Frameworks we implement

Five programs. One implementation discipline.

Every framework below is delivered as a full implementation engagement — scoping, gap assessment, risk analysis, control build, documentation, and audit readiness. Use the selector to step through each.

A — Information security

ISO/IEC 27001:2022

Information Security Management System.

The international standard for information security management. Requires a documented ISMS aligned to clauses 4–10 and the 93 Annex A controls (organisational, people, physical, technological). An accredited certification body performs the audit — we deliver the programme that passes it.

Implementation phases

• Phase 1 · Scoping, context, ISMS charter
• Phase 2 · Risk assessment & asset-based register
• Phase 3 · Statement of Applicability, treatment plan
• Phase 4 · Policy build (24–30 documents)
• Phase 5 · Control implementation & evidence
• Phase 6 · Internal audit & management review
• Phase 7 · Stage 1 / Stage 2 certification readiness

Focus areas

• Clauses 4–10 · Context, leadership, planning, support, operation, performance evaluation, improvement
• Annex A.5 · Organisational controls (37)
• Annex A.6 · People controls (8)
• Annex A.7 · Physical controls (14)
• Annex A.8 · Technological controls (34)

Deliverables

• ISMS-001 · Scope & context document
• ISMS-002 · Risk methodology
• ISMS-003 · Risk & treatment register
• ISMS-004 · Statement of Applicability
• ISMS-005 · Policy set (24+ documents)
• ISMS-006 · Internal audit report
• ISMS-007 · Management review pack
• ISMS-008 · Certification evidence bundle

B — Cybersecurity reference

NIST CSF 2.0

Outcome-based framework organised around six Functions — Govern (new in 2.0), Identify, Protect, Detect, Respond, Recover. Excellent anchor for enterprise programs, critical infrastructure, and hybrid standards environments.

Implementation phases

• Phase 1 · Govern baseline & strategy
• Phase 2 · Identify: assets, context, risk
• Phase 3 · Protect: access, awareness, data
• Phase 4 · Detect: monitoring, anomalies
• Phase 5 · Respond: playbooks, comms, analysis
• Phase 6 · Recover: continuity, lessons learned
• Phase 7 · Tier-progression roadmap

Focus areas

• GV · Governance, risk management strategy, roles, policy
• ID · Asset management, risk assessment, supply chain
• PR · Identity, data security, platform, awareness
• DE · Continuous monitoring, adverse event analysis
• RS · Response planning, comms, mitigation
• RC · Recovery planning, improvements

Deliverables

• CSF-001 · Current Profile
• CSF-002 · Target Profile
• CSF-003 · Cross-function control matrix
• CSF-004 · Tier assessment + remediation roadmap
• CSF-005 · Incident response & recovery playbooks
• CSF-006 · Supply-chain risk programme

C — Service organisation controls

SOC 2 · Readiness

Service-organisation control examination anchored in the AICPA Trust Services Criteria. We deliver the readiness programme — control build, documentation, evidence architecture, and auditor liaison. The attestation itself is issued by a licensed CPA firm.

Implementation phases

• Phase 1 · Trust Services Criteria scoping
• Phase 2 · System description drafting
• Phase 3 · Control mapping (CC1–CC9)
• Phase 4 · Gap remediation & control build
• Phase 5 · Evidence architecture
• Phase 6 · Observation window (Type II)
• Phase 7 · CPA auditor liaison

Focus areas

• Security · Common Criteria CC1–CC9 (mandatory)
• Availability · Capacity, resilience, recovery
• Confidentiality · Classification, retention, destruction
• Processing Integrity · Completeness, accuracy, timeliness
• Privacy · Notice, choice, collection, use, retention

Deliverables

• SOC-001 · System description
• SOC-002 · TSC control matrix
• SOC-003 · Policy set (access, change, incident, vendor, BC/DR)
• SOC-004 · Evidence library & sampling plan
• SOC-005 · Auditor response pack
• SOC-006 · Complementary user entity controls (CUECs) documentation

D — Data protection

GDPR · UK GDPR · India DPDP 2023

Data-protection operating model covering records of processing, lawful basis, rights operations, processor governance, international transfers, breach response, and Data Protection Impact Assessments. Jurisdiction-aware for cross-border programs.

Implementation phases

• Phase 1 · Records of Processing (ROPA)
• Phase 2 · Lawful basis & consent
• Phase 3 · Rights operations (DSAR)
• Phase 4 · Processor governance (Art. 28)
• Phase 5 · International transfers & TIAs
• Phase 6 · Breach response (Art. 33/34)
• Phase 7 · DPIA programme

Focus areas

• Art. 5 · Lawfulness, fairness, transparency
• Art. 12–22 · Rights of data subjects
• Art. 24–31 · Controller & processor obligations
• Art. 32 · Security of processing
• Art. 44–49 · Transfers to third countries
• DPDP 2023 · Indian notice, consent, cross-border

Deliverables

• PRV-001 · ROPA
• PRV-002 · Privacy notice suite
• PRV-003 · Consent & cookie framework
• PRV-004 · DSAR playbook & templates
• PRV-005 · Processor agreement pack
• PRV-006 · Transfer Impact Assessment
• PRV-007 · Breach response runbook
• PRV-008 · DPIA template & register

E — Protected health information

HIPAA Security & Privacy

For Covered Entities and Business Associates handling electronic Protected Health Information (ePHI). Administrative, physical and technical safeguards under the Security Rule, plus Privacy Rule and Breach Notification Rule implementation.

Implementation phases

• Phase 1 · ePHI discovery & data-flow map
• Phase 2 · Risk analysis §164.308(a)(1)(ii)(A)
• Phase 3 · Administrative safeguards
• Phase 4 · Physical safeguards
• Phase 5 · Technical safeguards & encryption
• Phase 6 · Privacy Rule operations
• Phase 7 · Breach procedures §164.400–414

Focus areas

• Security Rule · Administrative, physical, technical safeguards
• Privacy Rule · Uses, disclosures, individual rights
• Breach Notification · 4-factor assessment, 60-day clock
• Enforcement Rule · Penalties & investigations
• Omnibus · Business Associate direct liability

Deliverables

• HIP-001 · ePHI inventory & data-flow map
• HIP-002 · Risk analysis & management plan
• HIP-003 · Administrative / physical / technical policies
• HIP-004 · Business Associate Agreement set
• HIP-005 · Breach notification runbook
• HIP-006 · Workforce training materials

Start a framework implementation

Pick the standard. We’ll scope the programme.

Share your framework, timeline and current posture. You’ll receive a fixed-scope proposal with timeline, deliverables and fee within two business days.