Compliance & GRC Services
End-to-end compliance support across ISO 27001, SOC 2, Cyber Essentials Plus, NIS2, HIPAA, and FedRAMP.
What You Receive
- Gap assessment against the target framework
- Risk register and treatment plan
- Policy and procedure documentation
- Control implementation support and evidence packaging
- Pre-audit readiness review and mock audit
Compliance work is not a security programme — it is documentation, evidence, and demonstration that your security programme operates as designed. The two often diverge. We provide compliance and GRC services that connect security operations to certification outcomes, supporting organisations through gap analysis, control implementation, evidence packaging, and pre-audit readiness review.
Frameworks We Support
ISO 27001:2022
The international gold standard for information security management. We support organisations through the full ISMS lifecycle: scoping, context analysis, risk assessment and treatment, Statement of Applicability, policy and procedure documentation, internal audit, management review, and Stage 1 + Stage 2 certification preparation. The 2022 revision moves from 114 to 93 Annex A controls; we help organisations transitioning from the 2013 edition handle the changes correctly.
SOC 2 Type I and Type II
The de facto standard for US B2B SaaS procurement. We help organisations select trust services criteria (Security mandatory; Availability, Confidentiality, Processing Integrity, Privacy optional based on customer requirements), implement controls, prepare evidence, and engage AICPA member firms for the formal attestation. For organisations new to SOC 2, we recommend starting with Type I to validate control design before committing to the Type II observation period.
For a side-by-side comparison of frameworks and which to choose, see our framework comparison guide.
Cyber Essentials and Cyber Essentials Plus
UK NCSC's prescriptive technical scheme. Cyber Essentials (basic) is self-assessed; Cyber Essentials Plus adds independent technical verification. We support both certification preparation and ongoing maintenance. Particularly relevant for UK organisations selling into UK public sector where CE+ is mandatory for many contracts.
NIS2 Directive
For organisations with EU exposure — either directly through EU-registered entities or indirectly through supply chain obligations — NIS2 Article 21 imposes substantial cybersecurity requirements with personal liability for management bodies. See our NIS2 readiness guide for the technical detail.
HIPAA Security Rule
For US healthcare organisations and their business associates. We support Risk Analysis, Risk Management, Workforce Training, Access Management, Audit Controls, Integrity, Transmission Security, and Business Associate Agreement requirements.
PCI-DSS v4.0
For organisations handling payment card data. We support SAQ completion for Levels 2-4 merchants and ROC preparation for Level 1 merchants in partnership with QSA firms. PCI-DSS v4.0 introduces substantial changes from v3.2.1 — particularly around continuous control validation and customised approaches.
FedRAMP
For organisations pursuing US federal market access. We support FedRAMP Moderate baseline preparation including SSP development, control implementation, and 3PAO engagement preparation. FedRAMP High and JAB authorisations supported in partnership with US-based specialist firms.
Sector-Specific Frameworks
UK: FCA SYSC, NHS DSPT, NCSC CAF. US: GLBA Safeguards Rule, NYDFS 23 NYCRR 500, SEC Cybersecurity Disclosure Rule. International: ISO 22301 (Business Continuity), ISO 27017 (Cloud Security), ISO 27018 (PII in Cloud), ISO 27701 (Privacy Information Management).
Our Methodology
Phase 1: Gap Assessment
Comprehensive analysis of current state against the target framework. Documented gap report with prioritised remediation roadmap. For multi-framework programmes, single gap assessment covering the union of all in-scope frameworks.
Phase 2: Risk Management
Risk register tailored to your business context, not a generic template. Risk treatment plan with documented decisions, control selection, and residual risk acceptance. Annual risk reassessment cadence established.
Phase 3: Control Implementation
Policy and procedure documentation customised to your environment. Technical control implementation support — often delivered in partnership with your internal teams. Evidence collection processes and templates.
Phase 4: Internal Audit and Pre-Certification Readiness
Internal audit conducted to identify any remaining gaps before the formal certification audit. Mock audit run with realistic auditor questioning. Evidence packaging and management review preparation.
Phase 5: Certification Audit Support
Liaison with the certification body. Audit attendance and support. Finding response and remediation tracking. Certificate issuance verification.
Phase 6: Ongoing Maintenance (Optional)
Quarterly programme management, evidence maintenance between audits, surveillance audit preparation, scope expansion support as your organisation grows.
UK & USA Programme Delivery
We deliver compliance programmes for UK, US, and multi-jurisdictional organisations. Cross-border programmes are increasingly common — UK organisations adding SOC 2 for US expansion, US organisations adding ISO 27001 for EU/UK expansion, and global organisations managing parallel certifications.
A typical multi-jurisdictional sequence:
| Starting Point | First Add | Second Add | |---------------|-----------|------------| | UK SME — UK public sector focus | Cyber Essentials Plus | ISO 27001 | | UK SaaS — UK enterprise focus | ISO 27001 | SOC 2 Type II (for US) | | US SaaS — US enterprise focus | SOC 2 Type II | ISO 27001 (for EU/UK) | | US healthcare | HIPAA + SOC 2 Type II | HITRUST | | US federal contractor aspirant | SOC 2 Type II | FedRAMP Moderate | | UK financial services | ISO 27001 | FCA SYSC alignment |
What You Receive
- Gap assessment report — current state vs target framework with prioritised findings
- Risk register and treatment plan — your business risks, documented decisions
- Policy and procedure suite — customised to your environment, not generic templates
- Implementation roadmap — sequenced control deployment plan
- Evidence collection framework — what to collect, how to package, what auditors will ask for
- Pre-audit readiness review — mock audit and gap identification before the real one
- Audit liaison support — through Stage 1 + Stage 2 certification or attestation
- Optional ongoing programme management — vCISO retainer or quarterly programme reviews
Frequently Asked Questions
Which compliance frameworks do you cover?
Are you a certification body?
How long does ISO 27001 certification take from scratch?
How long does SOC 2 Type II take?
Do we need separate consultants for UK and US frameworks?
Can you support FedRAMP authorisation?
What about NIS2 in the UK?
Can you act as our virtual CISO or compliance manager?
Book a Compliance Gap Assessment
Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.