
GRC / Security Program Setup

Governance, risk, and compliance support for ISO 27001 and SOC 2 readiness. For SaaS and fintech leaders who need a structured path to certification: gap assessment, policies, risk register, and audit preparation. No generic templates; guidance tailored to your scope and risk profile.

Pricing: €4,000 – €12,000

Service overview

  • Governance, risk, and compliance support: gap assessment, policies, risk register, and audit preparation for ISO 27001 and SOC 2.
  • For SaaS and fintech leaders preparing for certification or customer due diligence.
  • Solves: unclear control gaps, missing policies, undocumented risk, and lack of audit-ready evidence.

Typical security risks discovered

  • Control gaps: missing or incomplete policies and procedures for access, change management, incident response, or vendor risk.
  • Unclear risk ownership: risks not assigned, no risk appetite or tolerance defined.
  • Evidence gaps: controls in place but not documented or evidence not collected for auditors.
  • Scope creep or misalignment: certification scope too broad or not aligned with actual product and infrastructure.
  • Vendor and third-party risk: no assessment or contract requirements for processors and subprocessors.

Assessment scope

  • Gap assessment against ISO 27001:2022 and/or SOC 2 Trust Services Criteria for your in-scope systems.
  • Policy and procedure development: information security, access control, incident response, business continuity, acceptable use, vendor risk.
  • Risk register: identification, assessment, treatment plans, and ongoing review process.
  • Statement of Applicability (SoA) and control mapping where applicable.
  • Audit readiness: evidence collection, owner assignment, and readiness checklist.

Deliverables

  • Gap assessment report with control-by-control status and prioritised remediation.
  • Draft policies and procedures (tailored to your context, not boilerplate).
  • Risk register and treatment plan template with initial risks and owners.
  • Audit readiness checklist and evidence guidance for the selected framework.
  • Ongoing support option for SoA updates, policy reviews, and auditor liaison.

Expected outcomes

  • Clear path to ISO 27001 or SOC 2 certification with prioritised gaps and milestones.
  • Documented risks and controls that auditors and customers can follow.
  • Readiness to engage an auditor with evidence and ownership in place.
  • Option for ongoing support to maintain and evolve the program.
