📋

Compliance & GRC Services

End-to-end compliance support across ISO 27001, SOC 2, Cyber Essentials Plus, NIS2, HIPAA, and FedRAMP.

ISO 27001SOC 2Cyber Essentials PlusNIS2HIPAAFedRAMP
Serving clients across the United Kingdom & United States of America

What You Receive

  • Gap assessment against the target framework
  • Risk register and treatment plan
  • Policy and procedure documentation
  • Control implementation support and evidence packaging
  • Pre-audit readiness review and mock audit

Compliance work is not a security programme — it is documentation, evidence, and demonstration that your security programme operates as designed. The two often diverge. We provide compliance and GRC services that connect security operations to certification outcomes, supporting organisations through gap analysis, control implementation, evidence packaging, and pre-audit readiness review.

Frameworks We Support

ISO 27001:2022

The international gold standard for information security management. We support organisations through the full ISMS lifecycle: scoping, context analysis, risk assessment and treatment, Statement of Applicability, policy and procedure documentation, internal audit, management review, and Stage 1 + Stage 2 certification preparation. The 2022 revision moves from 114 to 93 Annex A controls; we help organisations transitioning from the 2013 edition handle the changes correctly.

SOC 2 Type I and Type II

The de facto standard for US B2B SaaS procurement. We help organisations select trust services criteria (Security mandatory; Availability, Confidentiality, Processing Integrity, Privacy optional based on customer requirements), implement controls, prepare evidence, and engage AICPA member firms for the formal attestation. For organisations new to SOC 2, we recommend starting with Type I to validate control design before committing to the Type II observation period.

For a side-by-side comparison of frameworks and which to choose, see our framework comparison guide.

Cyber Essentials and Cyber Essentials Plus

UK NCSC's prescriptive technical scheme. Cyber Essentials (basic) is self-assessed; Cyber Essentials Plus adds independent technical verification. We support both certification preparation and ongoing maintenance. Particularly relevant for UK organisations selling into UK public sector where CE+ is mandatory for many contracts.

NIS2 Directive

For organisations with EU exposure — either directly through EU-registered entities or indirectly through supply chain obligations — NIS2 Article 21 imposes substantial cybersecurity requirements with personal liability for management bodies. See our NIS2 readiness guide for the technical detail.

HIPAA Security Rule

For US healthcare organisations and their business associates. We support Risk Analysis, Risk Management, Workforce Training, Access Management, Audit Controls, Integrity, Transmission Security, and Business Associate Agreement requirements.

PCI-DSS v4.0

For organisations handling payment card data. We support SAQ completion for Levels 2-4 merchants and ROC preparation for Level 1 merchants in partnership with QSA firms. PCI-DSS v4.0 introduces substantial changes from v3.2.1 — particularly around continuous control validation and customised approaches.

FedRAMP

For organisations pursuing US federal market access. We support FedRAMP Moderate baseline preparation including SSP development, control implementation, and 3PAO engagement preparation. FedRAMP High and JAB authorisations supported in partnership with US-based specialist firms.

Sector-Specific Frameworks

UK: FCA SYSC, NHS DSPT, NCSC CAF. US: GLBA Safeguards Rule, NYDFS 23 NYCRR 500, SEC Cybersecurity Disclosure Rule. International: ISO 22301 (Business Continuity), ISO 27017 (Cloud Security), ISO 27018 (PII in Cloud), ISO 27701 (Privacy Information Management).

Our Methodology

Phase 1: Gap Assessment

Comprehensive analysis of current state against the target framework. Documented gap report with prioritised remediation roadmap. For multi-framework programmes, single gap assessment covering the union of all in-scope frameworks.

Phase 2: Risk Management

Risk register tailored to your business context, not a generic template. Risk treatment plan with documented decisions, control selection, and residual risk acceptance. Annual risk reassessment cadence established.

Phase 3: Control Implementation

Policy and procedure documentation customised to your environment. Technical control implementation support — often delivered in partnership with your internal teams. Evidence collection processes and templates.

Phase 4: Internal Audit and Pre-Certification Readiness

Internal audit conducted to identify any remaining gaps before the formal certification audit. Mock audit run with realistic auditor questioning. Evidence packaging and management review preparation.

Phase 5: Certification Audit Support

Liaison with the certification body. Audit attendance and support. Finding response and remediation tracking. Certificate issuance verification.

Phase 6: Ongoing Maintenance (Optional)

Quarterly programme management, evidence maintenance between audits, surveillance audit preparation, scope expansion support as your organisation grows.

UK & USA Programme Delivery

We deliver compliance programmes for UK, US, and multi-jurisdictional organisations. Cross-border programmes are increasingly common — UK organisations adding SOC 2 for US expansion, US organisations adding ISO 27001 for EU/UK expansion, and global organisations managing parallel certifications.

A typical multi-jurisdictional sequence:

| Starting Point | First Add | Second Add | |---------------|-----------|------------| | UK SME — UK public sector focus | Cyber Essentials Plus | ISO 27001 | | UK SaaS — UK enterprise focus | ISO 27001 | SOC 2 Type II (for US) | | US SaaS — US enterprise focus | SOC 2 Type II | ISO 27001 (for EU/UK) | | US healthcare | HIPAA + SOC 2 Type II | HITRUST | | US federal contractor aspirant | SOC 2 Type II | FedRAMP Moderate | | UK financial services | ISO 27001 | FCA SYSC alignment |

What You Receive

  • Gap assessment report — current state vs target framework with prioritised findings
  • Risk register and treatment plan — your business risks, documented decisions
  • Policy and procedure suite — customised to your environment, not generic templates
  • Implementation roadmap — sequenced control deployment plan
  • Evidence collection framework — what to collect, how to package, what auditors will ask for
  • Pre-audit readiness review — mock audit and gap identification before the real one
  • Audit liaison support — through Stage 1 + Stage 2 certification or attestation
  • Optional ongoing programme management — vCISO retainer or quarterly programme reviews

Frequently Asked Questions

Which compliance frameworks do you cover?
ISO 27001:2022, SOC 2 Type I and Type II, Cyber Essentials and Cyber Essentials Plus, NIS2 Directive, HIPAA Security Rule, GLBA Safeguards Rule, PCI-DSS v4.0, FedRAMP Moderate and High, UK NCSC Cyber Assessment Framework, FCA SYSC, and sector-specific frameworks on request. We also support multi-framework programmes where ISO 27001 forms the foundation with additional certifications layered on.
Are you a certification body?
No — we are an advisory and implementation partner, not an accredited certification body. We help organisations achieve certification readiness; the formal certification audit is conducted by an independent UKAS, ANAB, or AICPA-accredited body. This separation is required for certification integrity.
How long does ISO 27001 certification take from scratch?
6-12 months for organisations starting without an existing ISMS. Faster (3-6 months) for organisations with mature security practices needing formalisation. The timeline includes scoping, risk assessment, control implementation, internal audit, management review, and Stage 1 + Stage 2 certification audits by an accredited body.
How long does SOC 2 Type II take?
Type I (controls designed effectively): 3-6 months. Type II (controls operating effectively over 6-12 months): 9-18 months total. The Type II observation period is the longest single component and cannot be shortened — auditors need to observe controls operating consistently.
Do we need separate consultants for UK and US frameworks?
No — our team handles cross-jurisdictional programmes. A UK organisation expanding into US markets typically pursues ISO 27001 first (already widely recognised in UK) then SOC 2 Type II layered on the ISO 27001 foundation. A US organisation entering UK / EU markets adds ISO 27001 to existing SOC 2. Layered approaches are more cost-effective than treating each framework independently.
Can you support FedRAMP authorisation?
Yes for FedRAMP Moderate baseline preparation. FedRAMP High involves additional complexity that we support in partnership with US-based 3PAO firms. We do not act as the 3PAO — FedRAMP requires independent assessment — but we prepare clients for the 3PAO engagement and support remediation.
What about NIS2 in the UK?
Although NIS2 is an EU directive, many UK organisations have NIS2 exposure through EU subsidiaries or supply chain obligations. We help identify which entities and services fall within NIS2 scope and prepare for Article 21 control requirements. The UK Cyber Security and Resilience Bill will likely mirror NIS2 structure when enacted — preparing for one prepares you for both.
Can you act as our virtual CISO or compliance manager?
Yes — vCISO and compliance manager retainers are available. Typical engagements are 0.5-2 days per month providing ongoing programme management, board reporting, evidence maintenance between audits, and incident response support. This is more cost-effective for SMEs than hiring a full-time CISO.

Book a Compliance Gap Assessment

Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.

By submitting this form you agree to our privacy policy. We will only use your details to respond to this enquiry.