Simulated compliance project — built as a portfolio artifact to demonstrate compliance officer skills including framework alignment, control evaluation, gap analysis, and documentation.
Pay2Go Financial Inc. is a fictional Canadian fintech that facilitates real-time fund transfers between individuals and financial institutions. It processes approximately 500,000 transactions per day and integrates with nearly every bank and credit union in Canada. Its product suite includes:
| Product | Description |
|---|---|
| Pay2Go Debit | Chip-and-PIN / contactless point-of-sale payments |
| Pay2Go e-Transfer | Real-time P2P money transfers via email or mobile number |
| Pay2Go Online Payments | Direct bank-account payments for e-commerce |
| Pay2Go Contactless | Tap-and-go payments under $250 with dynamic encryption |
Simulate the role of a compliance officer building a baseline Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022. The goal is to:
- Define the ISMS scope and asset inventory
- Map assets and controls to ISO 27001 Annex A (2022 edition)
- Identify control gaps and assign owners + maturity ratings
- Produce audit-ready documentation
```
pay2go-iso27001-compliance/
│
├── README.md                      ← You are here
├── CHANGELOG.md                   ← Version history
│
├── docs/
│   ├── scope-statement.md         ← ISMS scope and boundaries
│   ├── asset-inventory.md         ← All information assets catalogued
│   ├── gap-analysis.md            ← Control gaps identified with severity
│   └── risk-register.md           ← Risk register with likelihood/impact ratings
│
├── controls/
│   ├── control-matrix.csv         ← 20 ISO 27001 Annex A controls (machine-readable)
│   ├── control-matrix.md          ← Same matrix, human-readable markdown table
│   └── soa-stub.md                ← Statement of Applicability (draft)
│
├── policies/
│   ├── info-security-policy.md    ← Master information security policy
│   ├── access-control-policy.md   ← Access control and privilege management policy
│   └── incident-response-plan.md  ← Incident classification and response procedures
│
├── reports/
│   ├── compliance-summary.md      ← 1-page executive compliance summary
│   └── maturity-scorecard.md      ← Control-by-control maturity ratings
│
├── diagrams/
│   └── README.md                  ← Description of diagrams to produce
│
└── .github/
    └── ISSUE_TEMPLATE/
        └── control-gap.md         ← GitHub issue template for tracking gaps
```
| Status | Count | % of Controls |
|---|---|---|
| ✅ Implemented | 5 | 25% |
| 🟡 Partial | 9 | 45% |
| 🔴 Planned | 6 | 30% |
Overall Maturity Score: 2.4 / 5
| Priority | Control | Gap |
|---|---|---|
| 🔴 Critical | A.8.2 — Privileged access management | No PAM tool deployed |
| 🔴 Critical | A.5.30 — ICT business continuity | No tested failover plan |
| 🔴 High | A.6.8 — Incident reporting | No formal staff escalation path |
| 🔴 High | A.8.9 — Configuration management | No baseline configs enforced |
| 🔴 High | A.5.14 — Information transfer | No data transfer agreements signed |
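The status counts, percentages and overall maturity score above are derived from `controls/control-matrix.csv`. The script below is an added example, not part of the repository: it assumes a `control_id,status,maturity` column layout (the real file's schema is not shown here) and uses a constructed 20-row sample whose Planned rows include the five priority gaps listed above, reproducing the 5 / 9 / 6 split and the 2.4 / 5 score.

```python
import csv
import io
from collections import Counter

# Constructed sample (not the repository's control-matrix.csv); the
# control_id,status,maturity column layout is an assumption of this example.
SAMPLE_CSV = """control_id,status,maturity
A.5.1,Implemented,4
A.5.2,Implemented,4
A.5.15,Implemented,4
A.8.5,Implemented,4
A.8.24,Implemented,4
A.5.3,Partial,3
A.5.24,Partial,3
A.6.3,Partial,3
A.8.7,Partial,3
A.8.15,Partial,3
A.8.8,Partial,2
A.8.16,Partial,2
A.8.25,Partial,2
A.8.28,Partial,2
A.5.14,Planned,1
A.5.30,Planned,1
A.6.8,Planned,1
A.8.2,Planned,1
A.8.9,Planned,1
A.8.32,Planned,0
"""

STATUSES = ("Implemented", "Partial", "Planned")

def summarize(csv_text):
    """Return (counts per status, % of controls per status, mean maturity 0-5)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("control matrix is empty")
    counts = Counter(r["status"] for r in rows)
    if set(counts) - set(STATUSES):  # reject typos such as "Implmented"
        raise ValueError(f"unexpected status values: {sorted(set(counts) - set(STATUSES))}")
    total = len(rows)
    pct = {s: round(100 * counts[s] / total) for s in STATUSES}
    score = round(sum(int(r["maturity"]) for r in rows) / total, 1)
    return {s: counts[s] for s in STATUSES}, pct, score

if __name__ == "__main__":
    counts, pct, score = summarize(SAMPLE_CSV)
    for s in STATUSES:
        print(f"{s:<12} {counts[s]:>3} {pct[s]:>4}%")
    print(f"Overall Maturity Score: {score} / 5")
```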
- Start with `docs/scope-statement.md` to understand what's in scope
- Review `controls/control-matrix.md` for the full gap picture
- Read `reports/compliance-summary.md` for the executive view
This is a simulated project created for educational and portfolio purposes. Pay2Go Financial Inc. is a fictional company. No real financial data, credentials, or personal information is contained in this repository.