How Axipro Took Insightplay From a Compromised Audit to a Flawless ISO 27001

Certification

ISO 27001

Industry

AI Software | AI Agents

Engagement Length

6 weeks

Location

Dover, Delaware, USA

Product

ISO 27001

Industry

Sustainability Technology, Digital Product Passports, Life Cycle Assessment

Engagement Length

10 Months

Location

Manchester, United Kingdom

Outcome

Successful ISO 27001 certification for both entities, with Drata at 100% control compliance

Axipro Helped Turn Audit Failure into Success

Most companies pursue ISO 27001 to prove they can be trusted. Insightplay had a stranger problem: the platform vouching for its security had itself become the security question. In March 2026, whistleblower allegations surfaced against Delve, the compliance automation startup, accusing it of generating fraudulent audit reports and fabricating evidence of controls for hundreds of customers.

Delve disputes the allegations, but for the companies holding its paperwork, the dispute was largely beside the point. A certification exists to remove doubt. Once it acquires an asterisk, it has already failed at its only job.

This is the story of how Insightplay rebuilt its information security certification from that position: a full migration from Delve to Drata, implementation led by Axipro, and an independent audit by Prescient Security.

The result was an ISO 27001 certification the customer publicly rates five out of five, under the title “Perfect ISO 27001 Certification.”

01- THE CHALLENGE

When the Compliance Platform Becomes the Compliance Risk

An ISO 27001 certificate works because it is a shortcut. A prospect sees the certificate, and weeks of security due diligence collapse into a single act of recognition. That is the entire commercial value of the standard, which ISO describes as the world’s best-known framework for information security management systems. But a shortcut is only as reliable as the party who built it.

When the audit process itself is called into question, the shortcut fails, and it fails for everyone who used it, including companies whose underlying security was genuinely sound.

That is what made the Delve situation so corrosive. 

The allegations did not merely claim that some audits were sloppy.

They claimed the appearance of compliance had been manufactured at scale, with reports of rubber-stamping auditors and pre-populated evidence spreading through the industry press within days.

Every company with a Delve-sourced attestation inherited the doubt, whether they deserved it or not.
Insightplay made the decision quickly.

The certification had to be rebuilt on infrastructure whose credibility could not be questioned.

Important: An ISO 27001 certificate is only as strong as the accreditation behind it. Before trusting any certificate, yours or a vendor’s, verify that the issuing certification body is accredited by a recognized national body such as UKAS or ANAB. Certificates from unaccredited issuers can be produced by anyone with a PDF editor.

02- THE BACKGROUND

What Insightplay Actually Needed

The engagement scope had three parts, and the ordering mattered.

  The first priority was not the certificate.

It was a published trust center carrying the minimum credible information, live as fast as possible. Enterprise deals do not pause politely while a vendor re-certifies. Sales conversations needed something verifiable to point to immediately, while the full program was rebuilt behind it.

  The second part was the migration itself.

Moving the entire compliance program from Delve to Drata, re-mapping controls, and rebuilding evidence collection on a platform whose pipeline could withstand hostile scrutiny.

  The third was forward-looking.

Framework readiness, preparing the foundations so that future standards could be added without starting from zero. The engagement was structured as a yearly contract rather than a one-off project, because compliance that ends at the certificate is precisely the model that had just failed.

03- THE SOLUTION

Three Independent Pillars

The architecture Axipro proposed was deliberately redundant. Axipro served as the implementation partner, running the migration, the control mapping, and the audit preparation. Drata provided the continuous monitoring platform where evidence is collected and verified. Prescient Security, an independent accredited audit firm, designed and executed the audit itself.

Three separate parties, none of whom writes its own report card. In ordinary times, this separation is good practice. In the aftermath of a scandal built on auditor independence, it is the entire point. The structure is not just how the certification was achieved; it is what makes the certification believable. No single company controls the evidence, the platform, and the opinion.

Insider Note: After the Delve allegations, security teams began asking compliance vendors three questions that separate real programs from theater: Who signs the final audit opinion? Who designs the test procedures? Can we see the raw evidence behind each control? A vendor who hesitates on any of the three is telling you something.

04- THE MIGRATION

Leaving a Failing Vendor Without Losing a Step

The main reason companies stay with compliance vendors they no longer trust is that switching feels more dangerous than enduring. A migration means re-collecting evidence, re-mapping every control, rewriting policies to fit a new platform, and doing all of it while customers are actively asking questions. The fear of the interim gap keeps companies attached to certificates they privately doubt.

Axipro’s job was to make that fear unfounded.

The team migrated Insightplay’s program from Delve into Drata, rebuilt the control set, and managed every request for evidence raised during the audit through to resolution.
Where submitted evidence fell short of the auditor’s bar, Axipro flagged it and worked with Insightplay’s team to remediate rather than letting it slide through. That last detail is worth dwelling on.
A partner willing to reject its own client’s evidence is a partner optimizing for the audit holding up, not for the invoice clearing.

Pro Tip: Rebuilding trust after a Vendor Failure

If you are rebuilding trust after a vendor failure, publish your trust center before your new certification completes, with a smaller set of fully verified claims rather than a large set of aspirational ones. A short page where everything checks out builds more confidence than a long one with gaps.

05- THE RESULTS

Insightplay achieved its ISO 27001 Certification

Insightplay achieved its ISO 27001 certification through the independent audit with Prescient Security, with every request for evidence addressed. The trust center went live early in the engagement, giving the sales team a credible security story while the full program matured. Framework readiness work is underway for the standards Insightplay will need next, and the relationship has been formalized as an ongoing yearly engagement rather than a transactional project.

06- WHAT'S NEXT

Trust, Rebuilt Properly

Insightplay’s situation will become more common, not less. As compliance automation grows, so does the temptation to compress the one part of the process that cannot be compressed: independent verification. When that corner gets cut somewhere in the market, every certificate in the category takes on a little of the doubt.

The answer is not less automation. It is automation with visible separation of powers: a platform that collects evidence, a partner that prepares it honestly, and an auditor that answers to no one but the standard. That is what Insightplay bought, and it is why their certification means what a certification is supposed to mean. If your current compliance setup could not survive the three questions above, it may be worth a conversation with Axipro before the market asks them for you.

Case Studies

Explore More Case Studies