Methodology

A documented eight-stage implementation.

No ambiguity about where we are, what’s next, or what you need to approve. Every engagement moves through the same eight stages — with framework-specific outputs at each step.

  1. Discovery & scoping

    Establish the boundary of the engagement: systems in scope, stakeholders, regulatory and contractual obligations, and the certification outcome you’re working toward. We calibrate to your organisation rather than a template.

    • Scope statement with systems, locations and data types
    • Stakeholder map and RACI draft
    • Obligations register (regulations, contracts, client commitments)

  2. Gap assessment

    Baseline your current state against every requirement of the chosen framework. We work from the standard’s text, not a simplified checklist — findings are traceable to specific clauses, controls or articles.

    • Clause-by-clause (and/or Annex A) gap register
    • Evidence review of existing policies, procedures, records
    • Prioritised remediation backlog with effort estimates

  3. Risk analysis

    Asset-based risk assessment: identification, valuation, threat and vulnerability analysis, and impact / likelihood scoring. The register becomes the operating basis for control selection and treatment.

    • Information asset inventory with ownership
    • Risk register with inherent and residual scores
    • Risk treatment plan with owner-dated actions

  4. Control mapping

    Translate treatment decisions into a Statement of Applicability or equivalent control matrix. Where you are implementing more than one framework, we build a crosswalk so a single control satisfies multiple standards.

    • Statement of Applicability / TSC matrix
    • Cross-framework control crosswalk
    • Justification notes and residual-risk acceptance records

  5. Implementation support

    Hands-on build of the administrative, physical and technical controls. We pair with your engineering, IT and operations leads — we don’t parachute in advice and leave.

    • Control-build workstreams with named owners
    • Operational procedures and standard work
    • Evidence capture plan (tickets, logs, screenshots)

  6. Documentation

    Author the full policy set and supporting procedures. Documents are written to the standard’s language, version-controlled, and structured so your team can maintain them after the engagement.

    • 24–30 clause-mapped policies (framework-dependent)
    • Procedure library with approvals and revision history
    • Records templates (training, access review, incident log)

  7. Internal audit & management review

    Independent internal audit against the framework’s requirements, followed by a management review with evidence of performance, non-conformities and improvements.

    • Internal audit programme, plan and report
    • Non-conformity register with root cause and corrective action
    • Management review minutes and decisions pack

  8. Audit readiness

    Certification-body or auditor rehearsal. We sit with your team through the request list, walkthrough interviews and evidence review — and stay engaged through the closing meeting if needed.

    • Stage 1 / Stage 2 (ISO) or examination (SOC 2) rehearsal
    • Evidence binder organised by clause / criterion
    • Post-audit remediation pack (if findings)

Operating principles

How we work, beyond the stages.

A few non-negotiable behaviours that separate a programme your team can run from a programme that passes once and decays.

Discipline 01

Traceability

Every control, policy and record is tagged to the clause or article it satisfies. No orphan documentation.

Discipline 02

Transfer of ownership

Your internal team is written into every stage. By audit, they know the programme better than we do.

Discipline 03

Evidence over assertion

If it’s not recorded, it didn’t happen. Operational evidence is designed in from day one, not chased later.

Discipline 04

Fixed fee, fixed scope

Scoping is thorough enough that the commercial arrangement doesn’t creep. Change orders are transparent.

Engage the practice

Tell us your framework and timeline. We’ll scope it.

A 30-minute scoping call produces a fixed-scope proposal with timeline, deliverables and fee.