Find the gaps
before attackers do.

Risk assessments, internal audits and third-party audits that produce findings your engineers can action, not just compliance theatre.

Risk assessment first.

We use ISO 27005 or NIST SP 800-30 methodology to identify your assets, the threats against them, the vulnerabilities that expose them, and the residual risk after existing controls. Every risk gets an owner, a treatment, and a review date.

Internal audit.

Required by ISO 27001 Clause 9.2, but useful for any organisation. We test your ISMS against its own policies, the standard, and your contractual obligations. Non-conformities are flagged before the certification body finds them.

Third-party audit.

Independent assurance for procurement teams, supply chains, and regulators. We can audit your vendors on your behalf, or be audited as your security partner.

What an audit delivers.

01 Data flow analysis. See where personal, financial, and operational data actually moves through your systems.

02 ISMS gap analysis. Non-conformities surfaced before the certification body finds them.

03 Regulatory compliance. Readiness against UK GDPR, EU GDPR, NIS2, DORA, ISO 9001, ISO 14001.

04 Emergency readiness. Incident response gaps surfaced and fixed before you need them.

Findings you can action.

1 Scoping. Agree the framework, boundary, and depth of testing. Sampling strategy locked.

2 Discovery. Interviews, document review, system walkthroughs across the scope.

3 Testing. Control effectiveness testing, evidence sampling, control-design assessment.

4 Reporting. Findings register with severity, root cause, and a prioritised remediation roadmap.

  • Executive summary. Two pages. For the board, not the IT team.
  • Findings register. Major, minor, observation. With evidence, root cause, and a fix.
  • Heat-mapped risk register. Inherent risk, residual risk, treatment, owner, review date.
  • Remediation roadmap. 30 / 60 / 90-day plan with cost and effort estimates.
  • 60-day re-audit. Verification that major findings are closed. Included.

Methodology auditors recognise.

  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27005
  • NIST CSF 2.0
  • NIST SP 800-30
  • NIST SP 800-53
  • NIST SP 800-171
  • CSA STAR

Frequently asked.

Internal vs third-party audit. What's the difference?

An internal audit is done by you (or a consultant acting on your behalf) and is required by ISO 27001 Clause 9.2 before any certification audit. A third-party audit is done by an external party for someone else's benefit: usually a customer, a regulator, or your own assurance over a vendor. We do both.

How big a sample do you take?

Risk-based. Typically 10-20% of controls per audit pass, weighted toward higher-risk areas. We document the sampling rationale so any external reviewer can defend it.
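As an added illustration (not part of the original page, and not this consultancy's tooling), the Python below shows what the heat-mapped risk register described above and the risk-based sampling rule in this answer look like when written down: each risk carries an inherent score, a residual score after existing controls, an owner, a treatment and a review date; a check routine flags the defects an auditor would raise; and a sampling routine draws a 10-20% sample of controls weighted toward higher-risk areas, recording the rationale so a reviewer can reproduce it. The 5x5 scales, the heat-map thresholds, the treatment names and the sample register and control list are all constructed assumptions for the example.

```python
"""Risk register, heat-map banding and risk-weighted control sampling (illustrative)."""
import math
import random
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed 5x5 likelihood and impact scales; real assessments define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}  # assumed treatment vocabulary


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                    # inherent, before any control is credited
    impact: str
    owner: str
    treatment: str
    review_date: date
    residual_likelihood: Optional[str] = None  # after existing controls; None = unchanged
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return LIKELIHOOD[lk] * IMPACT[im]


def heat_band(score: int) -> str:
    """Map a 1-25 score onto red/amber/green; the thresholds are an assumption."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def register_issues(register, today: date):
    """Defects an auditor would flag: missing owner, unknown treatment,
    overdue review, or a residual score that exceeds the inherent one."""
    issues = []
    for r in register:
        if not r.owner:
            issues.append(f"{r.risk_id}: no owner")
        if r.treatment not in TREATMENTS:
            issues.append(f"{r.risk_id}: invalid treatment {r.treatment!r}")
        if r.review_date < today:
            issues.append(f"{r.risk_id}: review overdue ({r.review_date})")
        if r.residual_score() > r.inherent_score():
            issues.append(f"{r.risk_id}: residual risk exceeds inherent risk")
    return issues


def select_sample(controls, fraction=0.15, seed=0):
    """Weighted sample without replacement from (control_id, risk_score) pairs.
    Higher-risk controls are more likely to be drawn; the rationale is returned
    alongside the sample so an external reviewer can reproduce the draw."""
    if not 0.10 <= fraction <= 0.20:
        raise ValueError("sample fraction outside the 10-20% range")
    n = max(1, math.ceil(round(len(controls) * fraction, 9)))  # round() avoids float drift
    rng = random.Random(seed)
    pool = list(controls)
    chosen = []
    while len(chosen) < n and pool:
        pick = rng.choices(pool, weights=[score for _, score in pool], k=1)[0]
        pool.remove(pick)
        chosen.append(pick)
    rationale = {"method": "risk-weighted, without replacement", "fraction": fraction,
                 "seed": seed, "population": len(controls), "sample_size": n}
    return chosen, rationale


# Constructed sample data (not real client data).
AS_OF = date(2025, 1, 15)
REGISTER = [
    Risk("R-01", "Customer database", "Credential theft", "No MFA on admin portal",
         "likely", "major", "Head of Platform", "mitigate", date(2025, 6, 30), "unlikely", "major"),
    Risk("R-02", "Payroll export", "Accidental disclosure", "Shared mailbox, broad access",
         "possible", "moderate", "Finance Lead", "mitigate", date(2025, 3, 31), "unlikely", "moderate"),
    Risk("R-03", "Office Wi-Fi", "Rogue access point", "No 802.1X",
         "unlikely", "minor", "IT Manager", "accept", date(2025, 9, 30)),
]
BAD_RISK = Risk("R-99", "Backup tapes", "Theft", "Unencrypted media",
                "possible", "major", "", "ignore", AS_OF, "likely", "severe")
CONTROLS = [(f"C-{i:02d}", s) for i, s in enumerate(
    [25, 20, 16, 12, 12, 9, 9, 8, 6, 6, 5, 4, 4, 4, 3, 3, 2, 2, 1, 1], start=1)]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.risk_id, heat_band(r.inherent_score()), "->", heat_band(r.residual_score()), r.owner)
    print(register_issues(REGISTER, AS_OF))
    print(select_sample(CONTROLS, 0.15, seed=1))
```

The point of returning the rationale with the sample is the one made in the answer: a sample is only defensible if someone else can see how it was drawn. Reusing the seed reproduces the exact draw.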

Can you audit our existing auditor's work?

Yes. Second-party verification is a common use case, particularly where there has been a change of internal team, regulator scrutiny, or an acquisition.

What if you find a major issue?

You hear about it immediately. We don't sit on critical findings until the report is delivered. If something is actively dangerous, we flag it the same day.

Do you re-audit after remediation?

Yes. A 60-day re-audit of major findings is included in the fee. Repeated re-audits or extended scope are billed separately.

Make compliance
feel inevitable.

Book a free consultation