Notes from the suite.
Compliance mechanics, platform operations, and what regulated teams actually ask us.
- A chain of custody for file transfers that survives an audit Email and consumer file shares do not produce evidence. A custody record for a transferred file needs identity, timing, location, content fingerprint, and a signed receipt — plus retention that does not depend on someone remembering.
- The four ways certificate renewal breaks (and which ones monitoring catches) A certificate breaks on a Tuesday afternoon. The reason is almost always one of four things: a delegation that expired, an ACME rate limit, drift between issuance and the system serving traffic, or a cert nobody on the team knows exists.
- Finding CIDR conflicts before the peering ships A VNet peering ships on Friday. On Saturday, traffic from a branch office is black-holing into a range another tenant in the same subscription has been using for two years. The reason is a CIDR overlap that nobody caught, because the address space lived in three spreadsheets and one engineer’s head.
- Joiner-mover-leaver when nobody owns IT A 60-person company does not have an IT desk. It has an office manager, a controller, and a founder who resets passwords on a Sunday afternoon. The leaver who keeps a license and a laptop is the failure mode JML is supposed to prevent.
- Maintaining DORA registers of information under Article 28 Financial entities must maintain an up-to-date register of ICT third-party contracts at entity and consolidated levels and supply it to supervisors on request.
- Conditional Access policies in multi-tenant regulated SaaS environments Microsoft Entra Conditional Access evaluates signals at sign-in time to enforce per-tenant policies while preserving isolation between customer organisations.
- Using cloud cost data for DORA concentration risk assessments DORA requires financial entities to assess concentration risk from ICT third-party providers; structured cloud spend data forms one input to that assessment.
- Operating an ISMS under ISO 27001:2022 after the 2025 transition With the October 2025 deadline passed, certified organisations must demonstrate the 93 Annex A controls across four themes rather than the prior 14 domains.
- Turning NIS2 Article 21 into one audit export NIS2 Article 21 lists ten risk-management measures. Here is how we map each one to a control you can already show an auditor, and export as a single pack.
- EU data residency without splitting your operating record Keeping data in the EU usually means standing up a second stack and reconciling two sets of records. It does not have to. Here is how region choice and one audit trail coexist.
- One Customer Environment for identity, billing, and audit Most suites are a logo on a login page over separate products. We tied identity, billing, and the audit trail to one record per customer. Here is why, and what it costs.
- The compliance posture that lived in a binder instead of being exportable on demand Across ISO 27001, DORA, NIS2 and GDPR, the GRC lead has built a binder of policies and a backlog of evidence requests. When the regulator asks for proof of one control, it takes two weeks to assemble what should be one export.
- The data processing agreement signed at onboarding and never revisited The DPO has a signed DPA for every vendor and assurance from none. Subprocessors changed, sub-locations moved, and the Article 28 obligations drifted, but the agreement sits in a drawer as if signing it was the control.
- The SaaS outage that took down a business process nobody had mapped to a tool A mid-tier SaaS tool goes dark and a regulated workflow halts. The COO discovers there was no business-impact mapping, no RTO, and no fallback, because the tool was bought as a convenience and became load-bearing without anyone noticing.
- The exit plan the contract required and nobody ever wrote DORA Article 28 expects documented exit strategies for critical ICT providers. The vendor-management lead has the clause in every contract and the plan in none, until a price hike forces a migration they cannot execute.
- The penetration test that only covered the flagship app, not the eight around it The annual pen test scopes the main product because that is what the budget bought. The regulated customer's security team asks for estate-wide assurance, and the IT director has coverage for one tool out of nine.
- The board report that had a revenue number but no operational resilience number DORA put digital operational resilience on the board agenda, but the CTO walks in with uptime stats per tool and no estate-level view of concentration, recovery, or exposure. The board cannot govern a risk nobody can summarize.
- The MFA everyone assumed was on everywhere, except the three apps with local logins Conditional access enforces MFA at the IdP, so leadership reports '100% MFA coverage.' Three legacy SaaS tools authenticate locally and bypass it entirely. The gap surfaces in a credential-stuffing incident, not the dashboard.
- The DPIA that skipped the four tools sitting behind the one it assessed A data protection impact assessment scopes the headline application and misses the analytics, support, backup, and notification subprocessors feeding off it. The DPO signs off on a processing map that is missing half the data flows.
- The audit trail your SaaS vendor could quietly edit Forensic readiness assumes your logs are tamper-evident. When each tool keeps its own mutable activity log with a 90-day retention, the 'append-only' audit trail you promised the regulator is neither append-only nor complete.
- The internal mover who accumulated every role they ever held Joiner-mover-leaver everyone budgets for the joiner and the leaver. The mover is the one who quietly amasses entitlements across five departments over four years, until a privilege-creep finding turns into a segregation-of-duties failure.
- The 24-hour incident clock that started before anyone in the org noticed DORA and NIS2 both impose tight initial-notification windows. When a SaaS subprocessor is breached, the regulated entity's reporting clock runs from detection, and a fragmented estate detects late, reports late, and explains it badly.
- The NIS2 obligations the IT director assumed did not apply to them NIS2 widened essential and important entity scope and pushed accountability onto management bodies. The IT director who assumed 'we're too small' discovers the supply-chain and reporting duties land anyway, with personal liability attached.
- The renewal that auto-charged for 200 licenses, half of them assigned to leavers The annual SaaS renewal lands at last year's seat count. The finance director approves it because reconciling actual usage across a dozen tools is harder than just paying. License leakage is a budget line nobody owns.
- The enterprise deal lost on a security questionnaire you could not answer in time A regulated buyer sends a 300-line vendor assessment with a two-week deadline. The COO can answer for the flagship product but not for the eight tools behind it, and the deal slips to a competitor who could.
- The ISO 27001 evidence pack assembled by hand the night before the surveillance audit Ten exports, three spreadsheets, and a folder of screenshots stitched together at midnight. The 2025 transition raised the bar on evidence quality, and a binder of stale screenshots no longer passes a competent auditor.
- The EU data residency claim your subprocessor quietly broke Sales told the regulated prospect 'all data stays in the EU.' One SaaS tool's support tier routes through a US team, and the DPO finds out during the due-diligence questionnaire that loses the deal.
- The fourth-party concentration risk nobody mapped until the subprocessor went down Five of your critical SaaS vendors run on the same cloud region and the same auth provider. DORA Article 30 now expects you to know that before the outage, not during it.
- The shadow SaaS estate that finance found on the corporate card, not in the CMDB The finance director reconciles the card statement and finds 40 SaaS subscriptions IT never approved, half of them processing customer data. Shadow IT is a procurement control failure before it is a security one.
- The access review that took six weeks of spreadsheet exports and still failed the audit When identity lives in twelve apps, the annual access certification is a hand-merged spreadsheet that is stale before it is signed. ISO 27001 control 5.18 and SOC 2 CC6 expect a review you can reproduce, not reconstruct.
- The leaver who still has access to three SaaS apps, 90 days after their last day 31% of former employees keep access to at least one company app, and the CISO only finds out when one of them logs in. Deprovisioning that stops at the HR system and the IdP is not deprovisioning.