What we do

Every framework. One methodology.

We don't offer compliance as a product. Every engagement — regardless of framework — follows the same evidence-first methodology. The framework changes. The rigour does not.

Every service uses the same methodology. Evidence gathered first. Locally processed. Human-verified before delivery.


Governance, Risk & Compliance

GRC Consulting


GRC is not a framework you install — it is a capability you build. Most organisations have policies without evidence, controls without testing, and risk registers that bear no relationship to actual exposure. We fix that.

What we do

Governance, Risk and Compliance consulting covers the full spectrum of your organisation's security and compliance posture. We assess what you have, identify what you need, and build frameworks that function in your actual environment — not a generic template of it.

What we do differently

  • We assess your actual control environment before recommending a framework — not after.
  • Risk registers are built from evidence, not interviews alone.
  • Every gap we identify is traceable to a specific control failure, not a general observation.
  • We stay through remediation — we do not hand over a report and disappear.

Suited for

Organisations building their compliance function from scratch, preparing for a first audit, or rationalising a compliance programme that has grown without structure.

Deliverables

  • Current-state maturity assessment
  • Evidence-backed gap analysis
  • Risk register with traceable findings
  • Governance framework design
  • Policy and procedure development
  • Remediation roadmap with prioritised actions

AI Governance, Risk & Compliance


AI GRC


Organisations are deploying AI faster than they are governing it. The EU AI Act is in force. NIST AI RMF is the operational standard. Most AI deployments have no audit trail, no documented risk assessment, and no structured oversight. We close that gap.

What we do

AI GRC covers the full governance, risk, and compliance lifecycle for AI systems — from classification and risk assessment through control implementation, documentation, audit trail design, and ongoing monitoring. We work across the EU AI Act, NIST AI RMF, and ISO 42001.

What we do differently

  • We assess your actual AI systems and their data flows before any framework mapping — not a generic AI risk assessment.
  • Audit trail design is built into the engagement from day one — not added as an afterthought.
  • We assess all six layers of your AI security stack: identity, data protection, prompt security, output validation, governance, and observability.
  • Our evidence-first methodology applies to AI systems the same way it applies to every other compliance engagement — conclusions follow evidence, always.

Suited for

Organisations deploying AI in high-risk use cases, technology companies whose AI products interact with EU residents, and businesses building internal AI systems that handle personal data or make consequential decisions.

Deliverables

  • AI system inventory and risk classification
  • EU AI Act applicability assessment
  • NIST AI RMF mapping and gap analysis
  • AI audit trail architecture and design
  • Data protection and prompt security assessment
  • Output validation and human oversight framework
  • AI governance policy and procedure development
  • Monitoring and observability programme design
  • ISO 42001 readiness assessment (optional)
  • Ongoing AI compliance monitoring programme

SOC 2 Type I & Type II

SOC 2


SOC 2 is the most widely requested security assurance report in the B2B technology sector. A poorly evidenced SOC 2 report is worse than no report — it creates liability without credibility. We build reports that hold up.

What we do

SOC 2 attestation covers the Trust Services Criteria relevant to your business — Security, Availability, Processing Integrity, Confidentiality, and Privacy. We scope your engagement precisely, gather evidence systematically, and produce reports that auditors and clients can rely on.

What we do differently

  • We scope the engagement based on your actual service commitments — not the broadest possible scope.
  • Evidence is gathered before the report period for Type I, and throughout for Type II — no retrospective reconstruction.
  • We prepare you for auditor questions with traceable evidence packages, not verbal explanations.
  • Our RAG pipeline cross-references evidence against TSC criteria to identify gaps before the auditor does.

Suited for

SaaS companies, cloud service providers, and technology businesses whose enterprise clients require SOC 2 attestation as a condition of doing business.

Deliverables

  • Scope definition and boundary documentation
  • Control environment mapping against TSC
  • Evidence collection and management
  • Gap remediation support
  • Auditor-ready evidence packages
  • Type I or Type II report production support
  • Management assertion drafting

ISO/IEC 27001:2022

ISO 27001


ISO 27001 certification demonstrates that your organisation has built and operates an information security management system that meets an internationally recognised standard. The certification is only as credible as the ISMS behind it. We build credible ones.

What we do

We guide organisations through the full ISO 27001 implementation and certification lifecycle — from initial gap assessment through ISMS design, control implementation, internal audit, and certification audit support. We work to the 2022 standard.

What we do differently

  • We implement controls against your actual asset inventory and risk treatment decisions — not a generic Annex A checklist.
  • Internal audits are conducted with the same evidence-first methodology as our external engagements.
  • The Statement of Applicability is built from your risk assessment — not pre-populated with standard justifications.
  • We remain engaged through the certification audit to respond to auditor queries with documented evidence.

Suited for

Organisations seeking ISO 27001 certification for the first time, organisations recertifying against the 2022 standard, and businesses whose clients or procurement requirements mandate a certified ISMS.

Deliverables

  • ISO 27001:2022 gap assessment
  • ISMS scope and boundary definition
  • Asset inventory and risk assessment
  • Risk treatment plan
  • Statement of Applicability
  • Control implementation support
  • Internal audit programme and execution
  • Certification audit preparation and support
  • Corrective action management

Health Insurance Portability and Accountability Act

HIPAA


HIPAA compliance is not a one-time assessment — it is an ongoing programme. Healthcare organisations and their business associates face significant liability from inadequate controls, imprecise risk analysis, and documentation that does not reflect actual practice. We close those gaps.

What we do

We conduct HIPAA Security Rule risk analysis and risk management, assess Administrative, Physical, and Technical safeguards against your actual environment, and produce documentation that demonstrates genuine compliance — not checkbox completion.

What we do differently

  • Risk analysis is conducted against your actual ePHI inventory — we identify where ePHI lives before assessing controls around it.
  • We assess implemented safeguards, not just documented policies.
  • Business Associate Agreement review is included as standard — a frequently overlooked liability exposure.
  • Findings are traced to specific control gaps, not general risk categories.

Suited for

Covered entities, business associates, and subcontractors handling ePHI who require formal risk analysis documentation, are preparing for an HHS audit, or are responding to a breach investigation.

Deliverables

  • ePHI inventory and data flow mapping
  • Security Rule risk analysis
  • Administrative safeguards assessment
  • Physical safeguards assessment
  • Technical safeguards assessment
  • Risk management plan
  • Policy and procedure gap analysis
  • Business Associate Agreement review
  • Remediation roadmap
  • Compliance documentation package

General Data Protection Regulation

GDPR


GDPR compliance requires that your policies, your practices, and your technical controls are aligned. Most organisations have policies. Far fewer can demonstrate that their practices match them. We bridge that gap — with evidence.

What we do

We assess your organisation's compliance with GDPR across all six lawful bases, data subject rights obligations, controller and processor responsibilities, and technical and organisational measures. We work with organisations established in the EU, UK businesses operating under UK GDPR, and international businesses with EU data subject exposure.

What we do differently

  • We map your actual data flows before assessing compliance — not after.
  • Records of Processing Activities are built from evidence, not self-reported inventories.
  • Technical and organisational measures are assessed against implemented controls, not policy statements.
  • We identify accountability gaps that DPAs look for specifically — not just formal non-compliance.

Suited for

Organisations established in the EU or UK, international businesses with EU or UK data subject exposure, and companies whose enterprise clients require demonstrable GDPR compliance as a condition of contract.

Deliverables

  • Data mapping and flow documentation
  • Records of Processing Activities (RoPA)
  • Lawful basis assessment
  • Data subject rights gap analysis
  • Technical and organisational measures review
  • Data Protection Impact Assessment (DPIA) support
  • Controller/processor agreement review
  • International transfer mechanism assessment
  • Remediation roadmap
  • DPO advisory support (where applicable)

Not sure where to start?

Every engagement starts with understanding your environment — not selling you a framework.

Tell us where you are, what you need to achieve, and what timeline you are working to. We will tell you which framework fits, what evidence we will need, and what the engagement looks like.