structure is there, the templates are there, and the guidance is there. You don’t need to reinvent the wheel—you just need the right partner.”

James Clark

PMO Manager

Mistral Data

Mistral Data develops data-driven software solutions for the rail industry. For more than 5 years, the company has focused on integrating and analyzing data from diverse sources—including train-operating companies, control centers, and customer-facing platforms. Its cloud-native SaaS tools, built on AWS and Snowflake, support UK rail operators with real-time insights through solutions such as Sirocco, Notus, and Berth Maps—improving punctuality, communication, and overall operational efficiency.

  • Location: UK
  • Company size: Small & medium business
  • Industry: Tech
  • Product: Security

How Mistral Data achieved ISO 27001 certification in just 10 months

Mistral Data builds cloud-native SaaS tools that power UK rail operations—from real-time punctuality insights to customer communications. Security was always central to their work, but growing commercial pressure made ISO 27001 non-negotiable. Major tenders began treating certification as a gatekeeper. With DataGuard’s platform and hands-on expert support, Mistral transformed a daunting, highly complex process into a structured journey—achieving ISO 27001:2022 certification and setting a stronger foundation for growth.

 

Challenge

For Mistral Data, ISO 27001 was no longer optional. Customers and tenders increasingly demanded certification as a baseline requirement. But achieving it meant turning years of informal security practices into a formal, auditable management system while keeping business operations on track.

The key challenges: 

  • Tender pressure: ISO 27001 became a pass-or-fail requirement for large contracts; “working towards becoming certified” was no longer enough.
  • Limited capacity & knowledge: With just 34 employees and no prior ISO experience, only two people could dedicate time to the project.
  • Overwhelming scope: The team had more than 120 controls to interpret, implement, and document in a structured way.
  • Fragmented documentation: Security measures were in place but lived in silos. Early planning was spread across spreadsheets and links, making them difficult to track and align.
  • Audit readiness: Preparing for external auditors without clear processes or templates felt daunting and resource-heavy.

What Mistral needed was structure, clarity, expert steering, and a way to turn an overwhelming checklist into a manageable path toward certification.

Solution

To meet ISO 27001 requirements without overextending their small team, Mistral Data turned to DataGuard for both platform and expert support. What made the difference was the combination of structured tools and weekly guidance that turned a daunting standard into a manageable, step-by-step journey.

Why DataGuard?

  • Dedicated expert support
    Weekly calls with DataGuard provided hands-on, pragmatic advice. Instead of over-engineering, DataGuard’s expert support streamlined the process and kept momentum going.
  • Frameworks App for structure & confidence
    Gave clarity on how 120+ controls connect, linked policies to multiple controls, and highlighted gaps. Served as a “smart checklist” with helpful descriptions and templates, giving the team confidence before the audit.
  • Policy templates
    Ready-to-use, adaptable templates saved weeks of effort and guided the team in addressing the right details.
  • Risk App for governance
    Replaced a simple spreadsheet with a more mature system. Monthly reviews became structured, helping the team to decide whether to accept, mitigate, or transfer risks.
  • Policies App
    Helped centralize and control documentation, with versioning and sign-off built in to reduce audit headaches.

Together, these tools and expert guidance allowed Mistral to move from fragmented documents and uncertainty to a structured ISMS they could stand behind in front of auditors.

Results 

For Mistral Data, ISO 27001 created a clear framework for how security is governed, documented, and reviewed. Processes that once relied on tacit knowledge are now visible to the whole company, repeatable across teams, and easier to maintain alongside daily business operations.

What Mistral achieved with DataGuard:

  • Certified, fast
    Internally audit-ready in 10 months; full certification followed as soon as an external audit slot was available.
  • Confidence before the audit
    A two-day internal audit by DataGuard revealed more issues than the certification body (by design), so the team walked into Stage 1/2 prepared.
  • No extra headcount
    Managed by one project lead with part-time input from Security and the COO; ISO work ran alongside business as usual.
  • Governance that sticks
    Formalized risk reviews (monthly), supplier meetings with agendas and minutes, and clearer ownership across teams.
  • Clarity for everyone
    Policies that had lived “in people’s heads” are now written down; a technical security handbook gives the team clear expectations.
  • Commercial advantage
    Able to clear pass-fail tender gates and compete on trust with large railway operators.
  • Platform foundations
    Using the Risk App for structured decisions (accept/mitigate/transfer) and moving towards the Policies App for version control, attestations, and annual sign-off.

What’s next? 

With certification achieved, Mistral Data is shifting focus from sprinting toward an audit to embedding security into everyday routines. The next stage is about continual improvement—maintaining ISO 27001 year after year and strengthening governance across the organization.

What lies ahead for Mistral Data:

  • Annual CvP audits: Moving into the continual verification program, ensuring security practices stay current and audit-ready.
  • Continual assurance program: Establishing a regular cadence of reviews and improvements, not just one-off milestones.
  • Supplier management: Using ISO as a lever to structure supplier reviews, with formal agendas and notes to drive accountability.
  • Platform evolution: Expanding use of the Policies App for version control and attestations; sharing feedback to enhance the Risk App.
  • Cultural impact: Making security awareness visible beyond the core security team, so new hires and non-specialists understand expectations and processes.

James’s advice for others? Don’t be discouraged by the scale of ISO 27001:
