
Pass the audit. Sell to the enterprise. Sleep at night.
ISO 27001, Cyber Essentials Plus, SOC 2 and GDPR programmes designed to slot into how you actually work, not bolted on as a paperwork project.
Compliance is not paperwork. It is the price of doing business with serious customers, the gate on cyber insurance, and increasingly a board-level legal duty. We treat it that way. Our GRC team includes ISO 27001 lead implementers, lead auditors, certified DPOs and former Big Four audit managers, and we run programmes end to end through to certificate.
Our standard package gets a 25 to 100 person business ISO 27001 certified inside six months, including the management system, policies, controls, internal audit programme, gap remediation, supplier risk register, awareness training, and stage 1 and stage 2 audits with an accredited certification body. Cyber Essentials Plus is typically delivered in four to eight weeks.
After certification we keep you compliant continuously. That means quarterly internal audits, annual risk reviews, evidence collection automation, supplier reassessment, and a single source of truth for every certificate, control and policy. The audit becomes a thirty minute walk through a tidy system, not a six week scramble.
Capabilities included
ISO 27001 implementation
Full ISMS rollout from scoping through to stage 2 audit, including the 93 Annex A controls of ISO 27001:2022 mapped to your environment.
Cyber Essentials & Cyber Essentials Plus
Self-assessment, technical readiness, evidence collection and a CE Plus assessor relationship to certify on first attempt.
SOC 2 Type I & II readiness
Trust Services Criteria mapped to controls, evidence collection automated where possible, audit firm liaison through report issuance.
GDPR & UK Data Protection
ROPA, DPIAs, retention schedules, subject access procedures, breach response and outsourced DPO if required.
PCI DSS readiness
Scope reduction, control implementation and SAQ guidance for SaaS and e-commerce businesses.
Risk management
Quantified risk register, treatment plans, board-level KRIs and quarterly residual risk reviews.
Internal audit
Independent quarterly internal audits across ISMS, finance and IT controls with management response and tracking.
Vendor risk management
Supplier due diligence questionnaires, contract clause libraries, risk scoring and annual reassessment.
Security awareness training
Role-based learning paths, phishing simulation, board cyber briefings and developer secure coding workshops.
Tools we work with
Vendor-neutral. We pick the right fit for your scale, budget and existing investment.
Our delivery process
Scope
Define ISMS boundary, applicable standards, certification body and a written project plan with named owners.
Build
Roll out policies, controls, training and evidence collection. Weekly checkpoints and a live readiness dashboard.
Audit
Internal audit, management review, stage 1 and stage 2 with the certification body. We run the audit room.
Maintain
Quarterly internal audits, annual risk review, evidence freshness checks and continuous control monitoring.
What lands on your desk
Every engagement produces concrete artefacts you own and can show to your board, auditor or buyer.
- Documented Information Security Management System (ISMS) on a single platform
- Policy library mapped to ISO 27001 Annex A and your local regulatory obligations
- Risk register with quantified ratings and treatment plans
- Supplier register with due diligence evidence and reassessment dates
- Annual internal audit plan with quarterly audit reports and corrective actions
- Awareness training programme with role-based completion reporting
- Evidence pack ready for cyber insurance, RFPs and customer security reviews
- Certificate(s) issued by an accredited certification body
Common questions
Do you guarantee certification?
We have never had a client fail an ISO 27001 stage 2 audit when they followed our programme. We commit in writing to remediate any major non-conformity at no additional cost.
Will compliance slow our engineering team down?
Done well, no. We integrate evidence collection into the tools developers already use (GitHub, Jira, cloud accounts) so the system collects evidence in the background.
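As an illustration of what background evidence collection and continuous control monitoring (the "Maintain" step above) look like in practice, here is an added example, written for this page and not the firm's own tooling. It takes a snapshot of GitHub branch protection settings, checks it against a written change-management control, and emits a timestamped, hashed evidence record an auditor can trace back to the raw source. The snapshot is constructed to resemble the GitHub REST branch-protection response but is not a real capture; the control ID CHG-01 and its Annex A mapping are assumptions for the example.

```python
"""Continuous control monitoring: branch protection settings -> evidence records.

Added example for illustration. Assumes data shaped like the GitHub REST
"get branch protection" response; the control ID and Annex A mapping are
hypothetical and would come from the client's own ISMS.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample snapshot for two repositories (not a real capture).
SAMPLE_SNAPSHOT = {
    "example-org/payments-api": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 1,
            "dismiss_stale_reviews": True,
        },
        "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/sast"]},
        "allow_force_pushes": {"enabled": False},
        "enforce_admins": {"enabled": True},
    },
    "example-org/marketing-site": {
        # No PR review or status-check requirement configured at all.
        "allow_force_pushes": {"enabled": True},
        "enforce_admins": {"enabled": False},
    },
}

# The control being evidenced. The Annex A reference is an assumed mapping.
CONTROL = {
    "id": "CHG-01",
    "title": "Production code changes are peer reviewed and pass CI before merge",
    "mapped_to": ["ISO 27001:2022 A.8.32 (assumed)"],
    "min_reviewers": 1,
    "required_checks": {"ci/test"},
}


def evaluate_branch_protection(settings):
    """Return the list of requirement failures for one branch; empty list means pass."""
    findings = []
    reviews = settings.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < CONTROL["min_reviewers"]:
        findings.append("fewer than the required number of approving reviews")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale reviews are not dismissed on new commits")
    checks = settings.get("required_status_checks") or {}
    missing = CONTROL["required_checks"] - set(checks.get("contexts", []))
    if missing:
        findings.append("required status checks missing: " + ", ".join(sorted(missing)))
    if (settings.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed")
    if not (settings.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass branch protection")
    return findings


def build_evidence_record(repo, settings, collected_at):
    """One evidence record: verdict plus a hash of the canonicalised raw settings."""
    raw = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    findings = evaluate_branch_protection(settings)
    return {
        "control_id": CONTROL["id"],
        "source": f"github:{repo}:branch-protection:main",
        "collected_at": collected_at.isoformat(),
        "result": "pass" if not findings else "fail",
        "findings": findings,
        "raw_sha256": hashlib.sha256(raw).hexdigest(),
    }


def collect(snapshot, collected_at=None):
    """Evaluate every repository in the snapshot; deterministic order for diffing runs."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return [build_evidence_record(r, s, collected_at) for r, s in sorted(snapshot.items())]


if __name__ == "__main__":
    for record in collect(SAMPLE_SNAPSHOT):
        print(json.dumps(record, indent=2))
```

Run on a schedule, each record is appended to the evidence store; a "fail" raises a corrective action rather than waiting for the next internal audit, and the hash lets an auditor confirm the stored raw settings were not edited after collection.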
Can you act as our outsourced DPO?
Yes. We provide a named, certified Data Protection Officer with backup, fully indemnified, with quarterly board reporting.
Do you handle US standards too?
Yes. SOC 2 Type I and II, NIST CSF, NIST SP 800-53 mapping, HIPAA readiness and increasingly the new SEC cyber disclosure requirements for our clients with US parents.
Selling to the enterprise? You will need this.
Book a 30 minute compliance scoping call. We will tell you which standards your sales team needs, in what order and on what timeline. Then quote a fixed price.