How Northwave Helped Volkswagen Pon Financial Services Streamline ISO 27001 Certification
Customer Case

Building Trust Through Pragmatic Security
Volkswagen Pon Financial Services (VWPFS) is one of the largest automotive leasing companies in the Netherlands. Clients trust them with sensitive financial data and want to feel confident their trust is well-placed. Despite mature security processes, VWPFS lacked an essential proof point of their information security efforts: ISO 27001 certification.
Realising they were missing a key competitive advantage as a supplier, VWPFS turned to Northwave. Together we embarked on a journey that enabled VWPFS to achieve ISO 27001 certification with a streamlined approach. For this, we developed a tailor-made implementation solution that built on their existing Governance, Risk, and Compliance (GRC) processes. Open collaboration and trust paved the way to a successful certification.
Challenge: Streamlined Full-Scope Certification
To fully align with client expectations, VWPFS decided to certify the entire organisation rather than limiting the scope. This provides clients with more transparency, as strong information security standards are applied across all leasing services.
But broadening the scope also increased complexity. Many different business operations needed to be addressed, and VWPFS wanted to avoid creating processes for the sake of ticking compliance boxes. Since the organisation already had high information security standards, the goal was clear: efficient, streamlined ISO 27001 implementation that didn’t unnecessarily complicate their existing data security practices.
The good news is that certifications such as ISO 27001 can absolutely be achieved in a lean way. Most often, organisations already have cyber security practices that, with small adaptations, will easily meet the requirements. It’s all about understanding the logic of the standard, which is something Northwave’s Business Consultancy team is well versed in.
Approach: Reuse and Supplement
Our team recommended a model that would extend the organisation’s existing GRC documentation where necessary and avoid reinventing processes. For six months, a Northwave Business Security consultant worked onsite two days a week at VWPFS’s Amersfoort office. This embedded approach helped us gather deep insights into the organisation’s inner workings and GRC processes. With proactive and transparent collaboration from VWPFS, our consultant was always connected with the right people, received clear answers, and was empowered to act quickly.
We trained the GRC team in ISO logic and requirements. Then, our teams worked together to identify opportunities to improve documentation already in place. We reused what already met, or even exceeded, the certification requirements and supplemented as needed. Northwave business consultants ensured smooth communication with auditors and prepared the organisation for every stage of certification.
What is ISO 27001 certification?
ISO/IEC 27001 is an internationally recognised standard for information security management systems (ISMS). It provides a framework for protecting sensitive data through:
- Risk management
- Access controls
- Security policies and procedures
- Continuous monitoring and improvement
The goal of the standard is to ensure the confidentiality, availability and integrity of information within your organisation.
Results: Certification and Confidence
- VWPFS achieved full-scope ISO 27001 certification in six months, outpacing the traditional FastTrack Solution.
- Only one new document was added to existing processes (the mandatory ISO 27001 Statement of Applicability). All other requirements were met by reusing and extending VWPFS’ current documents and processes.
- The certification directly supports client trust and provides a competitive advantage as a supplier when submitting requests for proposals (RFPs).
- VWPFS’s GRC team gained ISO expertise that will help them continue to raise operating standards and adapt to changes in data security regulations.
For both organisations, this project demonstrated that achieving new security standards doesn’t need to be an operational burden. With a pragmatic, tailor-made approach, ISO 27001 can be adapted to the organisation, not the other way around.
VWPFS is continuing to work with Northwave teams to further improve business resilience and help their workforce defend against cyber threats.
“Thank you so much for being part of this project, and for your patience and support especially when it came to navigating the external audit! Your help really made a difference in keeping things on track and making sure everything went smoothly with both the Certifying Body, the external auditor and our internal setup matching with the ISO27001 requirements.”
Local Information Security Officer, VWPFS

Collaboration Built on Trust
A highlight of this project was the spirit of the collaboration. The VWPFS team welcomed Northwave with openness and enthusiasm. Together we tackled complex certification requirements while also genuinely enjoying the process. We kept the momentum going by celebrating each new milestone and achievement along the way. Northwave even delivered champagne to toast when the certification was secured.
Today, VWPFS proudly displays their ISO 27001 certificate in their office: prominent proof that they are a trusted supplier. Beyond certification, this project shows how cyber security can be a strategic business enabler that delivers both compliance and customer confidence.
Learn how Northwave can help streamline your organisation's ISO 27001 certification. Talk to our experts today about our FastTrack and custom-made solutions.

At a Glance: Custom ISO 27001 Implementation
Client
Volkswagen Pon Financial Services (VWPFS), one of the largest automotive leasing companies in the Netherlands.
Challenge
- Needed ISO 27001 certification to prove their data security standards and score higher in RFPs
- Wanted full organisational scope (not just IT), without adding layers of bureaucracy
- Goal: lean, pragmatic certification built on existing GRC processes
Solution
- Tailor-made ISO 27001 approach based on a reuse and supplement model
- Embedded Northwave consultant worked onsite with the GRC team for six months
- Only one new document created; all others extended from existing structures
- GRC team trained in ISO logic and requirements
Results
- ISO 27001 certification achieved across the full organisation
- Certification strengthens competitive position and client confidence
- Lean, efficient project completed in just six months
- Positive collaboration built on trust, camaraderie, and celebration of success
- Continued investment in Northwave’s cyber resilience training for the workforce
