Everything you need to pass, and nothing you don't.
Engagements are scoped to the framework, your team size, and the deadline in front of you. Fixed-fee where possible; monthly retainer where ongoing oversight makes more sense.
SOC 2 readiness
The ticket most enterprise sales conversations ask for. We take you from "we've heard of SOC 2" to a signed Type II report, typically in 6 to 9 months.
- Scope & trust-services criteria mapping
- Control design & implementation
- Evidence library & tooling setup
- Auditor selection & liaison
- Type I prep & observation-period playbook
- Post-report security-review responses
ISO 27001 readiness
The international standard European buyers increasingly require. An ISMS built to certify, not just pass a surface audit.
- ISMS scope & context definition
- Risk assessment & treatment plan
- Statement of Applicability (Annex A)
- Mandatory document suite
- Internal audit & management review
- Stage 1 & Stage 2 audit support
ISO 42001 — AI management
For teams shipping AI features into regulated or enterprise environments. The governance structure that turns an AI procurement questionnaire from a two-week scramble into a checkbox.
- AIMS scope & risk framing
- AI impact assessments
- Model lifecycle & monitoring controls
- Data & training-set governance
- Third-party model risk
- Alignment with NIST AI RMF
Gap analysis
A two-week engagement that tells you, honestly, how far you are from the finish line. No fluff, no upsell-by-default. Sometimes the answer is "you're closer than you think."
- Framework-specific control walkthrough
- Stakeholder interviews
- Evidence sampling
- Prioritized remediation roadmap
- Effort & cost estimate
- Executive read-out deck
Fractional GRC / vCISO
Senior security leadership for companies that aren't ready to hire one full-time. On-call for board meetings, customer reviews, incidents, and everything in between.
- Monthly security steering
- Board & investor reporting
- Customer security-review support
- Vendor risk program ownership
- Incident response coordination
- Annual audit cycle management
Policy development
Custom policies written in plain English, tailored to how your team actually works. Defensible to auditors; readable by the people expected to follow them.
- Information security policy suite
- Acceptable use, access control, BC/DR
- Vendor & third-party risk policy
- Incident response plan & runbooks
- Privacy & data-handling policy
- Annual review cadence
Internal audit
Independent internal audits that meet ISO's requirements and turn up real issues before the external auditor does.
- Annual internal audit plan
- Control sampling & testing
- Nonconformity reporting
- CAPA (corrective & preventive action) tracking
- Management review inputs
- Auditor-ready evidence packaging
Security awareness training
Security and privacy training worth sitting through. Checks the auditor's box without eating an afternoon, with separate tracks for engineering, sales, and leadership.
- Annual base curriculum
- Role-specific modules (eng, sales, ops)
- Phishing simulation & reporting
- Onboarding module for new hires
- Completion tracking & evidence
- Updates for new threats & policies
Not sure which of these you need?
Book a free 30-minute call. We'll walk through what your buyers are asking for and point you to the right starting place, even if it's not with us.