ISO 27001, PCI DSS, SOC 2 & Regulatory Compliance, Made Audit-Ready
Governance, risk and compliance work only counts if it survives an external audit. We build the policies, controls and evidence trail your assessor actually expects to see.
Frameworks we take you through, end to end
ISO/IEC 27001:2022 Readiness
Gap assessment, ISMS design, Statement of Applicability, and internal audit support ahead of certification.
PCI DSS Compliance
Scoping, control implementation and QSA-ready evidence for merchants and payment service providers.
SOC 2 Readiness (Type I & II)
Trust Services Criteria mapping and control design ahead of your SOC 2 audit.
GDPR & Data Privacy
Data mapping, lawful-basis review and privacy control implementation for organisations handling EU personal data.
HIPAA Compliance
Administrative, physical and technical safeguard review for healthcare and healthtech platforms.
RBI Cyber Security Framework
Control alignment for NBFCs, fintechs and payment platforms regulated by the RBI.
SEBI CSCRF Compliance
Cyber security and cyber resilience framework alignment for SEBI-regulated entities.
IRDAI Compliance Audit
Information and cyber security control review for insurance sector entities.
DPDP Act 2023 (India)
Readiness for India's Digital Personal Data Protection Act — data-principal rights, consent management and breach-notification controls.
CERT-In Directions
Alignment with CERT-In's 2022 cyber security directions: logging, incident reporting timelines and audit evidence.
BCP / DRP Planning
Business continuity and disaster recovery planning, tested through tabletop exercises.
Exporting to the EU or the Gulf? We get you ahead of the regulation wave
Indian service providers and product companies working with European and Middle East clients are increasingly asked to prove conformity with local cyber law. We build that evidence before your customers or regulators ask.
EU NIS2 Directive
Gap assessment and control alignment against NIS2 for essential/important entities and their supply-chain partners — governance, risk management and incident-reporting obligations.
DORA (Financial Sector)
Digital Operational Resilience Act readiness for financial entities and their ICT third-party providers — resilience testing, incident classification and register-of-information support.
Cyber Resilience Act (CRA)
Get ahead of the CRA's core obligations (broadly applying from 2027) for products with digital elements — secure-by-design, vulnerability handling and SBOM/lifecycle evidence.
EU AI Act
Risk-classification and governance mapping for AI systems placed on the EU market, aligned with our AI & LLM Security practice and ISO/IEC 42001.
GDPR (EU)
Data mapping, lawful-basis review, DPIAs and cross-border transfer safeguards for organisations handling EU personal data.
UAE — NESA & DESC
Alignment with UAE Information Assurance (NESA/SIA) standards, Dubai's DESC ISR, and ADHICS for healthcare entities in Abu Dhabi.
Saudi Arabia — NCA ECC & SAMA
Readiness for the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC) and the SAMA Cyber Security Framework for the financial sector.
Qatar — NIA
National Information Assurance (NIA) policy alignment and Qatar Central Bank cyber requirements for regulated entities.
Gulf Data Protection (PDPL)
Saudi & UAE Personal Data Protection Law readiness — data-subject rights, consent, cross-border transfer and breach-notification controls.
ISO/IEC 42001 & NIST AI RMF
AI management-system and AI risk-framework readiness — increasingly requested alongside traditional security compliance.
How the engagement runs
Scope
A short call to align on assets, timelines and compliance targets.
Test
Manual, expert-led testing augmented by AI-assisted analysis.
Report
Business-risk-ranked findings with reproducible proof-of-concept.
Retest
One included retest cycle plus an attestation letter.
Common questions
Typically 8–16 weeks depending on organisational maturity and scope, covering gap assessment, control implementation, and internal audit before your certification body audit.
No — certification is issued by accredited certification bodies / QSAs. We prepare you to pass that audit and can support liaison with your chosen certifying body.
GRC delivers structured governance, documented controls and audit-ready evidence. vCISO provides ongoing security leadership and execution. Many clients run both in parallel — see our vCISO page for the distinction.
Yes — many controls overlap. We map a single control set to multiple frameworks where possible to reduce duplicate effort.
Yes. We run gap assessments and control-alignment programs for EU NIS2, DORA, the Cyber Resilience Act (CRA, broadly applying from 2027) and the EU AI Act — increasingly required of Indian service providers and product companies exporting to Europe.
You might also need
Ready to scope this engagement?
Get a fixed-price quote within one business day.



