Services · 02

Compliance, as a function.

SOC 2, HITRUST, GovRAMP, PCI-DSS. We run gap assessments, author policies, collect evidence, and liaise with your QSA / 3PAO — so you don't have to.

SOC 2
Type I & II

Readiness in 90 days, Type II observation windows scoped from 90–365 days. Trust services criteria + CC mapping.

Tooling: Vanta · Drata · Secureframe

HITRUST
CSF r2 / e1 / i1

CSF inheritance, inheritance workbooks, and AssessXchange coordination. Healthcare + payers.

Tooling: MyCSF · AssessXchange

GovRAMP
StateRAMP / FedRAMP

SSP authoring, 3PAO coordination, continuous monitoring — moderate baseline most common.

Tooling: OSCAL · GovRAMP PMO

PCI-DSS
v4.0.1

Scope reduction, tokenisation strategy, RoC / AoC readiness. QSA liaison included.

Tooling: PCI SSC · Your QSA

vCISO + SOC-as-a-Service

Ongoing governance, on a retainer you can predict.

vCISO

Fractional CISO for board reporting, risk management, and vendor reviews. 10–40 hours/month.

SOC-as-a-Service

24×7 monitoring, triage, and incident response. SIEM + EDR operated by senior analysts.

Continuous compliance

Evidence collection stays warm between audits. Drift alerts before auditors find them.

Start your readiness

Audit-ready in 90 days.

Gap assessment → policies → evidence → audit. We run the whole thing so your team can keep shipping.