ISO 27001 & vCISO in the UAE: OGold's 6-Month Case Study

How OGold Reached ISO 27001 in Under Six Months: A UAE vCISO Case Study

When OGold announced its ISO 27001:2022 certification, the company marked the milestone with a ceremony at which Founder Bandar Alothman and COO Aly Abdo received the certificate from the BSI Group team. For a Shariah-compliant gold and silver Super App holding the savings of more than a million users, an information security certificate is not a badge for the wall. It is a statement about whether customer money and customer data are protected.

The part of the announcement that matters most for any UAE founder reading this is the timeline. OGold went from the start of the programme to a certified Information Security Management System (ISMS) in under six months, and it did so with a virtual CISO leading the work rather than a full-time hire. We were proud to provide that vCISO for OGold, and this is the account of how an ISO 27001 certification in the UAE gets done at that pace.

OGold ISO 27001:2022 certificate of registration from BSI Group, presented at the certification ceremony alongside Dynova's vCISO

Why ISO 27001 landed on OGold's desk

OGold is an Emirati company that has built the UAE's premier Shariah-compliant, gold and silver-backed Super App, letting users own fractional precious metals for as little as one dirham. Since launch it has passed a million users and tens of millions of dollars in transaction volume, signed partnerships with names like botim, Emirates Gold, Mawarid Finance, and Monetary Metals, and taken strategic investment from Silicon Valley's Plug and Play Ventures. That is a company moving fast and handling real value.

Growth of that kind pushes security to the front of the queue, and the push usually comes from outside rather than from internal appetite. Institutional investors run due diligence and want to know who owns security. Banking and refinery partners run third-party risk reviews before they integrate. Users entrusting their gold to an app expect their assets and their personal data to be protected to a recognised standard. ISO 27001 is the certification the market understands as the answer to all three questions at once. For a fintech scaling across the region, it stops being optional and becomes the price of entry to the next set of deals.

The challenge is that ISO 27001 is not a document you buy. It is a management system you have to build, operate, and prove, with a risk assessment, a Statement of Applicability, a working set of controls, internal audits, and a leadership team that can stand behind it in front of an external auditor. Doing that well, while the engineering team keeps shipping product, is the real problem. It is also exactly the problem a vCISO exists to solve.

Why a vCISO, not a full-time hire

OGold did not need to hire a permanent Chief Information Security Officer to get certified. At its stage, the strategic security work is genuinely part-time between milestones and intense around them, which is the precise shape a virtual CISO engagement is built for. A full-time CISO in the UAE costs the better part of a million dirhams a year all-in, takes months to recruit, and still leaves you needing other people to do the hands-on implementation. We walk through that maths in detail in our comparison of a vCISO versus a full-time CISO.

A vCISO model gave OGold three things a single hire could not have delivered inside six months: senior security leadership that had taken companies through ISO 27001 before and knew where the time goes; an execution team to actually build the controls and write the evidence; and a structure where the certification owner was accountable end to end, including in the audit room. The role was not advice handed over for someone else to act on. It was ownership of the programme through to the certificate.

It is worth being clear that a certification platform alone would not have got OGold here either. A GRC dashboard tells you which controls are passing today; it does not design your ISMS scope, run your risk treatment, or defend your programme to an auditor. We explain that gap in why security tools won't replace a real vCISO. The platform is the rails. The vCISO is the one driving.

The first weeks: scope, gap, and a real risk assessment

The fastest way to overrun an ISO 27001 timeline is to scope the ISMS badly, so the engagement started there. We defined the boundary of the management system around the platform, the data, and the teams that genuinely matter to customer trust, rather than letting the scope sprawl into every corner of the business. A tight, defensible scope is one of the biggest levers on how long certification takes.

In parallel we ran a gap assessment against the ISO 27001:2022 standard and its Annex A controls, and a risk assessment grounded in how OGold actually operates as a gold and silver platform, not a generic template. That produced a prioritised picture of what already held up, what needed building, and what carried the most risk to assets and data. From there the Statement of Applicability and the risk treatment plan followed. The Statement of Applicability has to list every Annex A control with a justification for including or excluding it, and the auditor will hold you to both documents, so the risk assessment that feeds them has to be defensible rather than decorative.

This early phase is where regional context earns its keep. A vCISO who works in the UAE knows how ISO 27001 sits alongside the local landscape, from the UAE Information Assurance Regulation to CBUAE expectations and the UAE PDPL for personal data, and designs the ISMS so one programme satisfies the international standard and the regional requirements together rather than as separate projects.

Building the ISMS: controls, policies, and the cloud

With the scope and risks settled, the work moved into building. The ISO 27001:2022 control set groups its 93 Annex A controls into organisational, people, physical, and technological themes, and the job is to make each applicable control operate rather than merely exist on paper. That meant a policy suite written against OGold's actual environment, access controls and logging implemented properly, a security review of the cloud infrastructure the platform runs on, supplier and third-party risk brought under management, and an incident response capability that would function if it were ever needed.

This is where the execution layer behind the vCISO did the heavy lifting. Our Security On Demand team carried the hands-on implementation and evidence collection alongside OGold's own engineers, so the controls were built and operating well before the audit rather than assembled in a panic the week before. Distributing the work across the right specialists, rather than loading it all onto one person, is the single biggest reason a programme like this can compress into months instead of a year.

A point we made repeatedly through the engagement: the goal was a security programme that genuinely protects customers, with the certificate as the proof, not a paper exercise aimed only at passing an audit. OGold's leadership backed that approach, which is ultimately why it worked.

The audit: Stage 1, Stage 2, and the certificate

ISO 27001 certification runs in two stages. Stage 1 is the auditor's review of the management system documentation and readiness. Stage 2 is the full certification audit, where the auditor tests whether the controls are genuinely operating and the ISMS is being run, not just written down. The vCISO's job through both is to prepare the organisation, assemble the evidence, and sit in the room to present and defend the programme. The certificate is not the end of the cycle either: it is valid for three years, subject to annual surveillance audits and a recertification audit at the end of the period, so the ISMS has to keep operating after the ceremony.

The choice of auditor matters as much as the certificate itself, and OGold engaged BSI Group, one of the most widely recognised accredited certification bodies in the world. BSI published BS 7799, the British standard from which ISO 27001 ultimately descends, which gives a BSI-issued certificate a pedigree few other bodies can match. The certificate was handed over by the BSI team to Bandar Alothman and Aly Abdo at the ceremony marking the milestone. Certification is only ever as strong as the auditor behind it, and a certificate from an accredited body of BSI's standing is a meaningful step above a self-declaration or a mark from a less recognised registrar. It is precisely this that makes the result carry weight with the investors, banking partners, and refineries that run third-party due diligence on OGold: they recognise the auditor, and they trust what its certificate represents.

Dynova's founder at the BSI Group handover of OGold's ISO 27001:2022 certificate, representing the Dynova vCISO team that led the certification programme.

Why under six months was achievable

Six months is fast for ISO 27001, and it is fair to ask how. It comes down to a few things working together rather than any single trick.

Leadership commitment was real, which removed the delays that usually come from chasing sign-off. The scope was defined tightly and defensibly from the start. The vCISO had run certifications before and knew the sequence that wastes the least time. An execution team built and evidenced the controls in parallel with discovery instead of in series. And the regional knowledge meant the ISO work and the UAE regulatory layer were designed together rather than reworked twice. None of that is exotic. It is what an execution-led vCISO engagement is supposed to deliver, applied to a leadership team that wanted the outcome.

What it is not is a shortcut around the actual work. The controls were built and operating, the risk assessment was real, and the audit was independent. The speed came from running the right programme efficiently, not from doing less of it.

What this means if you are a UAE company eyeing ISO 27001

If an investor, a partner, or a regulator has put ISO 27001 on your roadmap and you do not have senior security leadership in-house, OGold's path is the relevant one. You do not need to hire a full-time CISO and wait a year. A vCISO with an execution team behind them can scope the ISMS, run the risk assessment, build and evidence the controls, and take you through a BSI-grade audit on a timeline measured in months, at a fraction of the cost and lead time of a permanent hire.

The version of this that works is execution-led and regionally fluent: a virtual CISO who knows how ISO 27001 interacts with the UAE IAR, CBUAE, VARA, and the PDPL, who is backed by a team that does the hands-on build, and who stays accountable through the certificate and beyond. That combination is what turned an ISO 27001 ambition into a certificate for OGold in under six months.

Frequently asked questions

How long does ISO 27001 certification take in the UAE? It varies with scope and starting maturity, and many organisations take nine to twelve months or more. With committed leadership, a tightly scoped ISMS, and a vCISO and execution team running the programme in parallel rather than in series, it can be compressed considerably. OGold reached ISO 27001:2022 certification in under six months on that model.

Can a vCISO run an ISO 27001 certification? Yes, and for a company without senior security leadership in-house it is often the most effective route. A vCISO scopes the management system, owns the risk assessment and Statement of Applicability, directs the control implementation, prepares the evidence, and represents the programme in the Stage 1 and Stage 2 audits. The difference between a vCISO and a consultant here is accountability: the vCISO carries the certification through, rather than handing over advice.

How much does ISO 27001 cost with a vCISO in the UAE? The main components are the vCISO engagement, the execution work to build and evidence controls, any tooling such as a GRC platform, and the certification body's audit fees, which are separate and paid to the auditor. A vCISO-led programme typically lands well below the all-in cost of hiring a full-time CISO to do the same work. Our own plans run from USD 1,900 a month at the Seed level to USD 7,200 at the Scale level, with the audit fee paid directly to the certification body on top.

Do I need ISO 27001 if I already meet UAE regulatory requirements? They serve different purposes and often complement each other. Regulatory frameworks such as the UAE IAR, CBUAE requirements, or VARA rules are mandatory for the sectors they cover, while ISO 27001 is a voluntary international certification that partners and investors recognise globally. A well-designed ISMS can satisfy much of the regulatory requirement and the ISO standard at the same time, which is exactly how a regionally experienced vCISO scopes the work.

SOC 2 vs ISO 27001 in the UAE: which one do you need? It usually comes down to who is asking and where they sit. ISO 27001 is an international standard with a formal certificate issued by an accredited certification body such as BSI, and it is the mark most widely recognised by partners, investors, and regulators across the UAE, the wider Middle East, Europe, and Asia. SOC 2 is an attestation report issued by a licensed CPA firm under the American AICPA framework, and it tends to be expected by US-based customers and enterprise buyers. For a company scaling in the UAE and the region, ISO 27001 is normally the first and more recognised certification to pursue, which is the route OGold took; SOC 2 is worth adding when US enterprise sales make it a deal requirement. The practical good news is that the two overlap heavily, so an ISMS built for ISO 27001 covers most of what a SOC 2 needs, and a vCISO can scope the programme so the second framework is an extension of the first rather than a separate project.

Closing

OGold's ISO 27001:2022 certification is what an execution-led vCISO engagement looks like when leadership genuinely wants the outcome: a real management system, an independent BSI audit, and a certificate that means something to the investors and partners who asked for it, delivered in under six months. The credit for the milestone belongs to OGold's team and its leadership. Our part was to provide the vCISO and the execution capacity to make the timeline real.

If ISO 27001 is on your roadmap and you want senior security leadership that builds the programme rather than just describing it, get in touch.

Dynova provides virtual CISO, fractional CISO, DPO, and 24/7 SOC services to growing companies across the UAE, Bahrain, and the wider Middle East, with a Security On Demand team behind every engagement so the vCISO executes rather than just advises.

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: denis@business-ciso.com

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, Regulated by License 2644102.01, Issued by Meydan Free Zone, Dubai, UAE