Compliance readiness that doesn’t take over your company

A customer or market now requires SOC 2, ISO 27001, HIPAA, or a privacy framework. The goal is to get there without turning your roadmap into an audit project.

One program, many frameworks

The treadmill version of compliance treats every framework as a separate project: a SOC 2 project this year, an ISO project next year, a HIPAA scramble when the health-system deal shows up. Each one starts from scratch. Each one exhausts your team a little more.

I build it the other way: one coherent security program — one set of policies, one evidence library, one risk register — mapped outward to every framework your markets demand. The second certification costs a fraction of the first. The fifth is mostly paperwork.

What working together looks like

01. Gap assessment

Where you stand against the framework that’s gating your deal — scoped honestly, including what you can defer.

02. Pragmatic remediation

Close the gaps that matter, in priority order, with your engineers getting specific asks — not a 300-row spreadsheet.

03. Audit support

I sit with you through auditor selection, evidence review, and the audit itself — as your security leader, not a bystander.

Frameworks covered

SOC 2, ISO 27001, HIPAA and PHIPA, GDPR, and the newer arrivals — NIS2 and DORA in the EU, national schemes like Cyber Essentials and BSI IT-Grundschutz, CMMC and CPCSC for defence-adjacent work. The full list, grouped by the market each one unlocks, is in the frameworks guide.

If your framework isn’t on the list, the program-first approach still applies — that’s the point of it.

Where compliance platforms fit

Tools like Vanta and Drata are genuinely useful — I use them with clients. They collect evidence and monitor controls well. What they don’t do is make scoping decisions, negotiate with auditors, or take accountability when a customer’s security team pushes back. The platform needs an owner. I work with your tools, not against them.

FAQ

How long does SOC 2 take?

For most seed-to-Series-B companies: three to six months to a Type 1, then a Type 2 observation window of three to twelve months. If someone promises two weeks, ask what they’re skipping.

Our customer wants SOC 2 — should we do ISO 27001 instead?

Usually you do what the customer asks. But if your market is global or security-mature, ISO can be the better long-term anchor. This is exactly the kind of call we make together, based on your pipeline.

Do we need to pause feature work?

No. A well-scoped readiness effort runs alongside your roadmap. The failure mode is trying to do everything at once — which is a scoping problem, not a compliance requirement.

What if we fail the audit?

Audits aren’t pass/fail surprises when the readiness work is honest. We don’t book the auditor until the evidence says you’re ready.

A certification deadline on the horizon?

The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.