Compliance has moved to the platform layer, and the platform layer is largely theatre. A green dashboard, a signed report, and an unchanged security posture are now the normal end-state of a certification project. We work on the gap. Whatever platform you have, we make its output mean something. We read your evidence the way an auditor will, then the way an attacker will, and tell you where those readings diverge.

For most clients, compliance is not a cost centre. It is a revenue enabler. Larger buyers expect a level of vendor compliance to manage their own third-party risk, and your posture is what unblocks the sale. We treat the work that way.

Wherever you are based, the regulatory and cultural gap between your home jurisdiction and UK or EU markets tends to be wider than the home team estimates. A SOC 2 report, an APAC equivalent, or a domestic certification is usually a credible starting position rather than a finish line. Inside the UK and EU, the same applies across national differences: BaFin, CSSF, ACPR, DNB and the FCA each read the same rulebook in their own dialect.

Where the value sits

Frameworks are now a commodity. The work that is not commoditised is everything around them.

Multi-jurisdiction translation

DORA, NIS2, UK CTP regime, GDPR, EU AI Act, plus national NCA quirks. The translation work between regulatory languages that legal alone cannot do.

DORA on both sides

Implementation for financial entities and DORA from the critical third-party side. Two different conversations, two different sets of artefacts. We cross-link to deeper analysis on dora-consultancy.com.

Register of Information as a risk tool

Not an annual filing. The 6.5% dry-run pass rate is the clue. We rebuild registers that examiners and incident-response teams can both use.

PQC readiness as a compliance programme

NIST FIPS 203, 204, 205 are standards. Treating PQC as a side project rather than a programme is the common mistake. For the cryptographic transition itself, see pqcconsultancy.com. Examiners will start asking.

Substitutability assessments

The analytical field everyone leaves blank in their Register of Information. It is also the field the ESAs use to judge whether your third-party risk practice is real.

Data privacy as a working discipline

GDPR and the rest are not a one-time exercise. They are a way to conduct business. We embed privacy into processes rather than bolt on compliance activity that adds cost without reducing risk.

We bring a solution, not a menu

Compliance is a body of judgement, not a body of forms. Our job is to read the room, the regulator and the auditor in the same conversation and bring a solution that works, not list the seventeen options that could theoretically work. You do not pay senior consultants to expand the option set; you pay them to narrow it.

Risk management as a working discipline, not a register. Risk appetite that operations can act on. Residual-risk thresholds that mean something at month-end. Quantitative risk used where the numbers genuinely move investment, not as theatre.

What we deliver

Beyond the positioning above, the specific offerings inside our compliance practice.

Risk management as a practice

Risk-framework design that ties asset identification, threat modelling, treatment planning, risk appetite and board-level reporting into one governance cadence rather than four parallel ones. Quantitative risk where the numbers actually move decisions, qualitative where they do not. Residual-risk thresholds that mean something at month-end.

Data privacy

GDPR and UK Data Protection compliance, data-protection impact assessments (DPIA), privacy programme design and implementation, data mapping and records of processing, subject-rights request procedures, breach response planning and support. Embedded into business processes rather than bolted on as compliance activity.

DORA implementation

Gap assessment against DORA requirements, ICT risk management framework, incident classification and reporting procedures, digital operational resilience testing programme design, third-party risk management for ICT providers, information-sharing arrangements. We work both sides: financial entities and critical third-party providers. Deeper analysis published at dora-consultancy.com.

ISO 27001 readiness

Gap analysis against ISO 27001 (and 27017 where cloud services are in scope), ISMS design and documentation including the Statement of Applicability, hands-on implementation support, internal audit, Stage 1 and Stage 2 audit preparation and remediation. We can also act as your surrogate internal audit function on an ongoing basis.

IT audit

IT general controls audit (access controls, change management, backup procedures, licence management, ITIL processes), cybersecurity audit against established frameworks, third-party assurance and interpretation of SOC reports and supplier certifications. The reach extends into operational technology and adjacent estates such as building management systems where the work calls for it.

PQC readiness

Cryptographic inventory and dependency mapping, quantum-vulnerability assessment, transition strategy and roadmap, vendor and supply-chain cryptographic assessment, hybrid-implementation guidance, long-term data-protection strategies for material with long confidentiality horizons. Deep cryptographic work is delivered jointly with pqcconsultancy.com.

Certification and attestation

How we approach the formal end of compliance, without selling theatre.

Readiness and internal audit

Pre-certification gap analysis that fixes controls, not just evidence. Internal audit and surrogate internal audit for organisations too small to staff one. Post-audit remediation when the platform missed something the auditor did not.

Scoped attestations under our name

For B2B supply-chain assurance where a formal certification is overkill and a credible practitioner signal is enough, we issue scoped attestations under our own name. Dated, defensible, written to be read by the recipient's procurement and security teams.

Frameworks we work with

ISO 27001 and 27017 readiness, SOC 2 readiness, DORA, NIS2, UK CTP regime, GDPR, UK Data Protection Act, PCI DSS, HIPAA, COBIT, ITIL. We map your existing posture to whichever set actually applies and run the gap.

Selected Project Examples

Compliance challenges are rarely solved by templates. Each organisation has unique regulatory obligations, risk appetites, and operational constraints. Here's how we've helped clients navigate complex requirements.

Hedge Fund DORA Compliance

Comprehensive DORA compliance programme for a hedge fund, establishing ICT risk management framework from the ground up.

  • Company-wide ICT risk assessment
  • Policy and standards development
  • Asset management framework
  • Business continuity planning

Outcome: Full DORA readiness achieved ahead of regulatory deadline, framework scaled for ongoing compliance management.

Medical Device HIPAA

HIPAA compliance implementation for a medical devices startup, enabling sales to US covered entities.

  • Governance and policy implementation
  • Technical controls design
  • Staff awareness training
  • Third-party compliance reviews

Outcome: Successfully passed enterprise client security assessments, unlocking $2M+ in previously blocked opportunities.

Transportation ISO 27001

End-to-end ISO 27001:2013 certification programme for a large transportation organisation.

  • Gap analysis and project management
  • Governance and policy implementation
  • Internal awareness training
  • Pre-audit review and remediation

Outcome: Successful certification on first attempt, no major non-conformities identified during Stage 2 audit.

Wealth Management GDPR

Data privacy implementation for a leading wealth management provider with over 6 million monthly visitors.

  • Legal basis identification
  • Privacy policies and standards
  • Subject access rights procedures
  • Data processing agreement alignment

Outcome: Full GDPR compliance achieved, subject access request handling time reduced from weeks to days.

Security Startup SOC 2

SOC 2 Type II preparation for a security technology startup entering enterprise sales.

  • Risk assessment and gap analysis
  • Governance framework updates
  • Operational process improvements
  • External penetration testing

Outcome: Clean SOC 2 Type II report obtained, enabling Fortune 500 customer acquisition previously blocked by compliance requirements.

SaaS Escrow Solution

Creation of a fully functional dormant SaaS environment to support M&A requirements for an educational provider.

  • Terraform Kubernetes deployment
  • Automated daily source updates
  • Docker component deployment
  • Quarterly end-to-end testing

Outcome: Buyer confidence secured, escrow arrangement contributed to successful acquisition completion.

Our Boutique Approach

We help you build compliance programmes that work for your organisation, not bureaucratic overhead that slows you down.

Framework Integration

We work the overlap between frameworks instead of running them as parallel programmes. One control set, multiple compliance outcomes. DORA, ISO 27001 and SOC 2 share more than they differ.

Pragmatic Implementation

We design controls that fit your operations, not textbook solutions that look good on paper but don't survive contact with reality.

Certification Success

Our clients consistently achieve certification on first attempt. We know what auditors look for and prepare you accordingly.

Knowledge Transfer

We build your team's capabilities alongside delivering compliance programmes. You maintain and evolve your compliance posture independently.

Further reading on DORA Consultancy

Where our positioning intersects with regulatory analysis, we publish under our sister brand.

The DORA Register of Information Trap

The 6.5% dry-run pass rate is the clue. What to do when the register has been filed and forgotten.

The Critical 19: CCTP List Analysis

What the designated critical providers list actually tells us about EU financial-sector ICT, including the sovereignty profile.

IT Suppliers' Legal Obligations under DORA

DORA may not apply to you directly, but your European clients' auditors will hold you accountable.

Specifically a technology founder building toward UK or Northern European regulated buyers? Our adjacent practice at partners.inkasec.co.uk handles the technical bridge for that route.

Get in Touch

Tell us about your project and we'll get back to you within 24 hours.