Services

Everything you need to pass, and nothing you don't.

Engagements are scoped to the framework, your team size, and the deadline in front of you. Fixed-fee where possible; monthly retainer where ongoing oversight makes more sense.

01
SOC 2 · Type I / II

SOC 2 readiness

The ticket most enterprise sales conversations ask for. We take you from "we've heard of SOC 2" to a signed Type II report — typically in 6–9 months.

  • Scope & trust-services criteria mapping
  • Control design & implementation
  • Evidence library & tooling setup
  • Auditor selection & liaison
  • Type I prep, observation-period playbook
  • Post-report security-review responses

02
ISO/IEC 27001

ISO 27001 readiness

The international standard European buyers increasingly require. An ISMS built to certify — not just pass a surface audit.

  • ISMS scope & context definition
  • Risk assessment & treatment plan
  • Statement of Applicability (Annex A)
  • Mandatory document suite
  • Internal audit & management review
  • Stage 1 & Stage 2 audit support

03
ISO/IEC 42001

ISO 42001 — AI management

For teams shipping AI features into regulated or enterprise contexts. Governance that makes procurement's AI questionnaire a formality instead of a blocker.

  • AIMS scope & risk framing
  • AI impact assessments
  • Model lifecycle & monitoring controls
  • Data & training-set governance
  • Third-party model risk
  • Alignment with NIST AI RMF

04
Assessment

Gap analysis

A two-week engagement that tells you — honestly — how far you are from the finish line. No fluff, no upsell-by-default. Sometimes the answer is "you're closer than you think."

  • Framework-specific control walkthrough
  • Stakeholder interviews
  • Evidence sampling
  • Prioritized remediation roadmap
  • Effort & cost estimate
  • Executive read-out deck

05
Retainer

Fractional GRC / vCISO

Senior security leadership for companies that aren't ready to hire one full-time. On-call for board meetings, customer reviews, incidents, and everything in between.

  • Monthly security steering
  • Board & investor reporting
  • Customer security-review support
  • Vendor risk program ownership
  • Incident response coordination
  • Annual audit cycle management

06
Documentation

Policy development

Custom policies written in plain English, tailored to how your team actually works. Defensible to auditors; readable by the people expected to follow them.

  • Information security policy suite
  • Acceptable use, access control, BC/DR
  • Vendor & third-party risk policy
  • Incident response plan & runbooks
  • Privacy & data handling (PIPEDA)
  • Annual review cadence

07
Assurance

Internal audit

Independent internal audits that satisfy ISO's requirements and surface real findings you can act on before the external auditor arrives.

  • Annual internal audit plan
  • Control sampling & testing
  • Nonconformity reporting
  • CAPA (corrective action) tracking
  • Management review inputs
  • Auditor-ready evidence packaging

08
Training

Security awareness training

Role-appropriate, actually-engaging training that checks the auditor's box without wasting your team's time. Custom content for engineering, sales, and leadership tracks.

  • Annual base curriculum
  • Role-specific modules (eng, sales, ops)
  • Phishing simulation & reporting
  • Onboarding module for new hires
  • Completion tracking & evidence
  • Updates for new threats & policies

Scoping call

Not sure which of these you need?

Book a free 30-minute call. We'll walk through what your buyers are asking for and point you to the right starting place — even if it's not with us.