Securing a Distributed Engineering Team for ISO 27001 Readiness
ISO 27001 Developer Security for a Distributed IoT Team
The company
An IoT technology company headquartered in Ireland, with approximately 20 staff across software development, engineering, R&D, client services, and administration. The company designs and develops energy management systems and IoT platforms for commercial and public-sector clients, with developers and engineers distributed across Ireland, the UK, Brazil, and Poland.
The team works across macOS and Windows environments, with engineers requiring toolchain flexibility for local development and Linux-based IoT systems. The company’s cloud infrastructure is hosted on AWS. IoT devices deployed on client sites internationally report data back to these cloud workloads, which form the backbone of service delivery.
We protect our clients’ privacy by default. The details in this case study are anonymised, because we secure our clients’ identities the same way we secure their data.
The challenge
This company engaged Tarbh Tech not after a breach, but because the business was maturing and the gap between where they were and where they needed to be was becoming visible. Enterprise clients were asking harder questions during supplier due diligence (about endpoint management, encryption, monitoring) and the honest answer was that none of it existed. There had never been a dedicated IT function.
The distributed workforce added complexity. Developers in Brazil and Poland worked on the same codebase as engineers in Ireland and the UK, but there was no consistent device configuration, no centralised patching, and no way to verify that any laptop met a minimum security standard.
The development team presented a challenge that many MSPs handle poorly. Engineers need to run unsigned executables, use tunnelling tools, access cloud infrastructure from the command line, and download packages from public repositories. Without proper tuning, security tooling either generates a flood of false positives that gets ignored, or gets disabled entirely. The company needed security calibrated for how developers actually work.
The AWS-hosted cloud workloads (the ingestion layer for IoT devices on client sites) had no security monitoring or external attack surface visibility. ISO 27001 certification was a strategic requirement, but achieving it demanded a verifiable baseline, documented controls, and evidence of continuous monitoring that did not yet exist.
What we did
The engagement began with a full environment audit including the Microsoft 365 tenancy, device inventory across four countries, AWS environment review, developer workflow assessment, and ISO 27001 gap analysis. The developer workflow assessment was critical; toolchain requirements and IoT development environments were documented to ensure security controls would not impede productivity.
The security baseline was deployed within eight weeks. Microsoft 365 Business Premium was optimised with a tiered licensing model. Entra ID P2 provided Conditional Access and MFA enforcement across all four countries. Intune enrolled all managed endpoints with compliance policies across macOS and Windows.
Defender for Endpoint was tuned specifically for developer workstations — custom exclusions for build directories, toolchains, and package managers reduced false positives while maintaining protection. The full Defender XDR suite was deployed alongside Blackpoint Cyber MDR for 24/7 SOC monitoring. Defender for Cloud was deployed across the company’s AWS infrastructure, bringing the cloud workloads that IoT devices report to under the same security monitoring as the Microsoft 365 estate. EASM was deployed to continuously map internet-facing assets including the AWS endpoints that field-deployed IoT devices connect to.
Microsoft Sentinel was deployed with custom detection rules covering authentication from new countries, sign-ins from previously unseen device platforms, USB file copy monitoring, and application credential monitoring. A security awareness programme addressed the common assumption in technical teams that technical capability equals security awareness.
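As an added illustration, not Tarbh Tech's or Microsoft Sentinel's actual rule logic, the following Python models the "new country" and "unseen platform" detections over a constructed sign-in log (user names, country codes and platforms are made up). Only successful sign-ins extend a user's baseline, so a failed attempt from an unfamiliar country is flagged without teaching the baseline to trust that country.

```python
"""Per-user sign-in anomaly detection modelled on the Sentinel rule types
described above. Constructed example; not vendor rule content."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    country: str    # ISO country code derived from the sign-in IP
    platform: str   # device platform reported with the sign-in
    success: bool


# Constructed sample sign-in log (hypothetical users and locations).
SAMPLE_LOG = [
    SignIn("alice", "IE", "macOS", True),
    SignIn("alice", "IE", "macOS", True),
    SignIn("bob", "PL", "Windows", True),
    SignIn("bob", "PL", "Windows", True),
    SignIn("alice", "JP", "macOS", False),   # failed attempt, new country
    SignIn("bob", "PL", "Linux", True),      # known country, unseen platform
    SignIn("carol", "BR", "macOS", True),    # first sign-in: baseline only
]


def detect_anomalies(events, min_baseline=2):
    """Return (alerts, country_baseline).

    alerts: list of (kind, SignIn) for sign-ins from a country or platform
    not previously seen for that user. A user needs `min_baseline` prior
    successful sign-ins before alerts fire, so new accounts populate the
    baseline quietly. Failed sign-ins can raise alerts but never extend the
    baseline, which keeps brute-force attempts from poisoning it."""
    seen_countries = defaultdict(set)
    seen_platforms = defaultdict(set)
    successes = defaultdict(int)
    alerts = []
    for e in events:
        if successes[e.user] >= min_baseline:
            if e.country not in seen_countries[e.user]:
                alerts.append(("new_country", e))
            if e.platform not in seen_platforms[e.user]:
                alerts.append(("unseen_platform", e))
        if e.success:
            seen_countries[e.user].add(e.country)
            seen_platforms[e.user].add(e.platform)
            successes[e.user] += 1
    return alerts, dict(seen_countries)
```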
The ISO 27001 certification programme built directly on the security baseline. Controls were mapped to Annex A, incident management was documented, and evidence collection was automated through operational tooling, not a separate compliance workstream.
The results
The security baseline was in place within eight weeks. In the most recent month, monitoring detected brute-force authentication attempts from Japan, Germany, Luxembourg, and the Netherlands targeting senior leadership accounts, all blocked by Smart Lockout and MFA. USB file copy events were flagged and investigated. None of this would have been visible before.
Defender for Cloud extended monitoring into the AWS workloads. EASM continuously maps the internet-facing assets that IoT devices connect to, flagging changes before they become exposures. The Defender for Endpoint tuning was critical. Custom exclusions mean security works with developer workflows, not against them.
The company achieved ISO 27001 certification and has since retained it. The controls required by Annex A (access management, incident response, asset management, operational security) are the same controls that run the environment day to day. When the certification auditor arrived, the evidence was already there. When enterprise clients ask about security posture, the answer comes with a certificate and the data behind it.
Microsoft Secure Score sits at 74%, compared to the 51% industry average. In the most recent month, 43 security incidents were detected and triaged, and over 2,000 email threats were mitigated.
Where things stand today
The company is on COSAINT Managed with ISO 27001 add-on support. The monthly service includes Microsoft 365 and Intune management across macOS and Windows, Defender XDR and Defender for Cloud monitoring, EASM, 24/7 SOC triage, Sentinel with custom detections, advanced email threat protection, automated monthly reporting, and ongoing ISO 27001 compliance support.
Current priorities include maintaining ISO 27001 certification through continuous evidence collection, remediating remaining non-compliant devices, refining Sentinel detection rules, and supporting continued international growth.
"Our enterprise clients were asking security questions we couldn't answer, and we needed ISO 27001. Tarbh Tech understood that we're a development team first. They built us a proper security foundation without locking down the tools our engineers need. We got certified, we've retained it, and when a client asks about our controls, I have evidence to hand them. Every month I get a report showing exactly where we stand."