Independent advisory for organisations building, maturing, or auditing their information security governance and compliance programmes — from policy framework creation to ISO 27001 readiness and enterprise risk management implementation.
Structures, roles, and accountabilities that direct and control the security programme.
Systematic identification, assessment, treatment, and monitoring of information security risks.
Meeting regulatory, contractual, and internal policy obligations — demonstrably and continuously.
GRC Services
GRC programmes fail when they are built around checkbox compliance rather than genuine risk reduction. Every engagement starts with the organisation's actual threat landscape and risk appetite — not a generic control list.
01 / GOVERNANCE
Design of the governance structures, roles, responsibilities, and decision-making frameworks that direct and oversee the information security programme. Covers security committee structure, CISO function design, security KPIs and reporting metrics, board-level risk communication, and security programme charter development.
02 / RISK
Design and implementation of a structured information security risk management framework. Covers risk identification methodology, risk assessment and scoring (qualitative and quantitative), risk treatment planning, residual risk acceptance, risk register development, and ongoing risk monitoring processes. Aligned to ISO 27005 and NIST SP 800-30.
03 / COMPLIANCE
Gap assessment, ISMS design, and certification readiness support for ISO/IEC 27001. Covers scope definition, context of the organisation, interested parties analysis, Annex A control assessment, Statement of Applicability (SoA) development, risk assessment documentation, and internal audit preparation — to position the organisation for a successful certification audit.
04 / COMPLIANCE
Implementation of the NIST CSF 2.0 across all six functions — Govern, Identify, Protect, Detect, Respond, and Recover. Covers current-profile assessment, target-profile definition, gap analysis, implementation tier determination, and a prioritised action plan. Suitable for organisations seeking a structured, internationally recognised baseline for their security programme.
05 / POLICY
Development of a complete, hierarchically structured security policy framework — from the overarching Information Security Policy down to technical standards and operational procedures. Policies are written to be implementable, auditable, and aligned to applicable regulatory requirements rather than generic templates that no one reads.
06 / BC/DR POLICY
Creation of Business Continuity and Disaster Recovery policy documentation — Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), crisis communication procedures, and tabletop exercise design. Aligned to ISO 22301. Separate from BC/DR architecture design, which is covered under Security Architecture services.
07 / COMPLIANCE
Advisory support for organisations in scope for the Payment Card Industry Data Security Standard (PCI-DSS v4.0). Covers scoping, gap assessment against all 12 requirements, compensating control documentation, network segmentation review for scope reduction, and preparation for a Qualified Security Assessor (QSA) audit or Self-Assessment Questionnaire (SAQ).
08 / THIRD-PARTY
Design and implementation of a vendor risk management programme — covering vendor tiering, security questionnaire design, contractual security requirements, due diligence assessment methodology, ongoing monitoring processes, and fourth-party risk awareness. Aligned to ISO 27001 Annex A controls and NIST CSF supply chain risk management guidance.
09 / ADVISORY
Independent security leadership advisory for organisations that need senior GRC expertise without a full-time CISO. Covers security programme strategy, board and executive communication, regulatory liaison support, audit preparation, and ongoing governance oversight — available as a monthly advisory retainer or fractional CISO engagement.
Risk Management
Risk management is the foundation of an effective GRC programme. Without a systematic process for identifying and treating risk, compliance becomes a checkbox exercise that provides false assurance rather than genuine security improvement.
The risk management process is designed to be repeatable, auditable, and integrated into the organisation's existing decision-making cadences — not a standalone exercise conducted once a year.
Define the organisational context, risk appetite, risk criteria, and scope of the risk assessment. Establish the internal and external factors that influence information security risk for this specific organisation.
Identify information assets, associated threats, existing controls, and vulnerabilities. Map assets to business processes to ensure risk treatment prioritisation reflects operational impact.
Assess the likelihood and impact of each identified risk. Score risks consistently using a defined methodology — qualitative matrix, quantitative scoring, or hybrid — to produce a risk register that drives decisions rather than just documents them.
For each risk above the defined appetite threshold: select a treatment option (mitigate, transfer, avoid, accept; ISO 27005 names these modify, share, avoid, retain), identify the specific controls to implement, assign ownership, and set target remediation timelines. Risks that remain above appetite after treatment are accepted only with documented sign-off from the risk owner.
Map selected controls to applicable framework requirements (ISO 27001 Annex A, NIST CSF, CIS Controls) to ensure risk treatment simultaneously advances compliance objectives.
Establish a risk review cadence — quarterly for high risks, annually for the full register — with defined triggers for out-of-cycle reassessment when significant changes occur to the threat landscape or business environment.
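The six steps above are easiest to see as one working risk register. The following is an added example, not the consultancy's own tooling or any client artefact: it scores risks on a 5x5 qualitative matrix, compares residual scores against an appetite threshold, flags governance exceptions (a risk outside appetite that is "accepted" without sign-off, a "mitigate" treatment with no controls behind it), maps each control to framework references, and sets the review date from the rating. The rating bands, the threshold of 9, the review cadence, the control-to-framework mapping and the four sample risks are all constructed assumptions; the ISO/IEC 27001:2022 Annex A and NIST CSF 2.0 identifiers are real, but which control satisfies which requirement is an assessor's judgement.

```python
import math
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# 5x5 qualitative matrix: score = likelihood x impact, banded into a rating.
# Bands, threshold and cadence are assumptions; the organisation's risk
# criteria (step 1 of the process) would define the real values.
RATING_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical"))
APPETITE_THRESHOLD = 9                      # residual score above this is outside appetite
REVIEW_DAYS = {"Critical": 90, "High": 90, "Medium": 365, "Low": 365}
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}
ASSESSMENT_DATE = date(2025, 1, 15)         # constructed date for the sample run

# Hypothetical control-to-framework map (step 5). Identifiers are real
# ISO/IEC 27001:2022 Annex A controls and NIST CSF 2.0 categories; the
# pairing of control to requirement is assumed for illustration.
CONTROL_MAP = {
    "MFA on administrative access": {"ISO27001": "A.8.5", "NIST_CSF": "PR.AA"},
    "Offline backup copy": {"ISO27001": "A.8.13", "NIST_CSF": "PR.DS"},
    "Supplier security due diligence": {"ISO27001": "A.5.19", "NIST_CSF": "GV.SC"},
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    owner: str
    likelihood: int                          # inherent, 1 (rare) .. 5 (almost certain)
    impact: int                              # inherent, 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # re-scored by the assessor after controls
    residual_impact: Optional[int] = None      # defaults to inherent when not re-scored
    acceptance_signoff: Optional[str] = None   # who accepted the residual risk, if anyone


def rating(score):
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def inherent_score(r):
    return r.likelihood * r.impact


def residual_score(r):
    lik = r.residual_likelihood if r.residual_likelihood is not None else r.likelihood
    imp = r.residual_impact if r.residual_impact is not None else r.impact
    return lik * imp


def register_entry(r, today):
    """Build one risk-register row and list any governance exceptions."""
    for v in (r.likelihood, r.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{r.risk_id}: likelihood and impact must be 1-5")
    if r.treatment not in TREATMENTS:
        raise ValueError(f"{r.risk_id}: unknown treatment {r.treatment!r}")
    inherent, residual = inherent_score(r), residual_score(r)
    band = rating(residual)
    within_appetite = residual <= APPETITE_THRESHOLD
    exceptions = []
    if residual < inherent and not r.controls:
        exceptions.append("residual scored below inherent but no controls are listed")
    if not within_appetite and r.treatment == "accept" and not r.acceptance_signoff:
        exceptions.append("residual above appetite accepted without documented sign-off")
    if r.treatment == "mitigate" and not r.controls:
        exceptions.append("treatment is mitigate but no controls are identified")
    unmapped = [c for c in r.controls if c not in CONTROL_MAP]
    if unmapped:
        exceptions.append(f"controls not mapped to any framework: {unmapped}")
    return {
        "id": r.risk_id, "owner": r.owner,
        "inherent": inherent, "residual": residual, "rating": band,
        "within_appetite": within_appetite, "treatment": r.treatment,
        "frameworks": {c: CONTROL_MAP.get(c, {}) for c in r.controls},
        "next_review": today + timedelta(days=REVIEW_DAYS[band]),
        "exceptions": exceptions,
    }


def build_register(risks, today):
    rows = [register_entry(r, today) for r in risks]
    # Worst residual first, then soonest review, so the register drives decisions.
    rows.sort(key=lambda row: (-row["residual"], row["next_review"]))
    return rows


# Constructed sample risks; not taken from any real assessment.
SAMPLE_RISKS = [
    Risk("R-001", "Customer database", "Credential theft against admin accounts", "Head of IT",
         likelihood=4, impact=5, treatment="mitigate",
         controls=["MFA on administrative access"], residual_likelihood=2),
    Risk("R-002", "File servers", "Ransomware destroys primary and replicated data", "CIO",
         likelihood=3, impact=5, treatment="mitigate",
         controls=["Offline backup copy"], residual_impact=2),
    Risk("R-003", "Payroll SaaS", "Provider breach exposes employee data", "HR Director",
         likelihood=2, impact=4, treatment="accept"),
    Risk("R-004", "Legacy billing app", "Unpatched RCE in end-of-life framework", "CFO",
         likelihood=5, impact=3, treatment="accept"),   # outside appetite, no sign-off
]


def sample_register():
    return build_register(SAMPLE_RISKS, ASSESSMENT_DATE)


if __name__ == "__main__":
    for row in sample_register():
        print(row["id"], row["rating"], row["residual"], row["treatment"], row["exceptions"])
```

Run stand-alone, the register lists R-004 first as a High risk with an exception (accepted outside appetite with nobody's signature on it), which is exactly the row a quarterly review should surface; R-001 stays High after MFA and keeps a 90-day review, while R-002 and R-003 fall within appetite and roll to the annual review.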
Frameworks & Standards
Different industries, geographies, and customer relationships demand different compliance frameworks. Advisory engagements are structured around the frameworks that actually apply to your organisation — not the ones that are easiest to deliver.
The global benchmark for information security management. Advisory covers ISMS design, risk assessment, Annex A control implementation, Statement of Applicability, and certification audit readiness. Applicable to any organisation regardless of size or sector.
Updated in 2024 to include the Govern function alongside Identify, Protect, Detect, Respond, and Recover. Widely adopted globally as a structured baseline for security programme assessment and maturity improvement. Organisational Profiles enable gap assessment against target state.
Contractually mandated by the card brands for any organisation that stores, processes, or transmits cardholder data. v4.0 introduces a customised approach to meeting requirements alongside the defined approach, plus additional authentication and monitoring requirements. Advisory covers scoping, gap assessment, and QSA or SAQ preparation.
The international standard for business continuity management. Advisory covers BCMS design, business impact analysis, recovery strategy development, BCP/DRP documentation, and certification readiness. Integrates with ISO 27001 for a unified management system approach.
18 prioritised security controls that provide a practical, prescriptive starting point for organisations seeking to improve their security posture rapidly. Implementation Groups allow right-sizing to organisational maturity. Maps directly to NIST CSF and ISO 27001 Annex A.
Privacy compliance advisory covering GDPR (EU) and India's Digital Personal Data Protection (DPDP) Act 2023. Covers data mapping, lawful basis assessment, privacy notice design, data subject rights processes, processor agreements, and breach notification procedures — from an information security governance perspective.
Policy Framework Development
Most security policy frameworks fail not because they are wrong — but because they are unreadable, unimplementable, and disconnected from how the organisation actually operates. Policy development starts with what the business does, not what a template says.
Core Policies Developed
Policy Document Hierarchy
Tier 1 — Strategic
Top-level commitment from leadership. Sets direction, scope, principles, and accountability for the entire information security programme. Board-approved.
Tier 2 — Tactical
Domain-specific policies (Access Control, Incident Response, Data Classification, etc.) that translate strategic direction into specific requirements for each security domain.
Tier 3 — Operational
Specific, measurable requirements — configuration baselines, password standards, encryption standards, and logging requirements that implement the Tier 2 policies.
Tier 4 — Procedural
Step-by-step operational procedures and advisory guidelines for specific tasks — how to respond to an incident, how to onboard a vendor, how to classify a document.
Engagement Models
GRC advisory fits different formats depending on whether the organisation needs a one-time programme build or continuous strategic support.
Point-in-time independent assessment of current GRC posture against a chosen framework (ISO 27001, NIST CSF, PCI-DSS). Produces a prioritised remediation roadmap. Defined scope and timeline.
End-to-end design and implementation of a GRC programme — governance structure, risk management framework, compliance mapping, and policy framework. Suited to organisations establishing their first formal programme.
Ongoing monthly advisory for GRC strategy, policy review, audit preparation support, and compliance question resolution. Fixed hours per month. Suited to organisations that need senior GRC input without a full-time hire.
Part-time embedded security leadership — joining the organisation's leadership team on a fractional basis to own the GRC and security governance function. Includes board reporting, regulatory liaison, and programme oversight.
What You Receive
GRC engagements produce documentation that functions as a genuine programme foundation — not templated outputs renamed with the organisation's logo.
Structured assessment of current posture against the chosen framework — every control gap identified, rated by risk severity, and mapped to a prioritised remediation action.
A working risk register — not a template. Contains identified risks, likelihood and impact scores, assigned owners, treatment options selected, residual risk ratings, and review dates.
Complete set of security policies, standards, and procedures — written for the organisation, not copied from a generic library. Reviewed for regulatory alignment and internal consistency.
Phased remediation roadmap mapping the path from current posture to target compliance state — sequenced by risk reduction impact and resource requirements. Board-presentation ready.
For ISO 27001 engagements — a complete SoA documenting every Annex A control, applicability decision, justification, and implementation status. A mandatory certification artefact.
Structured session with security, compliance, and leadership teams covering findings, framework alignment decisions, and roadmap priorities — ensuring organisational alignment before implementation begins.
GRC connects to every other service
Architecture
GRC defines the control requirements — Security Architecture translates them into the technical infrastructure that implements those controls.
→ View Security Architecture
Application Security
Compliance frameworks like PCI-DSS and ISO 27001 require application security controls. AppSec consulting delivers the technical implementation those policies mandate.
→ View AppSec Consulting
Offensive Security
PCI-DSS Requirement 11 mandates regular penetration testing, and ISO 27001 Annex A control A.8.8 (management of technical vulnerabilities) is routinely evidenced with it. Pentest findings feed directly back into the risk register.
→ View Penetration Testing
Training
Security awareness training is an explicit requirement in ISO 27001 (clause 7.3 and Annex A control 6.3) and PCI-DSS (Requirement 12.6), and a defined outcome in NIST CSF (PR.AT). Training programmes are designed to satisfy the specific awareness requirements of applicable frameworks.
→ View Corporate Training
Common Questions
GRC stands for Governance, Risk, and Compliance. GRC advisory covers the design and implementation of the organisational structures, processes, policies, and controls that ensure an organisation's information security programme is governed effectively, risks are identified and managed systematically, and regulatory and contractual compliance obligations are met. Engagements cover governance programme design, risk management framework implementation, compliance gap assessment, and security policy framework development.
ISO 27001 advisory is the consulting and gap assessment work that prepares an organisation for certification — designing the ISMS, documenting policies and controls, conducting risk assessments, and remediating gaps. ISO 27001 certification is the formal audit conducted by an accredited certification body. Advisory work precedes and supports the certification process; the certification itself is issued by a third-party audit body, not by a consultant.
A security policy framework is the hierarchical set of policies, standards, procedures, and guidelines that govern how an organisation protects its information assets. A mature framework includes: an Information Security Policy, Acceptable Use Policy, Access Control Policy, Incident Response Policy, Data Classification Policy, Business Continuity and Disaster Recovery Policy, Vendor Risk Policy, and Cryptography Policy — among others. The framework is structured to align with applicable regulatory requirements and the organisation's risk appetite.
NIST CSF 2.0, released in 2024, introduces a sixth function — Govern — alongside the original Identify, Protect, Detect, Respond, and Recover functions. The Govern function addresses organisational context, risk management strategy, supply chain risk management, and roles and responsibilities. CSF 2.0 also broadens the framework's applicability beyond critical infrastructure to all organisations and introduces Organisational Profiles for structured gap assessment against a defined target state.
GRC advisory is designed for CISOs, compliance managers, risk officers, and security leadership teams at organisations building, maturing, or independently auditing their information security governance and compliance programmes. It is particularly relevant for organisations preparing for ISO 27001 or PCI-DSS compliance, responding to customer security questionnaire requirements, or rebuilding their GRC programme after a gap assessment reveals structural weaknesses.
Yes. GRC advisory, risk assessment, policy framework development, and compliance gap assessments are well-suited to remote delivery. Document reviews, structured workshops, and stakeholder interviews are conducted virtually. Onsite delivery is available globally for organisations requiring in-person engagement for sensitive risk discussions or board-level presentations.
Ready to Start
30-minute consultation. We'll discuss your current compliance obligations, governance gaps, and the most impactful place to start — before anything is formalised.
Available globally · Remote & onsite · Gap assessment · Programme build · Advisory retainer