OSL Group required ISO/IEC 27001:2022 certification to support its strategic evolution into a global stablecoin payment and trading hub. Hacken conducted a crypto-native gap assessment, aligned the ISMS with international regulatory standards, and acted as a technical liaison to translate blockchain evidence for Swiss Approval North America auditors.
What is OSL?
OSL Group (HKEX: 863) is a global stablecoin payment and trading platform that strives to provide compliant and efficient digital financial infrastructure services globally, empowering enterprises, financial institutions and individuals to seamlessly exchange, pay, trade, and settle between fiat and digital currencies. Grounded in the core values of Open, Secure, and Licensed, it is committed to building a more efficient ecosystem that connects global markets and enables instant, seamless and compliant value movement worldwide.
As the cornerstone of this ecosystem, the OSL exchange business plays a pivotal role in the group's broader stablecoin strategy. It serves as the critical gateway and the last-mile settlement infrastructure bridging traditional finance with the digital asset economy. Supported by over 50 licenses and registrations across more than 10 jurisdictions, OSL has built a compliant, highly liquid global network. While upholding the highest security standards, the exchange provides the core capability for seamless conversion between stablecoins and fiat currencies, acting as the foundational layer that powers the efficiency of the entire digital financial ecosystem.
The Challenge
ISO/IEC 27001:2022 was originally designed for traditional enterprise IT. It does not naturally account for the complexities of 1:1 stablecoin settlement, private key lifecycles, or the high-velocity risk profile of a global digital asset exchange.
For OSL, the goal was to ensure their Information Security Management System (ISMS) was robust enough to protect global fund transfers and cross-chain assets while satisfying the rigorous audit expectations of a publicly listed, licensed group.
How Hacken Delivered
1. Specialized Gap Assessment for Regulated Entities
The Challenge: Aligning rigid ISO requirements with a sophisticated environment that manages tokenized treasuries (RWAs) and complex fiat on-ramps.
What Hacken did: We performed a deep-dive assessment tailored to OSL’s licensed operations. Rather than using a generic template, we benchmarked their existing posture against the 2022 standard through a digital-asset lens – ensuring that governance and access controls were robust enough for institutional service delivery while staying compliant with local SFC guidelines.
2. Risk Management for Global Stablecoin Flows
The Challenge: Traditional risk models often overlook the nuances of hot/cold wallet segregation and the infrastructure behind stablecoin hubs like OSL StableHub.
What Hacken did: Hacken expanded the risk management scope to specifically include the infrastructure supporting OSL’s fiat-to-stablecoin gateway and liquidity mechanisms. We identified threat scenarios unique to institutional brokerage and global payments, creating a Risk Treatment Plan that drives practical, security-first decisions.
3. Operationalizing Documentation
The Challenge: Avoiding "paper compliance" – the common failure where security policies exist in a manual but don't reflect actual engineering or trading workflows.
What Hacken did: We worked directly with OSL’s technical teams to align security documentation with their real-world operations. Policies were designed to support OSL’s high-speed clearing and fund transfer capabilities, ensuring the ISMS acted as a foundation for global growth rather than a source of administrative friction.
4. Audit Advocacy
The Challenge: Proving to traditional auditors that blockchain-native logs and automated security triggers meet the "intent" of ISO’s technical controls.
What Hacken did: Hacken acted as a technical liaison between OSL and the Certification Body (Swiss Approval North America). By translating Web3-specific evidence into recognized audit formats, we helped the auditors interpret OSL’s advanced security measures, ensuring a friction-free path to successful certification.
The Result: ISO/IEC 27001:2022 Certification
OSL successfully established and implemented an Information Security Management System in accordance with ISO/IEC 27001:2022, certified by Swiss Approval North America.

Certification Details:
This certification confirms that OSL operates an internationally recognized security management system across its global infrastructure. It serves as a verified guarantee that OSL’s "Open, Secure, and Licensed" philosophy is backed by world-class operational controls.
What This Means for OSL Users and Partners
ISO/IEC 27001:2022 is independent evidence that OSL manages security risks with the same discipline as a Tier-1 financial institution.
- For institutional partners: It streamlines due diligence by replacing long, manual security questionnaires with a globally recognized certificate of excellence.
- For global regulators: It provides a "common security language" that demonstrates OSL’s internal controls are effective across multiple jurisdictions.
- For professional traders: It confirms that the infrastructure protecting their capital has been externally audited against the world's most rigorous information security standard.
About Hacken’s ISO 27001 Compliance Service

Hacken has guided the world’s leading exchanges, regulated custodians, and Layer 1 protocols through ISO/IEC 27001:2022 certification. Every engagement merges certified ISO Lead Auditors with deep digital asset expertise, including penetration testing, cloud security reviews, and specialized risk assessments, all delivered in-house without third-party vendors.
This same rigorous approach has been applied to global leaders including Toobit (ISO/IEC 27001:2022), Bitunix (ISO/IEC 27001:2022), Bitso (CCSS Level 2), WhiteBIT (CCSS Level 3), and Bybit (MiCA-aligned penetration testing).
If your platform requires institutional-grade ISO 27001 certification: hacken.io/services/iso-27001/
FAQ
What is ISO/IEC 27001 certification for a digital asset platform?
ISO/IEC 27001 is the global standard for information security management systems (ISMS). For a digital asset platform, it means implementing a structured, audited framework to manage risks across operations — including cold storage, private key handling, infrastructure, and personnel security. Certification is granted only after an independent audit by an accredited body.
Does ISO 27001 help with MiCA, DORA, or SFC compliance?
Yes. ISO/IEC 27001:2022 aligns with a significant share of cybersecurity requirements across MiCA, DORA, and SFC frameworks. It does not replace regulatory compliance, but it establishes the baseline controls regulators expect, reducing the scope and complexity of additional audits.
How does ISO 27001 benefit an SFC-licensed entity?
ISO 27001 strengthens trust beyond local regulatory approval. While an SFC license confirms compliance within Hong Kong, ISO certification provides a globally recognized validation of security practices — often required during institutional due diligence across Europe, the US, and Asia.
Can certification cover multiple jurisdictions and entities?
Yes. An ISMS can be scoped across multiple legal entities within a group. This allows organizations operating in different jurisdictions to maintain consistent security standards and centralized risk management under a single certification framework.



