What is ISO 27001? Having recently attained the certification themselves, Amy North, Head of Client Accounts at We Complement, shares how it’s changed the way the firm look at data for the good.
If you’d asked me a year ago what ISO 27001 meant, I’d probably have said something vague about data security and audits, and quietly hoped someone else in the business understood it better than I did.
Fast forward to today, and it’s been one of the biggest pieces of work we’ve ever taken on as a team. Not because of the paperwork, but because of how it’s changed the way we think about data, risk and responsibility in our day-to-day paraplanning work (what we refer to as suitability consulting).
And that’s why it matters for paraplanners, especially those of us working in outsourced support.
This wasn’t just a technical exercise
ISO 27001 can sound quite abstract from the outside. Policies, controls, audits, standards. It’s easy to assume it sits mainly with senior management or the systems side of a business.
In reality, most of the work sat right in the middle of paraplanning. In the everyday moments that don’t feel dramatic, but absolutely define how securely and confidently we work.
Things like:
- receiving full client fact finds, cashflow outputs and medical information from multiple adviser firms
- suitability instructions landing late in the day, often by email
- jumping between different CRMs, platforms and document portals
- saving drafts while waiting for adviser feedback or approval
- handing cases over internally when someone’s off, ill or just swamped
None of these feel risky in isolation. They’re just part of the job. But when you’re working across multiple firms, with different processes and expectations, they add up very quickly.
The real question became: what does “good” actually look like in day-to-day paraplanning?
Not in theory. Not in a policy document. But in the messy, real-world moments where judgement, pressure and practicality collide.
Once we started looking at things through that lens, a lot of everyday habits suddenly mattered much more.
Making the invisible visible
Before ISO, a lot of good practice already existed. It just lived in people’s heads.
Paraplanners were already doing sensible things instinctively. Double-checking email recipients. Naming files properly. Avoiding saving things locally. Asking “is this the right version?” before pressing send.
The issue wasn’t behaviour. It was consistency.
Going through certification meant pulling those good habits into the open. Writing them down. Making them repeatable. Making sure good practice didn’t rely on one particularly experienced person or “the one who always knows”.
That’s especially important in outsourced paraplanning, where:
- more than one paraplanner might touch the same case
- advisers expect continuity regardless of who’s working on it
- workloads shift quickly
- new joiners need to get comfortable fast
The aim wasn’t control for control’s sake. It was making sure quality and security didn’t wobble when things got busy.
Clarity builds confidence
One thing we were genuinely conscious of was whether clearer controls would feel restrictive or slow people down.
What actually happened was the opposite.
Clear boundaries removed uncertainty. Paraplanners stopped second-guessing themselves and felt more confident making decisions, because expectations were clear.
Knowing exactly where client data and working drafts should live, what is OK to share with advisers, and when something needs escalating rather than quietly fixing, made day-to-day paraplanning smoother, not harder.
In addition, when advisers expect quick turnarounds, but the consequences of getting something wrong are significant, that confidence really matters to paraplanners.
Why this matters now
Outsourced paraplanning isn’t behind the scenes anymore. Advisers are being asked more questions about third-party oversight, operational resilience and data governance than they were even a few years ago.
That scrutiny doesn’t stop at the adviser firm. It reaches the people doing the technical work.
ISO 27001 isn’t the only way to respond to that, but going through it reinforced something important for us. Good data security doesn’t come from policies alone. It comes from understanding how paraplanning actually works, day to day, across real adviser relationships.
What “good” looks like in practice
If you want to sense-check your own setup, ask yourself:
- Do I always know where client data and working drafts should live?
- Would someone else be able to pick up my case confidently if I was off tomorrow?
- Do I feel comfortable raising a data concern without worrying it’ll be taken the wrong way?
If any of those feel a bit wobbly, that’s usually where the real opportunity for improvement sits.
What this really comes down to
Data security isn’t something separate from paraplanning. It’s woven into the role.
And when it’s done well, it doesn’t get in the way of good technical work. It supports it, protects it, and gives paraplanners the confidence to focus on what they do best.