
Raising the bar on trust: How Fluid Attacks completed an integrated audit cycle across SOC, ISO, PCI DSS, and GDPR

Felipe Ruiz

Content writer and editor


A few weeks ago, Fluid Attacks completed one of the most ambitious assurance efforts in its history: an integrated audit cycle covering the assets, procedures, technologies, and personnel involved in the secure provision of its Continuous Hacking solution, including personal data processing activities performed as both Data Controller and Data Processor. Within the defined scope, the company achieved ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certification, controls aligned with ISO/IEC 27017:2015 and ISO/IEC 27018:2019, a SOC 2 Type II attestation and SOC 3 report, PCI DSS v4.0.1 validation, and measures designed to support GDPR compliance. (The CREST Pen Test remains an important trust signal, but it was an achievement separate from this milestone.)

This integrated certification project, led by Diego Gómez, Compliance Analyst at Fluid Attacks, was not a marketing exercise but an operational and governance effort focused on the systems, people, and processes that support a core customer-facing solution. It was unprecedented not only for the company but also for the vendors involved: none of them had previously carried out an audit project of this nature and complexity for a single client. Moreover, it demanded technical precision, strong internal coordination, disciplined evidence management, and active participation from process owners across Fluid Attacks.

More than a milestone

For Rafael Álvarez, Executive Advisor and Co-founder of Fluid Attacks, this achievement is a source of pride for several reasons: the timing, the supporting technology, the internal improvements it required, and the standard it sets for the future. Just as important, he sees this result as the beginning of a new stage rather than the end of a project. The real challenge now is to sustain the management system, help it evolve, and keep raising the rigor of the company's operations. That longer view is already shaping internal conversations about possible future frameworks such as ISO 22301 and ISO/IEC 42001.

That is the real significance of assurance work when it is done well. Trust frameworks should not function as decorative labels. They should force better decisions: sharper scope definition, clearer control ownership, stronger evidence practices, better documentation, and more resilient operating habits that reflect self-regulation, maturity, and institutional discipline. In this cycle, that is exactly what happened.

What Fluid Attacks achieved, precisely

When communicating about compliance and assurance, precision matters: ISO 27001 and 27701 are certifications; ISO 27017 and 27018 are best described publicly as controls aligned with those standards; SOC 2 is an attestation; GDPR is a matter of compliance with legal requirements; and PCI DSS is a validation.

Within that framework, Fluid Attacks achieved ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certification for its information security and privacy management system. The certificate was issued by Kompleye Attestation LLC, which audited the system and confirmed that it met the requirements of the relevant standards. This certificate, like the one for ISO/IEC 27017:2015 and ISO/IEC 27018:2019, records an original registration date of February 25, 2026, with an expiration date of February 24, 2029. Conformity with these ISO standards demonstrates Fluid Attacks’ alignment with standard cloud security configurations and with the protection of personally identifiable information (PII) in cloud services.

Fluid Attacks also obtained a SOC 2 Type II attestation and a SOC 3 report, both with Kompleye as the independent service auditor. The SOC 2 report evaluates the design suitability and operational effectiveness of security-related controls for Fluid Attacks’ application security (AppSec) solutions. The SOC 3 report covers the same period and offers a public-facing assurance statement on the effectiveness of those controls without disclosing the sensitive details contained in the SOC 2 report.

For payments, Fluid Attacks achieved PCI DSS v4.0.1 validation through an Attestation of Compliance tied to Self-Assessment Questionnaire A-EP, with Internet Security Auditors (IsecAuditors) acting as the qualified security assessor. The result recorded an overall COMPLIANT rating. The payment model described in the documentation is intentionally narrow: cardholder data is captured by PCI-compliant third-party payment providers, and Fluid Attacks’ systems do not themselves store, process, or transmit raw account data.

In parallel, the company documented and strengthened privacy controls and governance structures that support GDPR compliance, including a Privacy Information Management System, a Record of Processing Activities, data subject rights procedures, a designated Data Protection Officer, breach-notification commitments, subprocessor governance, and privacy-by-design practices.

Why this mix of frameworks matters

Each of these frameworks addresses a different dimension of trust, but in practice, they reinforce one another to form a more coherent assurance model:

ISO/IEC 27001 establishes the management system for information security. It requires an organization to identify risks, define controls, assign responsibilities, and operate a structured continuous-improvement program. ISO/IEC 27701 extends that logic into privacy, adding requirements relevant to how organizations process personal data as controllers and processors. ISO/IEC 27017 and 27018 add cloud- and privacy-specific control guidance.

SOC 2 Type II provides third-party assurance that controls are not only well designed but also operating effectively over time — a time-bound operational validation that is especially valuable for customers who want evidence that security commitments are reflected in day-to-day practice. SOC 3 complements it by providing a high-level assurance statement for broader public audiences.

PCI DSS focuses specifically on protecting payment card data and the systems and processes that support payment transactions. GDPR, meanwhile, is not a certification framework at all, but a legal regulation that governs how organizations handle personal data and protect individuals' rights. Together, these frameworks form a layered model of trust: governance, operational assurance, privacy accountability, payment security, and legal compliance working in combination rather than isolation.

That complementarity was also a key enabler of the integrated audit itself. As Diego notes, the auditors used a strategic approach to map and reuse evidence across overlapping requirements in ISO 27001, SOC 2, GDPR, and related frameworks, reducing redundant testing, lowering administrative burden, and saving time without weakening rigor.

The providers behind the achievement

Trust in assurance depends not only on what a company says it achieved, but also on who evaluated it and under what accreditation model. Fluid Attacks completed this work with the support of three key providers: Vanta, Kompleye, and IsecAuditors. Each played a different role in the assurance chain.

Vanta served as the compliance automation platform behind the effort. It was not the auditor, but it was essential to making the project manageable. Notably, Vanta adopted one of Fluid Attacks’ recommendations for handling audits spanning multiple frameworks — a detail that underscores just how unusual this project was. As Diego points out, Vanta streamlined the work by integrating with tools that monitor security controls, ensure documents stay up to date, and provide auditors with access to evidence. In practice, that meant centralizing evidence collection, reducing manual work, and helping the team reuse control information across multiple frameworks.

Kompleye fulfilled two distinct roles. For SOC, it acted as the independent service auditor, evaluating controls against the AICPA Trust Services Criteria and issuing the formal attestation reports. For ISO, Kompleye Attestation LLC acted as the certification body, auditing the management system and issuing the certificates. That distinction matters because “attestation” and “certification” are not interchangeable terms. Kompleye’s ISO activity is backed by ANAB accreditation, which means the certification body itself is subject to external oversight. That additional layer of verification strengthens the credibility of the certificates issued under its authority.

IsecAuditors led the PCI DSS portion of the project as the qualified security assessor. That role exists within the PCI Security Standards Council ecosystem specifically to ensure that PCI validations are carried out by independent firms with the competence and authorization to assess whether the payment environment and controls meet the requirements for the applicable SAQ and to issue a formal validation of compliance. In this engagement, Isec handled the PCI side while Kompleye handled SOC and ISO, allowing Fluid Attacks to pursue an integrated assurance structure rather than a fragmented one.

How the project unfolded

The effort was ambitious from the start. According to Diego, the vendor selection phase involved evaluating pricing and experience among the three providers. Although Fluid Attacks had already been using Vanta for a couple of years, the team still compared it against competitors before renewing. The directive was clear: find a provider arrangement capable of supporting an integrated audit cycle, not just a series of disconnected assessments. That structure emerged through Isec and its partner Kompleye, with Vanta supporting day-to-day compliance operations.

Another early challenge was defining the certification scope. The initial ISO scope covered the whole company and all of its processes, which was too broad and not strategic for a first certification. That had to be narrowed into something rigorous but manageable. The final scope focused on the secure provision of Continuous Hacking (Essential and Advanced plans), including the related processing of personal data — a choice that improved focus and feasibility without diluting the certification's value.

Regarding PCI, determining whether the appropriate self-assessment path was SAQ A or SAQ A-EP required technical and contractual analysis and caused delays. This was not a trivial distinction. The questionnaire had to reflect the actual architecture, the flow of payment information, and the distribution of responsibilities between Fluid Attacks and third-party payment providers.

Once execution began, internal collaboration became one of the strongest drivers of success. The collaborators involved in the audit interviews helped keep the process flowing. At the same time, the internal audit phase exposed a common weakness in certification programs that is often underestimated: documentation gaps. Insufficient evidence and incomplete documentation created obstacles during the audits and required corrective work while the project was still underway.

Not every framework demanded the same kind of effort. The SOC recertification process was relatively smooth because much of the evidence and many of the underlying practices already existed from the previous cycle. The ISO certification, by contrast, required more substantial improvements in documentation, policy formalization, privacy management, incident response, and change management. That contrast is one of the clearest illustrations of how a single integrated project can simultaneously address both the recertification of established systems and the development of first-cycle ones.

What improved inside Fluid Attacks

One of the strongest outcomes of this project is that it changed internal practices, not just external status. The team became more disciplined in how it collected, preserved, and mapped evidence. Scope-setting became more strategic. And the company improved its ability to reuse validated evidence across multiple standards, rather than handling each framework in isolation.

The audit cycle also reinforced an important organizational reality: meaningful compliance cannot be fully outsourced. Tools, auditors, and accreditation matter, but none of them can replace internal ownership. Leaders and team members still have to actively participate in interviews, provide evidence, answer hard questions, and take responsibility for the controls in their areas. Diego makes this especially clear: integrated certification efforts of this magnitude require the organization itself to take an active coordinating role rather than leaving the process structure entirely to vendors.

That internal ownership is part of what makes this milestone meaningful. It demonstrates not only that Fluid Attacks passed external evaluations, but that it strengthened the habits and systems needed to sustain assurance over time.

Lessons learned

Several lessons from this effort stand out and are worth keeping visible for future cycles:

  • Define the scope strategically before the audit begins. An overly broad scope increases costs, intensifies timeline pressure, and increases the risk of non-compliance.

  • Perform internal audits with the same rigor as external ones. A weak internal report undermines both program readiness and credibility.

  • Treat experience with GRC (governance, risk management, and compliance) automation platforms as an explicit vendor-selection criterion. In multi-framework projects, the supporting technology shapes how efficiently evidence can be collected, mapped, and reviewed.

  • Identify and remediate documentation gaps early. They are among the most frequent and controllable risks in ISO certification efforts.

  • Secure active participation from the leaders and individuals responsible for scoped processes, especially during interviews and evidence collection.

The harder part starts now

Achieving these certifications, attestations, validations, and alignments is a significant milestone for Fluid Attacks as an AppSec company. But the crucial objective moving forward is to maintain them — sustaining the management system, preserving evidence quality, continuing to refine policies and controls, and upholding the commitment to security with the level of rigor that made this milestone possible.

Trust is not built by publishing a list of frameworks. It is built by doing the work required to earn them, by choosing independent and accredited evaluators, by improving internal discipline, and by maintaining that standard once the audit cycle ends. Fluid Attacks has now raised the bar. The next challenge is to maintain it and potentially adopt future frameworks, such as ISO 22301 and ISO/IEC 42001, to further strengthen the way the company operates. If you're interested in checking out our certification and accreditation reports, we invite you to visit our Trust Center.


Tags: company, compliance, cybersecurity


© 2026 Fluid Attacks. We hack your software.