
From First Statements to Ongoing Compliance: How Nobly Uses NorthGRC

Written by Anette Svane Vestergaard | Feb 1, 2026 11:00:00 PM

For a modern SaaS and consultancy business like Nobly, compliance is not an isolated discipline, but an integrated part of delivering trust, quality, and stable operations to customers in regulated industries.

When Nobly decided to take its compliance work to the next level and obtain an ISAE 3000 type II statement for the first time, in combination with ISAE 3402, NorthGRC became a central pillar of the work.

 

Compliance Focused on Practice and Scalability


Emilie Løyche is Compliance Officer at Nobly and reports to the Head of IT Operations. Her responsibility is to ensure that Nobly complies with relevant legal requirements and internal policies – particularly within data protection and information security.

“My focus is on translating compliance requirements into practical and scalable solutions that fit a SaaS company like ours,” Emilie explains.


Nobly also has a DPO who handles data breaches and data protection, while Emilie is responsible for the day-to-day compliance work and for ensuring that requirements are operationalised across the organisation.

 

First Statements – An Important Milestone


In December, Nobly obtained its first ISAE 3000 type II statement. Previously, the company had held a type I statement, but several customers requested documentation that demonstrated the effectiveness of Nobly’s controls over time – not just a snapshot.

“The type II statement was important for our maturity,” says Emilie. “It provides a picture of how our controls operate over time – not just at a specific point in time, as a type I does.”

For Nobly, the new statement means the company can provide customers with even stronger evidence that information security is managed effectively in practice. Nobly’s statement setup is a combination of ISAE 3000 and ISAE 3402, using ISO 27001 as a framework – not as a certification standard.

One Place for All Compliance


All work related to the statements was brought together in one place.


“What is remarkable is that we have not used any other tools than NorthGRC for our compliance work,” Emilie explains. “All documentation is stored there. We have set up an ISAE library with controls, policies, samples, and an annual cycle covering all activities.”


Nobly also granted its auditor audit access to NorthGRC, allowing all documentation to be accessed directly in the platform.

“The auditors have been very positive. It has made the work much easier that everything is gathered in one place and easy to find.”

 

Overview in Day-to-Day Work

 

In her daily work, Emilie primarily uses the annual cycle in NorthGRC to plan and distribute tasks.

“I use the annual cycle extensively. It provides a clear overview of who needs to do what – and when.”

 

She combines NorthGRC’s templates with her own controls, adapted to Nobly’s business.

“I will not overstate it, but I have not worked with anything before that has been this transparent and easy to understand. It simply works. I watched a few videos – and then I was up and running.”

 

Management Anchoring and a Shared Point of Reference

 

NorthGRC also plays a central role in the dialogue with management. The platform’s user and access management ensures that employees have access to relevant policies, while management has access to the overall compliance overview.

 

“NorthGRC functions as a shared point of reference. Compliance should not be a tick-box exercise – it is an operational discipline where management needs to be actively involved,” Emilie explains.

 

She regularly participates in management meetings and provides status updates on compliance using red, amber, and green, creating a shared understanding of risks and progress.

 

Multiple Frameworks – One Structure


In addition to working with ISAE statements, Nobly has also worked with DORA, is preparing for NIS2, and is looking ahead to CIS Controls.

“It is a major advantage that the core regulations are already available in NorthGRC, and that we can supplement them with controls that fit our organisation.”

NorthGRC makes it possible to work with multiple frameworks in parallel without losing overview or creating unnecessary complexity.

Compliance as an Ongoing Process


For Nobly, NorthGRC has helped change the experience of compliance.

“Compliance is no longer an annual event where the auditor comes to visit. It is an ongoing process,” says Emilie. “The annual cycle makes it clear to everyone what needs to happen when – and we can scale our compliance work as we grow.”

Peace of Mind and Clarity in the Work


When Emilie describes the value of NorthGRC, she has no doubt:

“It gives peace of mind. I can clearly see where we are and what is still missing.”


She particularly highlights how the platform reduces complexity in an area that can otherwise be heavy to work with.

“Even colleagues with very limited knowledge of compliance can find their way around NorthGRC. It gives them a better understanding of what compliance actually is.”

At the same time, the close and personal contact with the NorthGRC team is highly valued.

“We can always reach out if there is a need. Having a dedicated contact person creates a sense of security.”


For Nobly, NorthGRC is not just a tool for statements, but a platform that makes compliance manageable, understandable, and firmly anchored across the entire organisation.

 

 
