Challenge
The company processed sensitive health data and was contractually required to pursue ISO 27001:2022 and SOC 2, with NIS2 now in active enforcement across the EU raising the bar further. They had no dedicated security monitoring, their CI/CD pipeline had no automated security gating, and the average cost of a single healthcare data breach now far exceeds the cost of the controls needed to prevent it. Specialist SOC analysts and cloud-security engineers in the Netherlands were scarce and commanded premium salaries, and the existing platform team was already fully committed to the product roadmap. They needed compliance-grade security engineering quickly, without pulling product engineers off their work.
OSCABE approach
OSCABE stood up a Managed Remote Team of three engineers: a SOC and detection analyst, a cloud-security engineer and a DevSecOps engineer to harden the CI/CD pipeline. Two were drawn from our India security pool and the SOC analyst was based in Riyadh to extend monitoring-hours coverage. All three cleared our five-step vetting, including hands-on security assessments, and worked under one UK contract with GDPR-compliant access controls and least-privilege handling of any data. They built log monitoring and alerting, wired automated security scanning into the pipeline with tooling such as Snyk and infrastructure-as-code checks, and produced the control evidence the auditors needed, all on a 4 to 6 hour overlap with Amsterdam. The pod ran as the client's de facto security function under their CISO's direction.
Outcome
The healthtech reached audit-readiness for ISO 27001:2022 and its SOC 2 controls on roughly the planned timeline, with the pod producing the bulk of the evidence the assessors requested. Security alerting and extended monitoring coverage went live without diverting any product engineers, and the hardened pipeline started catching vulnerabilities before release rather than after. The client estimates the pod costs around 50% of equivalent in-house specialist hires in Amsterdam, with faster ramp and no recruitment lag. The team has since taken on ongoing detection-and-response and is supporting the company's NIS2 obligations.
Inside the engagement
The full evidence: team, timeline, stack, vetting, security, costs and before/after metrics.
The problem
The client, an Amsterdam-based healthtech processing sensitive patient data, was contractually required to pursue ISO 27001:2022 and SOC 2, with NIS2 now in active enforcement across the EU raising the bar further. They had no dedicated security monitoring, their CI/CD pipeline had no automated security gating, and the cost of a single healthcare data breach now far exceeds the cost of the controls needed to prevent it. Specialist SOC analysts and cloud-security engineers in the Netherlands were scarce and commanded premium salaries, and the existing platform team was fully committed to the product roadmap. They needed compliance-grade security engineering quickly, without pulling product engineers off their work.
Team composition
OSCABE stood up a three-person managed security and DevOps pod, sized to reach audit-readiness and run detection:
- 1 SOC and detection analyst (8 yrs, SIEM, detection engineering and incident response)
- 1 cloud-security engineer (9 yrs, AWS security, IAM and posture management)
- 1 DevSecOps engineer (7 yrs, pipeline hardening and security automation)
Two sat in the India security pool and the SOC analyst was based in Riyadh to extend monitoring-hours coverage, all on a 4 to 6 hour daily overlap with Amsterdam under the client's CISO.
Timeline
The pod reached audit-readiness in six weeks:
- Weeks 1 to 2: gap assessment against ISO 27001:2022 and SOC 2; cloud posture review; logging and asset inventory baseline.
- Weeks 3 to 4: SIEM and alerting stood up; CI/CD security gating wired in; IAM and least-privilege hardening.
- Weeks 5 to 6: control evidence assembled for assessors; detection rules tuned; extended monitoring coverage live.
Tech stack
AWS as the cloud platform, hardened with GuardDuty, Security Hub and AWS Config; a SIEM and alerting layer for log monitoring; Snyk and SAST/DAST plus infrastructure-as-code scanning (Checkov on Terraform) wired into GitHub Actions; container scanning on the build pipeline; and a control-evidence repository mapped to ISO 27001:2022 Annex A and SOC 2 criteria.
How OSCABE vetted the team
Every engineer cleared OSCABE's five-step vetting. An instant AI shortlist matched security specialisms to the brief; a senior OSCABE specialist ran a technical interview with a hands-on security assessment (detection-rule writing for the SOC analyst, an IAM and posture exercise for the cloud-security engineer, a pipeline-hardening task for the DevSecOps engineer); a communication assessment confirmed they could work under a CISO and write audit-grade evidence; and background and reference checks were run with particular care given the healthcare context. Chartered Engineer / CE verification was applied to the engineering roles, and relevant security certifications were confirmed in reference checks.
What was delivered
The healthtech reached audit-readiness for ISO 27001:2022 and its SOC 2 controls on roughly the planned timeline, with the pod producing the bulk of the evidence assessors requested. Security alerting and extended monitoring went live without diverting any product engineers, and the hardened pipeline began catching vulnerabilities before release rather than after. The pod later took on ongoing detection-and-response and now supports the company's NIS2 obligations.
Client workflow and collaboration
The pod ran as the client's de facto security function under the CISO's direction. A daily overlap window gave the CISO live cover; a weekly security review tracked control progress, open findings and alert volume; and the pod fed directly into the audit timeline with assessors. The CISO owned risk decisions and policy while the pod carried implementation and evidence.
Tools used
GitHub and GitHub Actions; Snyk, SAST/DAST and Checkov; AWS GuardDuty, Security Hub and Config; a SIEM with alerting into Slack and PagerDuty; Jira for the control and remediation backlog; Confluence for the evidence library; and Google Meet for the weekly review.
Security and compliance model
The engagement ran under ISO 27001-aligned controls and EU GDPR, under one UK contract. The pod worked to least-privilege, role-scoped access through SSO on managed, encrypted devices, and handled no raw patient data directly (working against de-identified or synthetic data and metadata). Cross-border access from India and Saudi Arabia was covered by SCCs plus a transfer risk assessment, with the client's most sensitive data kept in-region. Every engineer signed an NDA, and all tooling, detection content and documentation belonged to the client. The pod's own work strengthened the very controls the client was being audited against.
Cost comparison
| Item | Amsterdam in-house (3 specialists) | OSCABE managed pod |
|---|---|---|
| Salaries plus on-costs | around EUR 330,000 | included |
| Recruiter fees and ramp delay | around EUR 45,000 | none |
| Annual security run-cost | around EUR 375,000 | around EUR 188,000 |
| Net annual reduction | | about -50% |
Before and after
| Metric | Before | After |
|---|---|---|
| ISO 27001 / SOC 2 readiness | none | audit-ready on plan |
| Security monitoring | none | live, extended hours |
| Pipeline security gating | none | automated, pre-release |
| Annual security run-cost | around EUR 375,000 | around EUR 188,000 |
| Product-team disruption | risk | none |
What OSCABE managed vs what the client managed
OSCABE managed:
- Sourcing, five-step vetting, employment and payment of the three-person pod.
- Day-to-day delivery, monitoring coverage and the overlap with Amsterdam.
- Managed devices, least-privilege access and the compliance baseline.
The client managed:
- Risk appetite, security policy and acceptance of controls.
- The audit and assessor relationship and final sign-off.
- Data residency decisions for the most sensitive patient data.
Why remote worked
Security engineering and detection are delivered through tooling, evidence and well-tuned alerts, not physical presence. A 4 to 6 hour overlap with the CISO plus a Riyadh analyst extending monitoring hours gave the client broader detection coverage than three local hires would have, and the hardened pipeline catches issues automatically regardless of where the engineers sit. Strict least-privilege access, in-region storage for the most sensitive data and one UK contract let the client reach ISO 27001 and SOC 2 readiness at roughly half the cost, without slowing the product team down.
“We needed proper security engineering to pass ISO 27001 and SOC 2, and that talent is both rare and expensive here. OSCABE gave us a vetted SOC, cloud-security and DevSecOps team in weeks, at roughly half the cost, and they got us audit-ready without slowing our product team down.”