TL;DR: ISO 27001 in a Swiss FinTech, in 90 seconds
ISO/IEC 27001:2022 is the same standard everywhere, but Swiss financial services entities read it through six regulatory overlays: FINMA Circular 23/01 (operational risk and resilience), Circular 18/3 (outsourcing), the Information Security Act (ISG, with 24-hour cyberattack reporting since April 2025), the revised Federal Act on Data Protection (revFADP), DORA (for entities with EU exposure), and the EU AI Act (phased enforcement through 2027). A clean ISO audit is necessary but not sufficient. The ISMS that survives FINMA inspection is one designed with the regulatory overlay mapped from day one, not retrofitted at first inspection.
Switzerland's only PECB Titanium Partner: 99% PECB exam pass rate, 2,500+ professionals trained from 120+ countries
Source: PECB partner tier, verified.
Diagram showing ISO/IEC 27001:2022 ISMS at the top as the international standard, with the Swiss regulatory overlay below it (FINMA Circular 23/01, FINMA Circular 18/3, ISG, revFADP) and the EU spillover layer beneath that (DORA, EU AI Act). Each frame shows what it asks of the ISMS.
Why does ISO 27001 read differently in a Swiss FinTech?
A FinTech CTO walked me through her ISMS last quarter. Clean documentation, well-scoped, certified six months earlier by a reputable certification body. Then her bank partner sent over the annual outsourcing review under FINMA Circular 18/3. Three of the controls she had closed in her ISO 27001 audit came back with follow-up questions. Not because the ISMS was wrong. Because FINMA reads ISO conformance through a different lens than an ISO auditor does.
This is the FinTech ISMS paradox in Switzerland. ISO 27001 is the international anchor every regulator points to, but in a Swiss FinTech it never sits alone on the page. It gets read alongside FINMA's operational risk and outsourcing circulars, the federal Information Security Act (ISG), the revised Federal Act on Data Protection (revFADP), and, for any FinTech with EU exposure, DORA and the EU AI Act. Six concrete things change when those readings happen on top of your ISMS.
ISO 27001:2022 is the standard. Annex A controls, the ISMS clauses (4 through 10), the audit cycle, all the things a Lead Implementer learns to design and a Lead Auditor learns to evaluate. That layer doesn't change in Switzerland. Annex A reads the same in Zürich as in Singapore.
What changes is the layer that sits on top. For a Swiss FinTech, the regulatory overlay reads each ISO control through a specific operational lens, asks a specific question of it, and treats audit findings as inputs to a regulatory inspection rather than the end of the story.
FINMA Circular 23/01 (Operational risks and resilience, banks)
The Swiss Financial Market Supervisory Authority's primary circular on operational risk and resilience, in force since 1 January 2024. It sets supervisory expectations on ICT risk, cyber risk, business continuity, third-party arrangements, and critical data management for banks. FINMA does not legally require ISO 27001, but recognises it as one accepted way to demonstrate sound ICT-risk governance, and reads its expectations on top of whichever framework an institution chooses. Source: FINMA, Circular 2023/1, in force 1 January 2024.
The two-layer reading is the gap that generic Lead Implementer curricula don't address by default. Practitioner-led training closes it. The six changes below are where the gap shows up in practice.
What changes for ISMS scope when FINMA is in the room?
In a non-regulated environment, ISMS scope is an internal decision: what services, processes, and data you want certified. In a Swiss FinTech, scope becomes a procurement and supervisory question.
Pre-license, your bank or insurer partners' diligence teams effectively dictate scope: anything that touches their regulated services has to be in. Post-license, FINMA expects scope to cover all material services, and supervisors read scope statements with a sharp eye for carve-outs. The common failure mode is treating customer-facing payment rails or KYC pipelines as 'outsourced and therefore out of scope'. In FINMA supervisory practice and partner due-diligence reading, they are treated as in-scope: they are your service to a regulated counterparty, and the certification body's scope statement is the artifact a FINMA examiner, and your partner's outsourcing officer, will read first.
What works in practice: define scope as the service delivered, not the legal entity providing each component. A payment-orchestration FinTech selling to a regulated bank cannot define its ISMS scope as 'the orchestration layer' while excluding the merchant onboarding workflow that triggers KYC. The whole service surface is in scope, and the statement of applicability has to reflect that. Anything else fails the procurement-side reading before it fails the supervisory one.
How do Annex A controls read against Circular 23/01?
A clean ISO audit doesn't equal a clean FINMA inspection. The same control can pass one and fail the other.
ICT change management (Annex A.5.37) is read against Circular 23/01's expectations on change risk for critical functions. Business continuity (A.5.30) is read against the operational resilience pillar, not just 'do you have a plan' but 'what is your tolerance for disruption, by service, and how was that tolerance derived'. Cyber incident management (A.5.24) reads on top of FINMA's incident reporting expectations and the ISG cyberattack reporting obligation. Supplier security (A.5.19 to A.5.23) reads alongside Circular 18/3 on outsourcing.
The mistake is to document Annex A controls in isolation and discover the regulatory layer at first FINMA inspection. The discipline is to map each material control to both its ISO clause and its applicable Swiss circular, in the same control document.
This is one place where tooling earns its keep. Some Swiss FinTechs build the multi-framework view in-house on existing GRC platforms. Others use purpose-built tools such as Acuna GRC, which can model ISO 27001, FINMA expectations, FADP, DORA, and EU AI Act overlays as a single control library rather than five parallel documents. The choice of tooling matters less than the discipline of avoiding parallel control libraries; the discipline matters more than any specific tool.
For practitioners, the combination of Lead Implementer training and ISO 27005 Risk Manager training is materially stronger than either one alone in a regulated FinTech context, because risk-density is the dimension where FINMA's reading bites hardest.
What does Circular 18/3 ask of your supplier risk register?
The ISMS supplier risk register isn't a back-office artifact in a Swiss FinTech. It is the document FINMA examiners read to evaluate concentration risk, exit strategy, audit rights, and sub-outsourcing chains.
Circular 18/3 (Outsourcing, banks and insurers) sets four supervisory questions of every material outsourcing relationship: is the concentration risk understood and bounded; is there a credible exit strategy; are audit rights enforceable end-to-end; and is sub-outsourcing controlled. ISO 27001's supplier controls answer the security dimension. Circular 18/3 asks the resilience and governance dimensions on top.
The most common failure mode for FinTechs is cloud concentration. A single hyperscaler relationship with no documented exit strategy passes ISO 27001 supplier security if the security configuration is sound. It does not pass Circular 18/3.
For the FinTech that is the third party, selling to a bank, the same lens turns around: you will be audited under your customer's outsourcing framework, and your ISO 27001 certification is the entry ticket, not the conclusion. Audit-rights flow-down clauses, sub-outsourcing notification, and exit strategy support become contractual obligations that the ISMS has to operationalise, not just describe.
How does cyber incident reporting triple-stack in Swiss FinTech?
ISO 27001 expects an incident management process. Swiss FinTech regulation expects three of them, running in parallel.
The internal ISO process exists for the ISMS: detection, classification, response, lessons learned, and continual improvement. FINMA's expectations layer in: material incidents at regulated institutions and their material outsourcing partners are reportable on an operational risk basis, with timelines and content driven by FINMA guidance and supervisory dialogue. The ISG 24-hour reporting obligation, in force since April 2025, sets a hard clock for cyberattacks on critical infrastructures, and Swiss financial institutions are routinely classified as such. From October 2025, the federal sanctions framework under the ISG provides for financial penalties of up to CHF 100,000 against operators of critical infrastructure that fail to comply with the 24-hour cyberattack notification obligation. The figure is set in the law itself; enforcement modalities continue to be developed by NCSC and the Federal Council.
One incident, three reports, three different clocks
A single material cyber incident in a regulated Swiss FinTech can trigger three notifications with different content, different recipients, and different deadlines: the internal ISO 27001 incident management process, FINMA's incident reporting expectations, and the ISG 24-hour reporting obligation to NCSC. Build the ISMS incident process to feed all three by design, not by reaction. The first time you discover the gap is during the incident, which is the worst possible moment. While exact timing and content vary by institution, regulatory bucket, and incident severity, the practical result for any material incident in a regulated Swiss FinTech is three reporting streams that have to be managed concurrently.
What survives a real incident is one incident process that produces all three outputs from a single timeline, not three incident processes running on parallel tracks.
What does the revFADP do to ISO 27001 scope decisions?
The revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, does not require ISO 27701, but it does shape every scoping decision in the ISMS that touches personal data.
The common failure mode in FinTech is to scope the customer database as 'the bank's responsibility' when the FinTech is in fact the data processor under FADP. ISO 27001 won't catch that error; Annex A treats personal data as one category of information assets among many. FADP catches it. The downstream effect is that ISMS controls on retention, lawful basis, data subject rights, and cross-border transfer become FADP-relevant, and the supervisory authority (FDPIC) reads them through a different lens than your ISO auditor.
For Swiss FinTechs handling material personal data, which is most of them, ISO 27701 (the Privacy Information Management System extension) is increasingly the right complement. It sits on top of ISO 27001 and aligns the privacy programme with the same management system discipline. It is not legally required. It often becomes commercially required by partners who themselves face FADP and GDPR exposure.
How far does EU regulation reach into a Swiss FinTech ISMS?
A Swiss FinTech is a Swiss entity. Its regulatory exposure is rarely only Swiss.
DORA entered into application on 17 January 2025, with detailed technical standards (RTS and ITS) phasing in through 2025 to 2026. It applies directly to entities formally designated as critical ICT third-party service providers (CTPPs) to EU financial entities. Non-critical providers, which includes most Swiss FinTechs servicing EU counterparties, typically take on DORA-aligned obligations through contractual flow-down clauses imposed by their EU financial-entity customers under DORA's third-party risk management requirements.
GDPR catches Swiss FinTechs with EU customers, regardless of where the FinTech is incorporated. The EU AI Act phases in over 2025 to 2027: prohibited-practice provisions applied from 2 February 2025, general-purpose AI and governance obligations applied from 2 August 2025, and the bulk of obligations on high-risk AI systems take effect from 2 August 2026, with extended transitions for embedded high-risk systems running through 2027. Swiss FinTechs using AI for credit decisions, fraud detection, KYC, or biometric authentication are caught when their systems sit in the high-risk classification or when they place AI systems on the EU market.
A Swiss-only ISMS is a fiction for most FinTechs at scale. The discipline is to scope the ISMS once, identify the regulatory readings that apply, and document each one against the same controls, not to build separate management systems per regulator. Our French-language deep dive on DORA compliance for Swiss and European financial institutions covers the EU side in detail; this guide focuses on the Swiss reading.
What's the difference between FINMA-supervised, FinTech sandbox, and DLT Act entities?
Not every Swiss FinTech sits in the same regulatory bucket, and ISMS expectations track the bucket.
FINMA-supervised entities, banks under the Banking Act, insurers, FinTech-license holders under Article 1b of the Banking Act, securities firms, fund management companies, portfolio managers and trustees under FinIA, are directly supervised. The full FINMA toolkit applies: Circular 23/01 for banks and licensed FinTechs in the operational resilience scope, Circular 18/3 on outsourcing, supervisory dialogue, on-site inspections.
FinTech sandbox entities operate under the de minimis exemption (public deposits up to CHF 1 million) that allows certain activity below threshold without a full banking licence. The sandbox is not a formal FINMA-licensing category; it's a supervisory perimeter treatment. Sandbox entities are not directly supervised by FINMA in the way a licensed bank is, but they sit inside a perimeter that monitors the threshold, and partner banks routinely apply Circular 18/3 expectations contractually. The sandbox doesn't insulate the ISMS from supervisory-style reading; it just changes who is doing the reading.
DLT Act entities, DLT trading facilities licensed under the 2021 DLT Act, sit in a distinct supervisory category with FINMA oversight specific to distributed ledger market infrastructure. ISMS scope here has to absorb DLT-specific operational risks (smart contract change management, token custody, network resilience) that don't sit comfortably in standard Annex A control descriptions, and the certification body needs to be comfortable auditing them.
The mistake is to assume one ISMS template fits all three buckets. The discipline is to map your regulatory perimeter early, ideally before the ISMS scope is locked, and let the bucket drive scope and SoA decisions.
How does ISMS posture change pre-license vs post-license?
The ISMS plays two different roles depending on where the FinTech is in its regulatory journey.
Pre-license, the ISMS is a procurement asset. Bank partners conduct due diligence under their own outsourcing framework. SOC 2 Type II is often the entry ticket for US-anchored partners; ISO 27001 increasingly differentiates on European and international engagements. The ISMS at this stage exists to win and retain partner business.
Post-license, the ISMS becomes a regulatory artifact. FINMA inspects directly. ISG cyberattack reporting applies. Outsourcing supervision flows up the chain, not just down. The ISMS at this stage exists to satisfy a supervisor, in addition to satisfying partners.
The common mistake is to rebuild the ISMS at the licensing transition. The right approach is to build it pre-license with the post-license overlay already mapped, so the transition is documentation maturation rather than re-architecture.
ISMS posture: pre-license vs post-license Swiss FinTech
Dimension: Primary audience for the ISMS
Dimension: Scope driver
Dimension: Incident reporting
Dimension: Third-party risk reading
Dimension: Personal data scope
Dimension: Cost of a finding
Which Annex A controls get audited hardest in Swiss FinTech?
Across 100+ ISO 27001 implementations and 200+ audits, the controls that draw the deepest scrutiny in Swiss financial services aren't a surprise; but the reasons they draw it are sharper than the standard suggests.
A.5.19 to A.5.23 (Information security in supplier relationships). The full supplier control set is read against Circular 18/3. Audit rights, sub-outsourcing, and cloud concentration drive the questions. Documenting the supplier security review is necessary; the supervisor wants to see the resilience and exit-strategy dimensions answered too.
A.5.24 to A.5.28 (Information security incident management). The five incident controls together are inspected as a triple-output process: ISO process, FINMA notification, ISG 24-hour report. The single most frequent finding is that the playbook produces one of the three but not all three.
A.5.30 (ICT readiness for business continuity). Read against Circular 23/01's resilience pillar. The control passes ISO if a tested plan exists. It passes Circular 23/01 only if disruption tolerance is defined per critical service, scenarios are tested, and recovery objectives are derived from operational tolerance rather than the other way around.
A.5.34 (Privacy and protection of PII). Read against revFADP. Findings cluster around controllership scoping (who is the controller for which dataset) and cross-border transfer mechanisms after the FADP-GDPR adequacy decisions.
A.8.34 (Protection of information systems during audit and testing). Read against FINMA's expectations on supervisory access. The control needs to support both internal audit and supervisory inspection scenarios; the second is often missed in non-regulated implementations.
A working pattern across these controls: maintain the control documentation in a system that can express the multi-framework reading natively, whether that's an in-house GRC build or a purpose-built tool. The discipline that matters is the single-source-of-truth principle: one control, one record, multiple regulatory views. Five parallel documents fail audit eventually.
How do you choose a certification body as a Swiss FinTech?
Certification body selection for a Swiss FinTech is a more consequential decision than the standard provider-comparison exercise suggests, because the certification body's understanding of the Swiss regulatory overlay shapes how the ISMS is audited, scoped, and certified.
Three factors matter more than they do in non-regulated contexts.
Accreditation that Swiss financial counterparties recognise. SAS-accredited bodies and bodies with strong recognition in the Swiss financial sector remove a procurement-side question that other accreditations leave open. Bank partner due diligence teams have preferred lists.
Auditor familiarity with Swiss financial regulation. An ISO 27001 lead auditor who reads Annex A.5.30 in isolation is not the same as one who reads it through Circular 23/01's lens. The questions are different; the findings are different; the remediation guidance is different. Ask explicitly during certification body selection whether their lead auditors have audited FINMA-regulated entities before.
Scope expression alignment with regulatory readings. The certification body's standard scope statement template matters. A statement that reads cleanly to a FINMA examiner is not always the one a generic certification body would produce by default.
For FinTechs navigating this selection alongside the implementation itself, Abilene Advisors, the GRC consulting practice within the Abilene Group, engages across the full ISO 27001 implementation lifecycle in regulated Swiss financial services, including certification body engagement, scope drafting, and pre-audit readiness. It complements Abilene Academy's training side: the Lead Implementer course builds the practitioner capability; the advisory engagement carries the project.
Need help mapping your ISMS to the Swiss regulatory overlay?
Talk to our Lead Trainer about FinTech-specific implementation. Email request@abileneacademy.ch or browse upcoming Lead Implementer sessions at https://www.abileneacademy.ch/en/training/iso-27001-lead-implementer.
What are the 10 practical steps to ISO 27001 in a Swiss FinTech?
A pragmatic implementation sequence that holds up under both partner due diligence and FINMA reading. Timelines below assume a mid-stage FinTech with established engineering practices; earlier-stage FinTechs trim the duration but not the sequence.
1. Map the regulatory perimeter
Before scoping the ISMS, decide which regulatory bucket you're in: FINMA-licensed, FinTech sandbox, DLT Act entity, or unregulated with regulated partners. Identify which of FINMA Circular 23/01, Circular 18/3, ISG, revFADP, DORA, GDPR, and EU AI Act apply. The output is a one-page regulatory map that drives every subsequent decision.
2. Define ISMS scope as a service, not a legal entity
Scope by the customer-facing service surface, not by the company org chart. If you serve regulated counterparties, the surface they consume defines the floor of your scope. Carve-outs that look defensible in ISO terms can fail Circular 18/3 reading at the procurement step.
3. Conduct risk assessment with regulatory overlay
Run an ISO 27005-aligned risk assessment, but enrich the threat catalogue with FINMA-relevant scenarios (operational disruption of critical services, third-party concentration, incident notification timing) and FADP-relevant scenarios (controllership ambiguity, cross-border transfer disputes). Generic risk assessments miss these.
4. Build a multi-framework control library
Document Annex A controls once, with a regulatory-overlay column for each control showing the FINMA, FADP, DORA, and (where relevant) EU AI Act reading. Maintain it in a tool that can express this natively, either an existing GRC platform configured for the Swiss context, or a purpose-built one such as Acuna GRC. The single-source-of-truth discipline is what survives audit.
5. Operationalise the triple-stack incident process
Design the incident process to produce three outputs from one timeline: ISO incident record, FINMA notification (where applicable), and the ISG 24-hour report. Test the timing on tabletop exercises. The triple stack failing is the single most expensive ISMS finding in regulated Swiss FinTech.
6. Resolve the SOC 2 vs ISO 27001 question early
Decide whether the FinTech runs SOC 2 alone, ISO 27001 alone, or both, based on partner geography. US-anchored partner ecosystems often expect SOC 2 Type II. European partners and FINMA-regulated counterparties expect ISO 27001. Many regulated Swiss FinTechs maintain both, with the control set engineered so that one audit cycle evidences both.
7. Engage the certification body before management review
Discuss scope statement and audit approach with the chosen certification body before locking the ISMS for certification. Bring questions about Swiss financial regulation reading. The certification body that engages substantively is the right one; the one that doesn't is a future audit problem.
8. Run a pre-audit readiness review
A structured readiness review against both ISO 27001 conformance and the regulatory overlay catches the gap between 'ISO-compliant' and 'FINMA-defensible' before the certification audit. This is where external advisory engagement earns its fee; Abilene Advisors runs FinTech-specific readiness reviews as part of the implementation engagement.
9. Build the supplier register as a regulatory artifact
Treat the supplier register as a Circular 18/3 artifact, not just an Annex A.5.19 record. Document concentration, exit strategy, audit rights flow-down, and sub-outsourcing notification for each material relationship. The register has to answer FINMA's four supervisory questions on demand.
10. Plan for ongoing supervisory dialogue, not annual audits
Post-license, the ISMS exists in continuous supervisory dialogue. Build a quarterly review cadence that updates the regulatory overlay, refreshes the supplier register, tests the incident triple-stack, and aligns the SoA with any FINMA circular updates. The ISMS that survives is the one designed for continuity, not for the certificate refresh date.
What training and support does a Swiss FinTech ISMS need?
ISO 27001 Lead Implementer training prepares you to design and implement an ISMS to international standard. That is the foundation, and it is necessary. For a Swiss FinTech context, two specific elements deserve more weight than a generic curriculum gives them.
The first is risk management depth. FinTechs are risk-density-heavy by nature, with high-velocity transactions, third-party dependencies, and an evolving threat landscape. ISO 27005 Risk Manager training extends what Lead Implementer covers in risk assessment into a full risk management methodology. For practitioners working in regulated FinTechs, the combination of Lead Implementer plus ISO 27005 Risk Manager is materially stronger than either one alone.
The second is the Swiss regulatory overlay itself. A trainer with implementation experience in regulated Swiss financial services brings the FINMA, ISG, and FADP context into the methodology by default. The Lead Implementer materials describe how to build an ISMS. The classroom conversation determines whether you leave knowing how to build an ISMS that holds up under Swiss supervision.
Beyond training, FinTech ISMS work routinely needs hands-on implementation engagement: scope drafting against the regulatory overlay, certification body selection, multi-framework control mapping, pre-audit readiness, and ongoing supervisory-dialogue support. Abilene Advisors, the GRC consulting practice within the Abilene Group, engages across this full lifecycle in regulated Swiss financial services, complementing the Lead Implementer training delivered by Abilene Academy.
Why Abilene for Swiss FinTech ISO 27001
Abilene Academy is Switzerland's only PECB Titanium Partner, the highest tier globally, with a 99% PECB exam pass rate and 2,500+ professionals trained from 120+ countries. Lead Trainer Alexis Hirschhorn has led 100+ ISO 27001 implementations and 200+ audits across regulated Swiss financial services, AI governance, defence, and international organisations, and lectures at the University of Geneva. Training is delivered in physical classroom, online classroom, eLearning, and self-study formats, in English, French, and Spanish; other languages on request. To discuss your FinTech-specific implementation, email request@abileneacademy.ch or call +41 21 802 35 54.
Sources & References
FINMA Circular 2023/1, Operational risks and resilience, banks · finma.ch (official)
FINMA Circular 2018/3, Outsourcing, banks and insurers · finma.ch (official)
Federal Information Security Act (ISG), cyberattack reporting obligation · fedlex.admin.ch (official)
Revised Federal Act on Data Protection (revFADP), in force 1 September 2023 · edoeb.admin.ch / FDPIC (official)
Federal Act on the Adaptation of Federal Law to Developments in Distributed Ledger Technology (DLT Act) · fedlex.admin.ch (official)
Regulation (EU) 2022/2554, Digital Operational Resilience Act (DORA) · eur-lex.europa.eu (official)
Regulation (EU) 2024/1689, EU Artificial Intelligence Act · eur-lex.europa.eu (official)
ISO/IEC 27001:2022, Information security management systems, Requirements · iso.org (official)
