Build the governance structure your security programme needs.
Gap assessments, framework readiness, policy development, and audit preparation - taking you from intent to documented, auditable practice.
ISO 27001 Readiness
Gap assessment output - illustrative
Four advisory engagements
ISO 27001 Readiness & Advisory
Structured support for organisations pursuing ISO 27001 certification - from initial gap assessment through Statement of Applicability development and audit preparation.
Includes
- Gap assessment against ISO 27001:2022 Annex A
- Risk assessment and risk treatment plan
- Statement of Applicability (SoA) development
- Policy and procedure documentation
- Internal audit support
- Pre-certification review
SOC 2 Readiness Assessment
For SaaS and technology firms preparing for a SOC 2 Type I or Type II audit - we assess your controls against the Trust Service Criteria and provide a clear remediation roadmap.
Includes
- Readiness assessment across Trust Service Categories
- Security, Availability, Confidentiality in scope
- Control gap register
- Prioritised remediation plan
- Evidence collection guidance
- Audit firm liaison support
Security Gap Assessment
A structured assessment of your current security posture against an appropriate baseline - identifying gaps, prioritising remediation, and giving you a clear starting point for programme development.
Includes
- Policy and governance review
- Technical control assessment
- Asset management and access control
- Incident management review
- Business continuity assessment
- Prioritised remediation roadmap
Policy & Documentation Development
Development or review of the security policies, procedures, and standards your organisation needs - written for real use, not audit theatre.
Includes
- Information Security Policy suite
- Acceptable Use and Access Control policies
- Data Classification framework
- Incident Response plan
- Vendor risk management framework
- Tailored to your size and regulatory context
Standards we work within
ISO 27001:2022
The international standard for information security management systems. We work to the 2022 revision, including all Annex A controls.
SOC 2 (AICPA TSC)
Trust Service Criteria covering Security, Availability, Confidentiality, Processing Integrity, and Privacy.
NIST CSF 2.0
The updated NIST Cybersecurity Framework - used as a baseline for gap assessments and programme maturity evaluation.
PCI DSS v4.0
Payment Card Industry Data Security Standard for organisations that process, store, or transmit cardholder data.
SAMA CSF
Saudi Arabian Monetary Authority Cyber Security Framework for financial institutions operating in Saudi Arabia.
NCA ECC
National Cybersecurity Authority Essential Cybersecurity Controls for organisations operating in Saudi Arabia.
Frameworks are a means, not an end.
The goal of a GRC engagement is not a certificate on the wall - it is a security programme that actually functions. We build documentation, policies, and controls that your team can operate, that auditors can verify, and that reduce real organisational risk.
No boilerplate policies
Every policy we produce is written for your organisation - your size, your stack, your regulatory context. Not a template with your logo on it.
Audit-ready from day one
We structure every engagement so that the output is directly usable in an audit - evidence trails, control mapping, and documentation formatted for examiner review.
Ongoing advisory available
For organisations that need continued support as they implement - we can work alongside your team through the full programme rather than delivering and disappearing.
Ready to start your GRC programme?
Whether you're starting from scratch or preparing for a specific audit - we'll give you a structured path to get there.