Services

Compliance programs for modern businesses.

Our engagements are scoped for outcomes. Each service below maps to a specific regulatory, contractual, or strategic objective — and we will tell you up front which ones you actually need, and which you don't.

ISO/IEC 27001:2022 Readiness

Flagship

The global benchmark for information security management systems. We take you from zero to Stage 2 audit readiness against the 2022 revision, including the restructured Annex A (93 controls grouped into organizational, people, physical and technological themes) and the transition requirements for organizations moving off the 2013 edition.

  • Scoping workshop and Statement of Applicability
  • Risk assessment methodology and risk register
  • Complete ISMS policy suite tailored to your environment
  • Control implementation advisory (93 Annex A controls)
  • Internal audit and management review facilitation
  • Stage 1 and Stage 2 certification support

Typical timeline: 12–18 weeks to Stage 2 audit readiness.

SOC 2 Readiness (Type I & Type II)

AICPA

Preparation for SOC 2 examinations against the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We work with your chosen CPA firm and handle the heavy lifting.

  • Trust Services Criteria scoping (Security is always in scope; Availability, Processing Integrity, Confidentiality and Privacy are added as your customers or contracts require)
  • Control design and mapping to TSC
  • Evidence workflow design — collect once, reuse for audits
  • Type I readiness (point-in-time control design)
  • Type II readiness (operating effectiveness over 3–12 months)
  • CPA auditor liaison and walk-through preparation

Typical timeline: 8–14 weeks for Type I; Type II requires an observation window.

GDPR Compliance Programs

EU / UK

For companies processing personal data of European or UK residents. We build pragmatic, defensible data protection programs — not theatre.

  • Record of Processing Activities (Article 30 ROPA)
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Lawful basis analysis and consent design
  • Cross-border transfer assessments (SCCs, TIAs)
  • Data subject rights procedures
  • Data Protection Officer advisory (outsourced DPO available)

India DPDP Act Compliance

India

The Digital Personal Data Protection Act, 2023 changes the compliance landscape for every Indian business. We help you navigate obligations as a Data Fiduciary (or Significant Data Fiduciary).

  • Data Fiduciary / SDF classification and scoping
  • Notice and consent architecture (consent that is free, specific, informed, unconditional and unambiguous, as Section 6 of the Act requires)
  • Data principal rights operations
  • Data breach notification procedures (reporting to the Data Protection Board of India and affected Data Principals, including the 72-hour Board report)
  • Consent Manager integrations where applicable
  • DPO / Grievance Officer operating model

NIST CSF & NIST SP 800-53 Alignment

US / Federal

Cybersecurity Framework alignment for companies selling into US federal, critical infrastructure, or security-sensitive markets. We map your existing controls to NIST functions and plug the gaps.

  • Current-state profile against CSF 2.0 categories
  • Target-state profile based on business risk appetite
  • Roadmap to close priority gaps
  • Mapping to SP 800-53 control families where required

PCI DSS Readiness

Payments

For merchants and service providers handling cardholder data. We help you achieve and maintain PCI DSS v4.0.1 compliance (v4.0 was retired at the end of 2024) through scope reduction, segmentation, and operational discipline.

  • Cardholder data environment (CDE) scoping
  • Network segmentation advisory
  • SAQ selection and completion support
  • Quarterly ASV scan coordination
  • QSA engagement liaison for Level 1 merchants and service providers that need a Report on Compliance (RoC)

Policy & Control Development

Standalone

Sometimes you don't need a full certification — you need a credible policy stack because a customer asked for one, or because your board requires it. We draft policies calibrated to your environment, not copy-pasted templates.

  • Information security policy suite (20–30 policies as needed)
  • Acceptable use, access control, incident response, BCP/DR
  • Secure development lifecycle, change management
  • Vendor / third-party risk management program
  • Review cycles, approval workflows, and change tracking

Virtual CISO (vCISO)

Fractional

Fractional security leadership for scale-ups that aren't ready for a full-time CISO hire. Monthly retainer, board-level reporting, hands-on program ownership.

  • Quarterly risk strategy and board reporting
  • Vendor security reviews and customer security questionnaires
  • Incident response coordination
  • Security program roadmap and budget advisory
  • Direct escalation line for security decisions

Internal Audits

Pre-Cert

Independent, pre-certification internal audits for companies that already have an ISMS in place. We surface real findings before the certification body does — not rubber-stamp what's on paper.

  • ISO 27001 internal audit against Annex A and clauses 4–10
  • SOC 2 readiness audit against TSC
  • Evidence sampling and control operating effectiveness testing
  • Written internal audit report and remediation tracker
  • Management review facilitation

Not sure which fits?

Let's figure it out together.

A 30-minute scoping call is the fastest way to understand what your business actually needs. No sales pressure, no commitment.