Free 30-min strategy call — no commitment, just answers. Book a Free Call
Compliance & Security

Owning ISO 27001, ISO 9001, and PCI DSS Compliance Through the 4.0 Transition

Served as the single point of contact for internal and external audits, carrying a CloudStack environment's PCI DSS certification from version 3.x through to version 4.0.

Engagement snapshot

Who this was for and what it involved

  • ClientThe founder's employer at the time, a cloud services provider operating a CloudStack environment
  • EnvironmentA CloudStack-based cloud environment requiring simultaneous ISO 27001, ISO 9001, and PCI DSS certification, with PCI DSS 4.0 introducing a major framework revision partway through the ownership period.
  • Engagement period2020 to 2024
3 Compliance frameworks owned at once: ISO 27001, ISO 9001, PCI DSS

Delivered by ThirtyZero's founder in senior technical and compliance roles prior to founding the company. Client names and identifying details are withheld under confidentiality.

ISO 27001 Lead AuditorCMMCPCI DSS leadership
The challenge

What we walked into

Maintaining one certification is a full-time discipline on its own. This role required owning three at the same time, ISO 27001, ISO 9001, and PCI DSS, for a CloudStack cloud environment, with a single person acting as the point of contact for every internal and external audit across all three.

Partway through, PCI DSS itself changed. Version 4.0 replaced the long-standing 3.x series with new and more detailed requirements, which meant the certification work was not just maintaining an existing standard but carrying the environment through a full framework revision without losing certification status along the way.

What we did

The approach

01

Own internal and external audits as the single point of contact

Acted as the sole point of contact managing both internal audits and external certifying-body audits across ISO 27001, ISO 9001, and PCI DSS for the CloudStack environment.

02

Maintain ISO 27001 and ISO 9001 certification

Kept the information security management system (ISO 27001) and quality management system (ISO 9001) certifications current through their respective audit and surveillance cycles.

03

Carry PCI DSS through the 3.x to 4.0 transition

Managed the environment's PCI DSS compliance through the release of version 4.0, updating controls and documentation to meet the new requirements rather than letting the certification lapse at the framework change.

Results

What came out of it

  • ISO 27001 and ISO 9001 certification maintained for a CloudStack cloud environment across multiple audit cycles.
  • PCI DSS compliance carried through the version 3.x to 4.0 transition without losing certification status.
  • One person served as the single point of contact for all internal and external audits across all three frameworks, formally part of the role's job description.
ISO 27001 (Information Security Management)ISO 9001 (Quality Management)PCI DSS 3.x and 4.0Apache CloudStack
Good to know

Frequently Asked Questions

What changed between PCI DSS 3.x and 4.0?

PCI DSS 4.0 introduced more detailed and, in places, stricter requirements than the 3.x series it replaced, including changes to authentication, monitoring, and how organizations are expected to demonstrate ongoing compliance rather than point-in-time compliance. Carrying an existing certification through that change means updating controls and evidence to match the new standard, not simply re-submitting the old documentation.

Why does owning three certifications at once matter?

ISO 27001, ISO 9001, and PCI DSS overlap in places but are not the same framework, and each has its own audit cycle, evidence requirements, and certifying bodies. Managing them as one integrated program, rather than three disconnected efforts, is what keeps the audit workload from tripling.

What does being the single point of contact for audits actually involve?

Being the person auditors, both internal and external, go to for evidence, walkthroughs, and remediation status across all three frameworks. It means the organization is not scrambling to find the right person when an audit starts, because one person already owns the full picture.

Can this kind of compliance ownership be brought in for an existing certification program?

Yes. This describes the kind of compliance program ownership ThirtyZero's founder has held formally, as part of a job description, at a previous employer. The employer's name is withheld under confidentiality; the scope is described here to show the kind of audit and certification management work we can take on.

Keep exploring

Related work and services

Running something similar today?

Tell us what you are working with and what is not working. We will give you a straight answer on scope, approach, and whether it is a fit.

Book a Free Call