How it works
Assess. Plan. Operate. Certify.
Six steps in four verbs. Each one has owners, artifacts, and a clear bar for done.
- 01 Onboarding: We inherit the context you should not have to re-explain to a vendor.
- 02 Assessment & gap analysis: Controls mapped to the standard's clauses. Gaps prioritized by what the next deal and next audit actually need.
- 03 Roadmap: A prioritized plan in plain language — translated for engineers, the board, and customers.
- 04 GRC platform setup: We deploy and operate the automation platform. Evidence capture, control mapping, continuous monitoring, drift alerts — all wired in.
- 05 Managed operations: Access reviews, vendor risk, policy attestations, internal audits. Reporting your CTO, CFO, and customers each understand.
- 06 Audit & certification: We sit on your side of the table — through Stage 2, surveillance, and recertification.
How it works — common questions
How long does the engagement take to set up?
Onboarding plus assessment plus roadmap is usually completed inside the first 4 to 6 weeks. The GRC platform is operational shortly after. Managed operations then run continuously.
What is the cadence after onboarding?
Weekly working sessions during the readiness period; a steady monthly cadence afterwards. Plus quarterly leadership reviews, control owner check-ins, and the cadences each framework requires (access reviews, vendor risk, internal audits).
Do we need to buy a GRC tool separately?
No. The GRC automation platform is part of the managed engagement — we choose the one that fits your stack, deploy it, configure it to the framework, and operate it. You own the data and can keep operating it yourselves whenever you choose to.
What happens during an audit?
We coordinate end to end with the certification body or audit firm — scoping calls, evidence handover, interview prep with your team, walkthroughs, and remediation. You stay informed; we run the process.