Compliance that closes deals, not calendars.
Most of our clients have a deal, a regulation, or an auditor asking questions their current security program can't answer yet. We work with tech companies across Atlantic Canada to get them there: SOC 2, ISO 27001, ISO 42001, and privacy regulations, scoped to the framework in front of you, not a shelf full of them.
What we do
Practical, hands-on support across the frameworks enterprise buyers actually ask about. Scoped to your stage, whether you're chasing your first SOC 2 or maturing a security program.
SOC 2 readiness
Type I and Type II. Scope definition, control design, evidence collection, and auditor liaison through report issuance.
ISO 27001 readiness
ISMS design, Statement of Applicability, risk treatment, and internal audit. Certification-ready in one engagement.
ISO 42001
AI management systems for teams shipping models. Governance that stands up to enterprise procurement scrutiny.
Gap analysis
A plain-language read of where you are vs. where the framework requires, with a prioritized roadmap instead of a 200-page PDF.
Fractional GRC & vCISO
Ongoing security leadership on retainer. Board updates, customer security reviews, and day-to-day risk calls.
Policy development
Custom, defensible policies that reflect how your team actually works, not a copy-pasted template pack.
Internal audit
Independent internal audits for ISO-certified environments. Findings you can act on, in the auditor's language.
Awareness training
Role-appropriate security and privacy training your team will actually complete and your auditor will accept as evidence.
How we work
Four phases. Hands-on from the first call to the signed auditor's letter, and beyond if you want ongoing oversight.
Scope & gap
We map your environment against the target framework and give you a prioritized list of gaps, ordered by risk and audit impact, not alphabetically.
Deliverable: scoping memo, gap register, 90-day plan.
Design & implement
We write policies, stand up controls, and configure tooling alongside your team. You own the implementation; we own the pace and the standard.
Deliverable: policies, control narratives, evidence library.
Audit readiness
Internal audit, evidence review, and auditor selection. We sit in auditor calls so you don't have to translate on the fly.
Deliverable: audit binder, readiness attestation.
Maintain
Fractional support for the year-over-year work: continuous monitoring, customer security reviews, and the annual audit cycle.
Deliverable: ongoing retainer, monthly cadence.
Enterprise expertise, local partnership.
English GRC was founded to give tech companies access to the kind of governance, risk and compliance depth usually reserved for enterprise consultancies, without the enterprise price tag or the large-firm detachment.
Every engagement is led personally by a senior practitioner. You'll work with the same person from the first scoping call through the final auditor's letter.
Read more about our approach →
- CISSP
- CISA
- CISM
- CRISC
- ISO 27001 LI
- 10+ years in GRC
Ready to make compliance a competitive advantage?
Tell us where you are today. We'll respond within one business day with a realistic next step, paid or not.