Compliance
ISO 27001, NIS2, and DORA — delivered as a byproduct of real security operations, not a separate paper trail. Certification-ready in weeks, not quarters.
Most compliance work runs in a parallel universe to the actual security function. Documentation lives in a binder no one operates from. Controls are theoretical. Auditors get a tour of artefacts that have nothing to do with how the organisation actually runs. The certificate arrives, and so does the next breach.
We invert that: the security operation IS the compliance evidence. Endpoint coverage, identity policy, vulnerability data, incident records, SOC logs — these already exist if security is running properly. The compliance work is to organise them into the shape an auditor recognises, not to invent them.
- ISO 27001 from scratch: maintained controls library, evidence collection, audit defence. Our Secured by FM model takes SMBs from onboarding to certification-ready in roughly four weeks, on templated controls and an integrated GRC tool.
- NIS2 readiness: gap assessment, control mapping, supplier-chain scoping, and the operational changes that close the gap. Norway is incorporating NIS2 via the EEA Agreement; we sequence the work so it lands well before enforcement bites.
- DORA for financial services: operational resilience testing, ICT risk management, third-party register, major-incident reporting. In force across the EU since January 2025.
- Audit preparation and defence: external-auditor-grade evidence, mock audits with our own audit-experienced consultants, and someone in the room when the real auditors show up.
- GRC tooling rollout: we deploy and operate the GRC platform underneath your programme — not a spreadsheet, not a wiki — so evidence collection scales without becoming a half-time job for your team.
- Continuous compliance: quarterly reviews, control drift detection, change-impact analysis. Compliance does not lapse because someone left or rotated; it is a maintained surface, not a point-in-time exercise.
- 01 Scope: we map the regulations that actually apply, the systems that are in scope, and the controls already in place. Most organisations are further along than they think — and have a few critical gaps they did not know about.
- 02 Build: controls library, evidence catalogue, policy stack, and the GRC tool wired into the security operation. Templated where possible, custom where the business actually differs from the template.
- 03 Run: evidence collection, control testing, internal audit cycles, and the conversations with leadership when something is genuinely failing. The point is to find it before the auditor does.
- 04 Certify: external audit support — pre-audit dry runs, on-the-day defence, and the corrective-action work after the report lands. The certificate is the milestone, not the destination.
- ISO 27001 certified — and the controls library that goes with it, maintained as part of the operation.
- NIS2 and DORA mapped against your real environment, not a generic gap report.
- Audit evidence that comes out of the security function, not a parallel paperwork stream.
How fast can we be ISO 27001 certification-ready?
For a focused SMB scope on our Secured by FM model: roughly four weeks from kickoff to certification-ready, on templated controls and an integrated GRC tool. For a larger or more bespoke scope, plan for two to four months. The variable is not the controls themselves — it is how much existing operational evidence we can lift in versus how much has to be built fresh.
Do we have to use a specific GRC tool?
We have an integrated tool we deploy as part of Secured by FM, and we operate the major commercial GRC platforms our enterprise customers already run. We do not push tooling for tooling's sake. If you have something that works, we will operate it; if you do not, we will deploy ours and hand it over when the engagement ends.
What does NIS2 actually require us to do?
It applies to organisations across regulated sectors — eleven essential under Annex I, seven important under Annex II — and to companies in their supply chains. The substantive requirements are in Article 21: risk management measures across roughly ten control domains, plus incident reporting, governance, and supply-chain due diligence. The same Annex A controls used for ISO 27001 map directly onto Article 21, which is why we sequence ISO 27001 first.
We are not in financial services — does DORA apply to us?
Probably not directly, but possibly indirectly. DORA targets financial entities and their critical ICT third-party providers. If you supply software, hosting, or managed services to a regulated financial entity, you may inherit obligations through the contract. We can scope that quickly.
What is the compliance guarantee in Secured by FM?
On the Secured by FM SMB package, if the main ISO 27001 audit does not pass within the agreed window, we cover the next certification attempt. Gross negligence on the customer side voids the guarantee — we cannot guarantee outcomes for organisations that ignore the work. The guarantee exists because we have a high enough hit rate on controlled scopes to underwrite it.
Can compliance and the SOC really feed into each other?
Yes — and they should. Detection coverage, vulnerability data, identity governance evidence, and incident records are exactly the artefacts ISO 27001 and NIS2 audits ask for. If you are running the SOC and compliance in the same shop, the data flows once. If you are not, you are paying twice — once for the security operation, once for someone to write the report about it.