We help tech companies across New Brunswick and beyond get audit-ready, validate existing security controls, close compliance gaps, and meet privacy regulations — whether you're targeting SOC 2, ISO 27001, ISO 42001, or just want confidence that your program holds up to scrutiny. Enterprise-grade GRC, delivered at startup speed.
Practical, hands-on support across the frameworks enterprise buyers actually ask about. Scoped to your stage — whether you're chasing your first SOC 2 or maturing a security program.
Type I and Type II. Scope definition, control design, evidence collection, and auditor liaison through report issuance.
ISMS design, Statement of Applicability, risk treatment, and internal audit — certification-ready in one engagement.
AI management systems for teams shipping models. Governance that stands up to enterprise procurement scrutiny.
A plain-language read of where you are vs. where the framework requires — with a prioritized roadmap, not a 200-page PDF.
Ongoing security leadership on retainer. Board updates, customer security reviews, and day-to-day risk calls.
Custom, defensible policies that reflect how your team actually works — not a copy-pasted template pack.
Independent internal audits for ISO-certified environments. Findings you can act on, in the auditor's language.
Role-appropriate security and privacy training your team will actually complete — and your auditor will accept as evidence.
Four phases. Hands-on from the first call to the signed auditor's letter — and beyond if you want ongoing oversight.
We map your environment against the target framework and give you a prioritized list of gaps, ordered by risk and audit impact — not alphabetically.
Deliverable: scoping memo, gap register, 90-day plan.
We write policies, stand up controls, and configure tooling alongside your team. You own the implementation; we own the pace and the standard.
Deliverable: policies, control narratives, evidence library.
Internal audit, evidence review, and auditor selection. We sit in auditor calls so you don't have to translate on the fly.
Deliverable: audit binder, readiness attestation.
Fractional support for the year-over-year work — continuous monitoring, customer security reviews, and the annual audit cycle.
Deliverable: ongoing retainer, monthly cadence.
English GRC was founded to give tech companies access to the kind of governance, risk and compliance depth usually reserved for big-city consultancies — without the big-city bill or the big-firm detachment.
Every engagement is led personally by a senior practitioner. You'll work with the same person from the first scoping call through the final auditor's letter.
Tell us where you are today. We'll respond within one business day with a realistic next step — paid or not.