Do you certify organisations to ISO 27001?

No. Certification is issued by an accredited certification body. Ethyra Advisory implements the ISMS and prepares the organisation for that external audit.

How long does an ISO 27001 implementation take?

Most first-time implementations are scoped at 12–16 weeks, plus Stage 1 / Stage 2 certification-body audits. Timeline depends on scope, existing controls, and internal bandwidth.

What is the difference between SOC 2 readiness and a SOC 2 audit?

Readiness is the preparation phase — building controls, documentation, and evidence architecture. The SOC 2 attestation itself is issued by a licensed CPA firm after an independent examination.

Do you operate outside India?

Yes. We deliver to clients across India, the EU and the US remotely, with jurisdiction-aware treatment of GDPR, UK GDPR, DPDP 2023 and sectoral frameworks.

GRC Implementation · India & EU

Implement ISO 27001. Pass the audit the first time.

Ethyra Advisory is an independent GRC practice. We design, document and operate information-security programs that hold up under scrutiny — from scoping the ISMS to the auditor’s closing meeting.

Book a consultation See frameworks

Engagement: Fixed-scope or retainer
Typical timeline: 12–16 weeks
Sector focus: SaaS · Fintech · Health

Statement of Applicability — ISO/IEC 27001:2022

Ctrl	Title	Status
A.5.1	Policies for information security	Implemented
A.5.9	Inventory of information & assets	Implemented
A.5.23	Cloud service use & security	In progress
A.6.3	Awareness, education, training	Implemented
A.8.24	Use of cryptography	In progress
A.8.28	Secure coding	Implemented

6 of 93 controls shown Revision 1.2 · Apr 2026

0Annex A controls we operationalise

0Frameworks we implement end-to-end

0Stage delivery method, doc-backed

0Response SLA on engagement enquiries

01 — Frameworks

Five programs, one implementation discipline.

We work across the frameworks that matter for SaaS, financial services, and health organisations operating in India, the EU and the US. Each engagement is scoped to the standards’ exact requirements — no templated uplift, no vendor lock-in.

ISO/IEC 27001:2022

Information Security Management System

Full ISMS with Clause 4–10 evidence, 93-control Statement of Applicability, and audit-ready documentation.

Implementation detail NIST CSF 2.0

Cybersecurity Framework

Govern, Identify, Protect, Detect, Respond, Recover — mapped to your current profile with a quantified tier roadmap.

Implementation detail SOC 2 · Readiness

Trust Services Criteria

CC1–CC9 control build, evidence architecture, and auditor-liaison support. Attestation issued by a CPA firm.

Implementation detail GDPR · UK GDPR · DPDP 2023

Data Protection & Privacy

Records of Processing, lawful basis, rights operations, processor chain, cross-border transfer, DPIA and breach response.

Implementation detail HIPAA

Security, Privacy, Breach Notification

ePHI safeguards across administrative, physical and technical domains, with Business Associate Agreements.

Implementation detail Cross-framework

Unified control catalogue

One control catalogue, multiple certifications. Crosswalks across ISO, NIST, SOC 2, CIS and your contractual obligations.

All frameworks

02 — Approach

Eight stages. No ambiguity at any of them.

A documented delivery method with explicit inputs, outputs, and owners. You always know what stage you are in, what comes next, and what you need to approve.

Stage 01

Discovery

Scope, context, stakeholders, obligations.

Stage 02

Gap assessment

Baseline vs. framework requirements.

Stage 03

Risk analysis

Asset-based register with impact / likelihood.

Stage 04

Control mapping

SoA, crosswalks, treatment planning.

Stage 05

Implementation

Technical and administrative control build.

Stage 06

Documentation

Policy set, procedures, records, evidence.

Stage 07

Internal audit

Independent clause-by-clause review.

Stage 08

Audit readiness

Stage 1 / Stage 2 rehearsal & evidence pack.

Full 8-stage methodology

03 — Deliverables

Tangible outputs. Not slide decks.

Every engagement produces a concrete set of documents, registers and records. All organised, version-controlled, and handed over in a format your team can maintain after we leave.

Group A

Governance

ISMS scope & context
Information security policy
Roles & responsibilities matrix
Supplier & third-party policy
Acceptable use policy
Management review pack

Group B

Risk

Risk methodology
Asset inventory
Risk register (asset-based)
Treatment plan
Residual risk register
Vendor risk assessments

Group C

Compliance

Statement of Applicability
Cross-framework crosswalk
Legal & contractual register
Internal audit programme
Evidence library
Non-conformity tracker

Group D

Documentation

Access control policy
Change management policy
Incident response plan
Business continuity plan
Cryptography & key mgmt
Secure development procedure

Complete deliverables catalogue

04 — Why this firm

A boutique practice with a documented discipline.

Most firms sell assessments and reports. We implement, document, and hand over a programme your team can run. Our engagements are designed to survive audits, team changes, and growth.

Implementation, not certification

We build the programme

We are an independent advisory — not a certification body or auditor. That separation is a feature: no conflict of interest, no pass-the-exam theatre.

Standards-first

Rooted in the actual text

Every recommendation cites the clause, control or article it addresses. You get an evidence trail that maps cleanly to the framework.

Boutique engagement

Senior people, small caseload

No pyramid staffing. Your engagement is led end-to-end by the people who scoped it. We take fewer clients so we can be accountable to each one.

Confidential by default

Discretion is a deliverable

NDA-first intake. No logos, case studies or identifying anecdotes without written permission. Our reference list is shared privately under MNDA.

Hand-over ready

Built for your team to run

Programs are documented so your in-house team can operate, review and extend them without us. Re-engagement is optional, never engineered.

Jurisdiction-aware

India · EU · US coverage

DPDP 2023, GDPR, HIPAA, SOC 2 and ISO 27001 — implemented with an understanding of how they interact in cross-border operations.

Ready to start?

Begin with a 30-minute scoping call. No pitch deck, no salesperson.

Tell us the framework you’re implementing, your deadline, and the in-house resources you have. You’ll receive a scoped proposal with timeline, deliverables, and fixed fee within two business days.

Request a consultation See how we work