
We achieved ISO 27001 certification. Here’s what it actually took.

A candid look at Forma's ISO 27001 certification process — what drove the decision, where the real work was, and what a zero-nonconformity audit actually means.

4 Min Read • 4/3/26

When Forma set out to pursue ISO 27001 certification, we knew it would be significant work. What we didn’t fully appreciate was how much it would force us to examine not just the policies we’d written, but the actual culture of how security decisions get made day-to-day. This post is an honest account of that process.

Why ISO 27001, and why now

Forma sits at an unusual intersection: we’re a fintech company that also touches health data. Every day, our platform processes claims, administers spending accounts, and moves money between employers, employees, and financial institutions — across 100+ countries. The breadth of sensitive information flowing through our infrastructure is significant, and we’ve always taken it seriously.

But “taking it seriously” and “having a systematic, independently verified way to prove it” are different things. As our enterprise customer base has grown, procurement teams have gotten sharper. They want to know you have a coherent information security management program, that you assess risk systematically, and that someone independent has verified it.

ISO 27001 wasn’t something customers were asking for by name — but it was the answer to what they were actually asking: “Can we trust you with our employees’ most sensitive data, at scale, indefinitely — and can you prove it to an audience that isn’t just in the US?”

We already held SOC 2 Type II, a self-attested PCI DSS SAQ A, a third-party HIPAA assessment, and GDPR compliance — a strong foundation, but each framework speaks to a specific audience and scope. ISO 27001 is the one standard that enterprise security teams globally recognize as a baseline. It evaluates not just whether controls exist, but whether you have a coherent, risk-driven management system governing all of them. Pursuing it completes the picture.

Six months to a clean audit

Coming in with SOC 2, PCI DSS, HIPAA, and GDPR already in place gave us a meaningful head start — access control evidence, incident management procedures, and risk documentation transferred directly into ISO Annex A controls. We weren’t starting from scratch; we were closing specific gaps and building the governance layer ISO uniquely requires.

That governance layer is what makes ISO 27001 different from every other framework we hold. SOC 2, PCI, HIPAA, and GDPR all ask: do you have the right controls, and are they working? ISO asks a harder question: do you have a functioning management system that governs how security decisions get made, reviewed, and improved over time? Formal management reviews, documented objectives, an internal audit program, a continual improvement cycle — that structure is where most of the incremental effort lived.

The other place we invested significant time was the Statement of Applicability — the document that declares which of the 93 Annex A controls apply to our ISMS, which are excluded, and why. Every inclusion and exclusion has to reflect genuine risk reasoning specific to Forma, not boilerplate. Getting this right allowed us to identify areas for improvement and to continue building on our strengths.

Our Stage 2 audit was conducted remotely by Sensiba LLP over nine days in January and February 2026. The result was a clean audit: zero nonconformities and zero Opportunities for Improvement. Sensiba’s report noted that the management system “demonstrates maturity and effectiveness across all assessed domains.” Our certificate was issued on March 6, 2026, valid through March 5, 2028.

ON BUILDING FROM AN EXISTING COMPLIANCE STACK

Having SOC 2 Type II, PCI DSS SAQ A, HIPAA, and GDPR in place before pursuing ISO 27001 made a genuine difference. Substantial portions of our existing compliance work mapped directly into ISO Annex A controls. We weren’t starting from scratch; we were closing specific gaps and layering in the ISMS governance structure ISO requires. The frameworks reinforce each other far more than they duplicate work.

What this means for Forma customers

With ISO 27001, customers aren’t trusting our self-assessment — they’re trusting the finding of an independent certification body that walked through our controls, reviewed our documentation, and spoke to our people. For customers with their own compliance obligations, you can now reference Forma’s ISO 27001 certification in your own vendor risk documentation. Our certificate, ISMS scope, and SoA are available on request through our Trust Center.

Certification is an on-ramp to a program, not the program itself. ISO 27001 operates on a three-year cycle — surveillance audits in years one and two, full recertification in year three. Our ISMS is a living system: risk assessments updated as our product evolves, controls reviewed as threats change, management reviews and internal audits on a regular cadence.

A clean Stage 2 result is something we’re proud of. Keeping it clean is the actual job.

The certificate is meaningful — not because it’s a badge, but because it represents independent verification of the program we’ve built. We worked hard to earn it, and we’ll work harder to keep it.

If you’re a current Forma customer with questions about our security practices, visit trust.joinforma.com or reach out to your account team. If you’re evaluating Forma for enterprise benefits administration, we’re happy to walk you through our security documentation in detail.