Compliance Services
Expert guidance through complex regulatory landscapes where multiple frameworks intersect and standard approaches fall short.
Risk Management
Effective risk management goes beyond templates and tick-boxes. We help organisations develop genuine understanding of their risk landscape and make informed decisions about risk treatment.
Our approach integrates information security risk with broader business risk, providing boards and executives with the clarity they need to allocate resources effectively.
- Risk assessment framework design and implementation
- Information asset identification and classification
- Threat modelling and vulnerability assessment
- Risk treatment planning and tracking
- Risk appetite definition and governance
- Board-level risk reporting and communication
Data Privacy Services
Data privacy requirements continue to evolve and expand. We help organisations understand their obligations, implement appropriate controls, and respond effectively when things go wrong.
Our practical approach focuses on embedding privacy into business processes rather than bolting on compliance activities that add cost without reducing risk.
- GDPR and UK data protection compliance
- Data protection impact assessments (DPIA)
- Privacy programme design and implementation
- Data mapping and records of processing
- Subject rights request procedures
- Breach response planning and support
DORA Compliance
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) introduces significant requirements for financial entities and their ICT service providers, and has applied since 17 January 2025.
DORA requires financial entities to establish comprehensive ICT risk management frameworks, implement robust incident classification and reporting mechanisms, conduct regular resilience testing (including threat-led penetration testing for entities designated by their competent authority), and manage third-party ICT risks effectively. The regulation applies not only to banks, insurers, and investment firms, but also to ICT third-party service providers designated as critical, which come under direct oversight by the European Supervisory Authorities.
We help organisations navigate DORA requirements with practical implementation strategies that build genuine resilience, not just compliance artefacts. Our approach addresses:
- Gap assessment against DORA requirements
- ICT risk management framework development
- Incident classification and reporting procedures
- Digital operational resilience testing programmes
- Third-party risk management for ICT providers
- Information sharing arrangements
For detailed guidance on DORA compliance, visit dora-consultancy.com.
Post-Quantum Cryptography (PQC) Readiness
A cryptographically relevant quantum computer would break the public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve cryptography) that underpin TLS, key exchange, and digital signatures; symmetric ciphers and hash functions are weakened less and can be addressed with larger parameters. Because data encrypted today can be captured and decrypted once such a machine exists, organisations must begin preparing now for the transition to quantum-resistant algorithms.
The transition to post-quantum cryptography is not a simple upgrade. NIST published its first PQC standards in August 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), but adopting them requires a comprehensive assessment of cryptographic dependencies, careful planning to avoid disruption, and phased implementation that balances security with operational stability.
We help organisations understand their exposure and develop practical transition roadmaps that address:
- Cryptographic inventory and dependency mapping
- Risk assessment for quantum-vulnerable systems
- PQC transition strategy and roadmap development
- Vendor and supply chain cryptographic assessment
- Hybrid cryptographic implementation guidance (combining classical and post-quantum algorithms during transition)
- Long-term data protection strategies
For detailed guidance on PQC readiness, visit pqcconsultancy.com.
ISO 27001 Certification
ISO 27001 provides a structured framework for information security management. We guide organisations through implementation and certification with a focus on building genuine security capability.
Gap Analysis
Assessment of your current security controls against ISO 27001 requirements, identifying gaps and prioritising remediation based on risk and effort.
ISMS Development
Design and documentation of your Information Security Management System, including policies, procedures, and the Statement of Applicability.
Implementation Support
Hands-on support to implement controls, conduct internal audits, and prepare your team for certification assessment.
Certification Support
Preparation for and support during Stage 1 and Stage 2 certification audits, including remediation of any non-conformities.
IT Audit Services
Independent assurance over your IT controls and processes.
IT General Controls Audit
Assessment of access controls, change management, backup procedures, and other IT general controls for SOX, SOC, or internal assurance purposes.
Cybersecurity Audit
Evaluation of cybersecurity controls against established frameworks, identifying gaps and providing practical remediation recommendations.
Third-Party Assurance
Review and interpretation of SOC reports, security assessments, and certifications from your vendors and service providers.
Selected Project Examples
Compliance challenges are rarely solved by templates. Each organisation has unique regulatory obligations, risk appetites, and operational constraints. Here's how we've helped clients navigate complex requirements.
Hedge Fund DORA Compliance
Comprehensive DORA compliance programme for a hedge fund, establishing ICT risk management framework from the ground up.
- Company-wide ICT risk assessment
- Policy and standards development
- Asset management framework
- Business continuity planning
Outcome: Full DORA readiness achieved ahead of regulatory deadline, framework scaled for ongoing compliance management.
Medical Device HIPAA
HIPAA compliance implementation for a medical devices startup, enabling sales to US covered entities.
- Governance and policy implementation
- Technical controls design
- Staff awareness training
- Third-party compliance reviews
Outcome: Successfully passed enterprise client security assessments, unlocking $2M+ in previously blocked opportunities.
Transportation ISO 27001
End-to-end ISO 27001:2013 certification programme for a large transportation organisation.
- Gap analysis and project management
- Governance and policy implementation
- Internal awareness training
- Pre-audit review and remediation
Outcome: Successful certification on first attempt, no major non-conformities identified during Stage 2 audit.
Wealth Management GDPR
Data privacy implementation for a leading wealth management provider with over 6 million monthly visitors.
- Legal basis identification
- Privacy policies and standards
- Subject access rights procedures
- Data processing agreement alignment
Outcome: Full GDPR compliance achieved, subject access request handling time reduced from weeks to days.
Security Startup SOC 2
SOC 2 Type II preparation for a security technology startup entering enterprise sales.
- Risk assessment and gap analysis
- Governance framework updates
- Operational process improvements
- External penetration testing
Outcome: Clean SOC 2 Type II report obtained, enabling Fortune 500 customer acquisition previously blocked by compliance requirements.
SaaS Escrow Solution
Creation of a fully functional dormant SaaS environment to support M&A requirements for an educational provider.
- Terraform Kubernetes deployment
- Automated daily source code updates
- Docker component deployment
- Quarterly end-to-end testing
Outcome: Buyer confidence secured, escrow arrangement contributed to successful acquisition completion.
Our Boutique Approach
We help you build compliance programmes that work for your organisation, not bureaucratic overhead that slows you down.
Framework Integration
We help you leverage overlap between frameworks - one control set, multiple compliance outcomes. DORA, ISO 27001, and SOC 2 don't need separate programmes.
Pragmatic Implementation
We design controls that fit your operations, not textbook solutions that look good on paper but don't survive contact with reality.
Certification Success
Our clients consistently achieve certification on first attempt. We know what auditors look for and prepare you accordingly.
Knowledge Transfer
We build your team's capabilities alongside delivering compliance programmes. You maintain and evolve your compliance posture independently.
Get in Touch
Tell us about your project and we'll get back to you within 24 hours.