Compliance that auditors accept on the first pass.

Governance, risk, and compliance consulting for regulated industries. We’ve taken Israeli banks, payment processors, and SaaS companies through SOC 2, ISO 27001, DORA, and PCI-DSS engagements without a single material finding on first audit.

Ten frameworks. One playbook.

Our team holds CISM, ISO 27001 Lead Auditor, and Lead Implementer certifications. We’ve taken organizations through each of these from kickoff to certified status.

Financial Services

DORA

Digital Operational Resilience Act · EU Financial

The new EU regulation covering ICT risk management, incident reporting, resilience testing, and third-party oversight for financial entities. It applies from January 2025, and most firms are still scrambling. We build your DORA program from gap assessment to operational readiness.

  • ICT risk management framework
  • Third-party register and oversight program
  • Threat-led penetration testing (TLPT) coordination
  • Incident reporting workflows

Industry Standard

ISO/IEC 27001:2022

Information Security Management Systems

The international standard for information security management. We take you from a 4-6 month implementation through Stage 1 and Stage 2 audits with an accredited certification body whose certificates the Big 4 accept. Our certification rate on first attempt: 100%.

  • Scope definition and asset register
  • Risk assessment and treatment plan
  • Statement of Applicability with all 93 Annex A controls
  • Internal audit, management review, certification audit support

SaaS & Cloud

SOC 2 Type I & Type II

Trust Services Criteria · AICPA

The standard for SaaS companies selling to U.S. enterprises. We design your control environment, run the readiness assessment, coordinate the audit firm, and remediate findings before they become material exceptions.

  • Trust services criteria mapping (Security, Availability, Confidentiality)
  • Control design and evidence collection workflows
  • Auditor selection and coordination
  • Continuous monitoring program for Type II maintenance

Cyber Framework

NIST Cybersecurity Framework

CSF 2.0 · National Institute of Standards

The U.S. federal framework increasingly required by enterprise procurement teams and acquirers. We map your current maturity across the six functions (Govern, Identify, Protect, Detect, Respond, Recover) and build a 12-month roadmap to your target state.

  • Current/target state maturity assessment
  • Outcome-based control roadmap
  • Mapping to NIST 800-53, ISO 27001, CIS Controls
  • Executive scorecard with quarterly tracking

Payment Card Industry

PCI-DSS v4.0

Payment Card Industry Data Security Standard

Required for any organization handling card data. v4.0 introduced significant new requirements around the customized approach, continuous monitoring, and authenticated scanning. We prepare you for a Level 1 ROC or a self-assessment, depending on your transaction volume.

  • Scope reduction strategy (network segmentation)
  • Cardholder data environment mapping
  • ASV scanning coordination and remediation
  • QSA audit preparation and finding remediation

EU Data Protection

GDPR

General Data Protection Regulation

EU privacy law with global reach. We build your data protection program: lawful basis documentation, ROPA, DPIAs for high-risk processing, breach response procedures, and the technical and organizational measures regulators expect to see.

  • Records of Processing Activities (ROPA)
  • Data Protection Impact Assessments (DPIAs)
  • Subject access request workflows
  • DPO advisory and breach notification support

German Cloud

BSI C5

Cloud Computing Compliance Criteria Catalogue

Germany’s cloud security standard, increasingly required by EU public sector and financial services buyers. We prepare your cloud platform for C5 attestation with full control evidence and continuous monitoring.

  • Control mapping to existing ISO 27001 or SOC 2
  • Evidence collection workflows
  • Continuous monitoring requirements
  • German audit firm coordination

AI Governance

ISO/IEC 42001

AI Management System Standard

The first international AI management system standard. Required by organizations that develop or deploy AI systems where governance, risk, and ethical considerations matter. We build your AIMS from scratch or align to your existing ISO 27001.

  • AI system inventory and risk classification
  • Bias, fairness, and explainability controls
  • Model lifecycle governance
  • Integration with existing ISO 27001 program

How we work through an engagement.

A typical certification engagement takes 4-9 months. We work in phases so you see progress quarterly and can budget accordingly.

01

Gap assessment (2-3 weeks)

We compare your current state against the target framework’s controls. The output is a prioritized gap report with effort estimates and a recommended sequence. You’ll know exactly what you need to build, buy, or change before the engagement formally starts.

Deliverable: Gap report (40-80 pages), executive briefing, fixed-price quote for implementation phase.

02

Implementation (3-6 months)

We work alongside your team to build the controls: documentation, policies, procedures, technical controls, and evidence collection workflows. We do as much as makes sense for us to do, and we coach your team on the parts they need to own long-term.

Cadence: Weekly working sessions, monthly steering committee reviews.

03

Internal audit & pre-assessment (3-4 weeks)

We run a full internal audit using the same methodology your external auditor will use. Any findings get remediated before the certification audit begins. This is why our first-time pass rate is 100%.

Deliverable: Internal audit report, remediation completion evidence, management review documentation.

04

Certification audit support (2-4 weeks)

We coordinate with the external auditor (we maintain relationships with all major Big 4 and specialized audit firms in Israel and the EU), prepare evidence packages, and sit in on audit interviews to ensure controls are explained accurately.

Deliverable: Certified status, auditor’s report, maintenance program for the certification cycle.

05

Continuous maintenance (ongoing, optional)

Most clients retain us for continuous monitoring after certification: quarterly control reviews, evidence sampling, change management for new systems, and annual surveillance audit preparation. Typical retainer: $4-8K monthly depending on scope.

Deliverable: Quarterly compliance dashboard, annual recertification readiness package.

Three engagement models.

Most clients start with the gap assessment to validate scope and timeline. The implementation engagement starts after the gap report is delivered.

Gap Assessment

$12K-25K
Fixed-price · 2-3 weeks
  • Single framework (or framework comparison)
  • Gap report with control-level findings
  • Prioritized remediation roadmap
  • Fixed quote for implementation
  • Executive briefing call

Start here

Compliance Retainer

$4K-8K/mo
Recurring · 12-month minimum
  • Quarterly control reviews
  • Change management consulting
  • Evidence sampling and storage
  • Annual surveillance audit prep
  • Unlimited Slack/email questions
  • Discount on additional frameworks

After certification

Tell us which framework you need.

30-minute scoping call. We’ll discuss your current posture, timeline pressures, and recommended starting point. Fixed quote within two business days.

Book a scoping call